
certificates

Status
Not open for further replies.

terry712

this probably isn't really a netware 6 question but i will have more chance of a response

what i want is i need to use ssl for a few web sites - these will just be internal(ish) - at least behind walls and not available via internet

i want to be able to use our nds CA to issue these certs
is this possible or desired (afraid i am clueless with certificates, pki's and all that kind of stuff - baffles the hell out of me)

now i know i can export a .pfx and then create site and import etc but then i can specify the name - it's just ca .org or what ever - but on m$ucks cert server i can specify a bertie.bassett.co.uk or whatever - how do i do this or good docs etc

just now i get the box and it's the last one that has the issue
you know the one "the name on the security certificate is invalid blah blah"
personally i normally wouldn't care with these - just click yes and login but this web site can't keep issuing the box

sorry for the rambles but i really do want to use a m$uck solution
 
Certs, aren't they fun?

I have tons of experience with certs, but your question loses me.

You want to do what?

What OS is this Web site running from? What web server is being used? Do all of your workstations know the eDir CA as a trusted root?

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
Brent Schmidt Certified nut case [hippy]
Senior Network Engineer
 
Two certificates are created by default when you set up a server, one for the server name (i.e. "server01") and one for its IP address. For what you want, you need to create and use another. Create one with the CN that you want, such as "cn= The CN is what the browser matches against what's typed in the URL.

Unless you export and have your users import your CA, you'll always get a warning about the untrusted CA.
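
An added example (not code from this thread or from Novell or Microsoft) of the name check behind the "name on the security certificate is invalid" prompt, run against the default server-name and IP-address certificates and a purpose-made one. The certificate dicts are constructed samples in the shape Python's `ssl.SSLSocket.getpeercert()` returns; `name_check` and `legacy_cn` are hypothetical names. `legacy_cn=True` models the CN matching described above; current browsers match only subjectAltName entries, which `legacy_cn=False` models.

```python
import ipaddress

def _as_ip(value):
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def _dns_match(pattern, host):
    # Case-insensitive, label by label; "*" may stand only for the whole left-most label.
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        p, h = p[1:], h[1:]
    return p == h

def name_check(url_host, cert, legacy_cn=True):
    """Return (ok, reason) for the host typed in the URL (hypothetical helper)."""
    sans = cert.get("subjectAltName", ())
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    ip = _as_ip(url_host)
    if ip is not None:
        if any(_as_ip(v) == ip for k, v in sans if k == "IP Address"):
            return True, "matched IP subjectAltName"
        hit = url_host in cns  # exact string only; wildcards never cover IPs
    else:
        if any(_dns_match(v, url_host) for k, v in sans if k == "DNS"):
            return True, "matched DNS subjectAltName"
        hit = any(_as_ip(c) is None and _dns_match(c, url_host) for c in cns)
    if hit and legacy_cn and not sans:
        return True, "matched CN (legacy client only)"
    if hit:
        return False, "CN matches, but this client does not consult CN"
    names = ", ".join(cns + [v for _, v in sans])
    return False, "name mismatch: certificate is for " + names

# Constructed sample certificates (assumed values, not taken from any real server).
DEFAULT_NAME = {"subject": ((("commonName", "server01"),),)}
DEFAULT_IP = {"subject": ((("commonName", "192.168.1.100"),),)}
CUSTOM = {"subject": ((("commonName", "bertie.bassett.co.uk"),),),
          "subjectAltName": (("DNS", "bertie.bassett.co.uk"),
                             ("IP Address", "192.168.1.100"))}

if __name__ == "__main__":
    for cert in (DEFAULT_NAME, DEFAULT_IP, CUSTOM):
        for host in ("bertie.bassett.co.uk", "192.168.1.100"):
            print(host, name_check(host, cert, legacy_cn=False))
```

A certificate that passes this check still produces the separate untrusted-CA warning until clients import the issuing CA.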
 
If I understand Terry correctly... They have some NT servers and want to use Novell certificates on them for IIS instead of ones from AD certificate services. I have not done this exactly, but in theory I think it could work if you just exported the eDir cert and then imported into IIS or whatever. It's just getting the right format to export and then reimport elsewhere that will be the trick.



Marvin Huffaker, MCNE
 
yep sorry for not being clear - english isn't a strong suit of mine

i have a few things for it

1. i need to have some poor souls accessing a frontend owa box so iis6 - all the victims login to their own nt domains (legacy app, paranoia, mistrust issues etc). i had a look at iis 6 resource self cert or getting a verisign etc but they will all be in the same private network or ish - so a self cert etc should be ok. these users are totally separate from shall we say the proper network - what i want to be able to do was use one from our ca - ie the 6.5 one - i can see how i can export the file etc but obviously get prompts and they would need to import etc or is the iis one etc a better way - i had a quick play with the ca on a 2003 box and it allows you to create one and specify a suffix type idea - ie bertie.com mickey.com - does the netware one allow this or is it defined by the tree

2. again an iis server for a frontend to some kind of sql - the data is really sensitive and i want it at least over ssl rather than current http:// - this is more or less same as above type scenario - except one of the organisations that access it - thinks "dns will not catch on - ip addresses are so much easier" - beats me

3. changing the groupwise to 7 and want to ssl the mail over browser - the 6.5 one is just http://
this is on netware 6.5 and on the apache
 
You can definitely use NW to create certs for IIS, Apache, etc. For IIS, just treat it like requesting a cert from a real CA. Get the CSR and give it to NW.

On the Novell side, I don't recall if you use ConsoleOne or the certificate manager program to create it. I suspect C1, but can't tell you beyond that.

As I mentioned, you certainly can create certs with whatever CN you like- 192.168.1.100, whatever. It's not related to the tree.

The cert for a NW server is even easier, just because you don't have to copy it to another server. Apache on NetWare reads it from NDS.
 
Just want to add to #3....

I have never found a good way to do an http to https redirect by using apache or any apache configuration. And I don't know much about apache as far as any advanced configs. But there are some caveats that make the redirect difficult to do. If anyone does know a good way within the apache configs, please post.

So what I do instead is redirect the main webaccess webpage to HTTPS.

A) I delete the SYS:APACHE2\HTDOCS\INDEX.HTML (This is the language selector prompt for GroupWise if you replaced the original file during the GroupWise install).

B) I create a new index.html file in the same place and put the following in it and save it. This will automatically redirect to the secure port, as well as bypass the language screen. You can see what I mean if you go to http:\\mail.redjuju.com.


---INDEX.HTML file-----

<html>
<head>
<title> GroupWise 7 WebAccess</title>
<meta http-equiv="refresh" content="1; url=https://mail.YOURDOMAIN.COM/gw/webacc">
</head>
<body></body>
</html>

---END file -----

NOTE #1: Make sure to change the domain to reflect the proper web address.

NOTE #2: GroupWise 7 Webaccess is located at /GW/WEBACC instead of /SERVLET/WEBACC as with GroupWise 6.5. Remember this and avoid many headaches.




Marvin Huffaker, MCNE
 