
SSL/Certificates


Ted Politza

Mar 20, 2003, 1:10:01 PM
When attempting to issue a certificate, I receive the following message:
"The Organization Certificate Authority could not be located or did not respond".
Any help would be greatly appreciated.


Andy Thompson

Mar 20, 2003, 1:25:43 PM
Ted Politza wrote:
> When attempting to issue a certificate, I receive the following message:
> "The Organization Certificate Authority could not be located or did not respond".

Do you have a CA in your tree? Is PKI running on the CA?

--

Andy Thompson
Novell Support Connection Volunteer SysOp
(No email support, thanks.)

AndersG

Mar 20, 2003, 1:29:02 PM
How many servers?
What server is the CA?

- Anders Gustafsson, Engineer, CNE5, ASE
NSC Volunteer Sysop (http://support-forums.novell.com)
Pedago, The Aaland Islands (N60 E20)
Using VA 4.52 build 277 (32-bit) on Windows 2000 build 2195

Ted Politza

Mar 20, 2003, 2:29:19 PM
Under our tree we have a "Security" icon and within the "Security" folder we
have an Organizational CA. When I right click and select properties on it, it
says "Insufficient Rights Error". I hit "close" a couple of times and it
opens up. I am logged in as "admin".
"Andy Thompson" <00...@myrealbox.com> wrote in message
news:HInea.24681$j15....@prv-forum2.provo.novell.com...

Ted Politza

Mar 20, 2003, 2:32:53 PM
PKI is loaded. We have Three (3) servers
"AndersG" <dal...@nomail.to.me> wrote in message
news:VA.0000386...@nomail.to.me...

AndersG

Mar 20, 2003, 3:19:01 PM
Ted Politza,

> PKI is loaded. We have Three (3) servers
>
OK. I suggest you try PKIDIAG.NLM

Ted Politza

Mar 20, 2003, 3:20:41 PM
How do I go about using PKIDIAG?

"AndersG" <dal...@nomail.to.me> wrote in message
news:VA.0000386...@nomail.to.me...

Ted Politza

Mar 20, 2003, 3:55:33 PM
Ok, I ran pkidiag and received the following error: "A SSL CERTIFICATEDNS
DOES NOT EXIST"????
"Ted Politza" <tpol...@artesianwater.com> wrote in message
news:topea.24826$j15....@prv-forum2.provo.novell.com...

AndersG

Mar 21, 2003, 3:37:28 AM
Ted Politza,

> Ok, I ran pkidiag and received the following error: "A SSL CERTIFICATEDNS
> DOES NOT EXIST"????
>
Is there such an object? IIRC PKIDIAG had the ability to create it if you
ask it to fix problems.

Ted Politza

Mar 21, 2003, 9:25:34 AM
I ran PKIDIAG and it comes up with one (1) fixable problem (A SSL
CertificateIP does not exist). I keep running PKIDIAG to fix the problem,
but it doesn't. It just says step 6 failed -603. Any ideas would be greatly
appreciated...Thanks, Ted

"AndersG" <dal...@nomail.to.me> wrote in message
news:VA.0000386...@nomail.to.me...

AndersG

Mar 21, 2003, 10:06:15 AM
Ted Politza,

> It just says step 6 failed -603.

603 is attribute does not exist.. Something is very wrong there.. Did
you download the updated PKI and try installing it?

Ted Politza

Mar 21, 2003, 10:13:42 AM
We are running PKI v 2.03B

"AndersG" <dal...@nomail.to.me> wrote in message
news:VA.0000386...@nomail.to.me...

Ted Politza

Mar 21, 2003, 11:48:27 AM
Ok, I deleted and recreated the Organizational CA and was able to issue a
certificate. What do I now have to do to use SSL on the webserver,
webaccess, GW, etc. I seem to have a problem with this...Please help!!
Thanks, Ted

"Ted Politza" <tpol...@artesianwater.com> wrote in message
news:G_Fea.25572$j15....@prv-forum2.provo.novell.com...

AndersG

Mar 21, 2003, 11:53:33 AM
Ted Politza,

> We are running PKI v 2.03B
>
There is a more recent one than that available.

AndersG

Mar 21, 2003, 1:17:29 PM
Ted Politza,

> What do I now have to do to use SSL on the webserver,
> webaccess, GW, etc. I seem to have a problem with this...Please help!!
> Thanks, Ted

OK. Create one or more certificates. They are called KMOs or Key
Material Objects in ConsoleOne. Then make sure the services use them.
For example in Apache you change the SecureListen directive to include
your certificate name. I.e.:

http://support.novell.com/cgi-bin/search/searchtid.cgi?/10070141.htm

Ted Politza

Mar 21, 2003, 2:20:30 PM
Ok, I tried to create the Key Material object and received the following
message: "No Servers were found in this container. A server Certificate can
only be created if the server object to which the server certificate will
belong already exists in the container". Man I am having problems. Any more
ideas???

"AndersG" <dal...@nomail.to.me> wrote in message
news:VA.0000387...@nomail.to.me...

AndersG

Mar 21, 2003, 2:34:20 PM
Can you try creating in the container where a server exists?

Ted Politza

Mar 21, 2003, 3:03:24 PM
Ok, Here's the latest. I was finally able to create a KMO & issue a
certificate that will be used for SSL. Now, when I turn encryption on in web
server, it attempts to restart and then will be in the "Off" state. It will
not go "On" when I have encryption enabled. Sorry to be such a pain....Ted

"AndersG" <dal...@nomail.to.me> wrote in message
news:VA.0000387...@nomail.to.me...

AndersG

Mar 21, 2003, 3:17:22 PM
Ted Politza,

> Now, when I turn encryption on in web
> server, it attempts to restart and then will be in the "Off" state.
>
Is that Netscape? If so, I will have to call in Joe, as I have not
worked with NES for a while..

Ted Politza

Mar 21, 2003, 4:55:00 PM
We are using NetWare Enterprise Web Server. Is that actually Netscape???

"AndersG" <dal...@nomail.to.me> wrote in message
news:VA.0000387...@nomail.to.me...

AndersG

Mar 22, 2003, 12:16:23 AM
Ted Politza,

> We are using NetWare Enterprise Web Server. Is that actually Netscape???
>
Version of. I will try to ask Joe in here..

Joseph Moore [SysOp]

Mar 25, 2003, 11:00:15 AM
Ted Politza:

> It will
> not go "On" when I have encryption enabled.
>

you have to change magnus.conf to put in the name of your certificate

Joe Moore
Novell Support Connection Volunteer Sysop

http://just.fdisk-it.com - Coming soon:
"Migrating From NetWare Enterprise Web Server to Apache 1.3.x"

http://www.caledonia.net/sysops.html

NO EMAIL PLEASE!!!!!

Ted Politza

Mar 25, 2003, 3:06:59 PM
Thanx, I will try that....
"Joseph Moore [SysOp]" <joem@*spam*is*evil*fdisk-it.com> wrote in message
news:VA.0000101...@hostname.not.set.up...

Ted Politza

Mar 25, 2003, 3:13:10 PM
Joe, Where in the Magnus.conf file do I put it and what is the syntax.
Thanx, Ted

"Joseph Moore [SysOp]" <joem@*spam*is*evil*fdisk-it.com> wrote in message
news:VA.0000101...@hostname.not.set.up...

Ted Politza

Mar 26, 2003, 11:02:32 AM
Thanks...

"Joseph Moore [SysOp]" <joem@*spam*is*evil*fdisk-it.com> wrote in message
news:VA.0000102...@hostname.not.set.up...
> Ted Politza:

>
> > Where in the Magnus.conf file do I put it and what is the syntax.
> >
>
> there should already be in magnus.conf:
>
> Certfile SSL CertificateDNS
> Keyfile SSL CertificateDNS
>
> simply change the SSL CertificateDNS to whatever your certificate name
> is.

Joseph Moore [SysOp]

Mar 26, 2003, 10:53:17 AM
Ted Politza:

> Where in the Magnus.conf file do I put it and what is the syntax.
>

there should already be in magnus.conf:

Certfile SSL CertificateDNS
Keyfile SSL CertificateDNS

simply change the SSL CertificateDNS to whatever your certificate name
is.

Joe Moore
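
Added example, not part of the original thread and not Novell's code: a small check-and-rewrite helper for the two magnus.conf directives quoted in the post above. The certificate name `WebAccessCert`, the sample fragment, and the case-insensitive directive matching are assumptions made for illustration.

```python
import re

# Matches the two directives quoted in the post; the value may contain spaces.
# Case-insensitive matching is an assumption of this example.
DIRECTIVE = re.compile(r"^(\s*)(Certfile|Keyfile)\s+(.*?)\s*$", re.IGNORECASE)

def read_cert_directives(conf_text):
    """Return {'certfile': value, 'keyfile': value} for the directives present."""
    found = {}
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line)
        if m:
            found[m.group(2).lower()] = m.group(3)
    return found

def check_cert_directives(conf_text, expected_name):
    """List problems that leave the server pointing at the wrong certificate."""
    found = read_cert_directives(conf_text)
    problems = []
    for key in ("certfile", "keyfile"):
        if key not in found:
            problems.append(f"{key} directive missing")
        elif found[key] != expected_name:
            problems.append(f"{key} is '{found[key]}', expected '{expected_name}'")
    return problems

def set_certificate_name(conf_text, new_name):
    """Rewrite both directives to new_name, leaving every other line untouched."""
    out = []
    for line in conf_text.splitlines():
        m = DIRECTIVE.match(line)
        out.append(f"{m.group(1)}{m.group(2)} {new_name}" if m else line)
    return "\n".join(out) + "\n"

# Constructed sample: only the two lines quoted in the post, plus a comment.
SAMPLE = (
    "# constructed magnus.conf fragment\n"
    "Certfile SSL CertificateDNS\n"
    "Keyfile SSL CertificateDNS\n"
)

if __name__ == "__main__":
    # 'WebAccessCert' is a hypothetical certificate (KMO) name.
    print(check_cert_directives(SAMPLE, "WebAccessCert"))
    fixed = set_certificate_name(SAMPLE, "WebAccessCert")
    print(fixed, check_cert_directives(fixed, "WebAccessCert"))
```

Run it against a copy of the file and compare the result before replacing the live magnus.conf.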

Ted Politza

Mar 26, 2003, 11:31:55 AM
Joe, The webserver still won't go into the "ON" state. I receive the
following error in the error log report:

"[26/Mar/2003:11:27:08] failure ( 450): startup failure: could not bind to port 443, IP address xxx.x.x.x (Data temporarily not available)

[26/Mar/2003:11:27:08] failure ( 450): Failure initializing Listen Sockets"

"Joseph Moore [SysOp]" <joem@*spam*is*evil*fdisk-it.com> wrote in message

news:VA.0000102...@hostname.not.set.up...

Ted Politza

Mar 26, 2003, 2:34:13 PM
I ran PKIDIAG and it comes up with one (1) fixable error, but does not fix
it. The error is:

"PROBLEM: A SSL CertificateDNS does not exist
FIXING: Creating SSL CertificateDNS (xxx.xxxxxx.com) where xxx is our server name
Pausing for 5 seconds because of error -1214
ERROR -1214 creating SSL CertificateDNS.
Step 6 failed -1214."

"Joseph Moore [SysOp]" <joem@*spam*is*evil*fdisk-it.com> wrote in message
news:VA.0000102...@hostname.not.set.up...

Joseph Moore [SysOp]

Mar 27, 2003, 10:17:18 AM
Ted Politza:

> ERROR -1214 creating SSL CertificateDNS.
>

http://support.novell.com/cgi-bin/search/searchtid.cgi?/10022294.htm

Joseph Moore [SysOp]

Mar 27, 2003, 10:17:19 AM
Ted Politza:

> could not bind to port 443,
>

that is because you turned encryption ON, which tells the webserver to
use port 443 instead of 80. NES creates a hardware virtual server
using port 443 as part of the install. If you ONLY want SSL access to
the web server, go into document management in the admin server and
delete the hardware virtual server - otherwise, turn encryption back to
OFF.

Ted Politza

Mar 27, 2003, 11:20:36 AM
Ok Joe, so I deleted the hardware virtual server and then went into the
server again and turned encryption on and it said it couldn't bind to port
80 now. I must be missing something. All I am trying to do is enable SSL on
the server so that webaccess can use SSL...Is there another step I am
missing???

"Joseph Moore [SysOp]" <joem@*spam*is*evil*fdisk-it.com> wrote in message
news:VA.0000103...@hostname.not.set.up...

Joseph Moore [SysOp]

Apr 1, 2003, 11:48:00 AM
Ted Politza:

> All I am trying to do is enable SSL on
> the server so that webaccess can use SSL...Is there another step I am
> missing???
>

ok, do you want port 80 at all or just SSL?

post your answer and your magnus.conf and obj.conf

Ted Politza

Apr 2, 2003, 2:48:33 PM
I am really looking for SSL encryption for webaccess primarily..

"Joseph Moore [SysOp]" <joem@*spam*is*evil*fdisk-it.com> wrote in message
news:VA.0000103...@hostname.not.set.up...

Joseph Moore [SysOp]

Apr 3, 2003, 9:33:00 AM
Ted Politza:

> I am really looking for SSL encryption for webaccess primarily
>

you didn't post the magnus.conf and obj.conf - if you don't want to
post them in public, email them to joem at crowther dot net and I will
see what is wrong.

Ted Politza

Apr 8, 2003, 10:58:24 AM
Thanks Joe, I will email them to you...Ted

"Joseph Moore [SysOp]" <joem@*spam*is*evil*fdisk-it.com> wrote in message
news:VA.0000105...@hostname.not.set.up...

Joseph Moore [SysOp]

Apr 8, 2003, 1:34:28 PM
Ted Politza:

> I am really looking for SSL encryption for webaccess primarily..
>

OK, I made a change to magnus.conf and obj.conf (and commented them).
These two changes *should* make your web server run SSL on port 443
only. If you need a regular web site on port 80, then create a
hardware virtual server on another IP address using port 80.

Joseph Moore [SysOp]

Apr 9, 2003, 12:08:51 PM
Ted Politza:

> Thanks Joe, I will email them to you
>

got em

Ted Politza

Apr 17, 2003, 2:41:35 PM
Joe, I finally got pkidiag to run error free, however, now when I restart the
web server it asks me for a password. We didn't set a password up for this.
When I enter something in for a password, it displays the following on the
top of the web server screen: Sec_Findkeybyname: Internal error -8174. Any
ideas?

"Joseph Moore [SysOp]" <joem@*spam*is*evil*fdisk-it.com> wrote in message
news:VA.0000107...@hostname.not.set.up...

Joseph Moore [SysOp]

Apr 18, 2003, 12:38:17 PM
Ted Politza:

> web server it asks me for a password
>

try
http://support.novell.com/cgi-bin/search/searchtid.cgi?/10024135.htm

if that doesn't work, try creating a new certificate to use
