Entrust Certificate Services Support Knowledge Base
Audience: General
Last Modified: 2008-09-23 11:22:23.0
TN 7556 - Installation of Chain Certificate into Novell Netware 6.0
Question:
How do I install a chain certificate in Novell Netware 6.0?
Answer:
The Novell Certificate Server requires the entire certificate chain (Server Certificate, Intermediate Trusted Root, and Trusted Root Certificate) in order to import certificates issued by an external CA. This is done by using Internet Explorer to create a PKCS #7 envelope. Only when this envelope has been created can the entire certificate chain be imported into the Novell Certificate Server.
Open a Web browser and go to the URL that appears in the confirmation email you received from Entrust. Your certificates are displayed. The Entrust SSL certificate is in the section named "Entrust SSL certificate".
Your certificate will look something like this:
Copy your certificate into a text editor and save the new file with a .crt extension (e.g. Servercertificate.crt).
From your certificate pickup page, you will see a section entitled 'Entrust L1B Chain Certificate'. This certificate will look something like this:
Copy this certificate into a text editor, and save the new file with a .crt extension (e.g. L1BChaincertificate.crt).
Now that you have saved the server certificate and chain certificate, you are ready to create a PKCS #7 envelope.
How to create a PKCS #7 envelope with Microsoft Internet Explorer
Importing Certificates into Internet Explorer
To create the PKCS #7 envelope needed for Novell, you must import all certificates into your IE browser, and then export these certificates into one file. The following steps will guide you through this process.
Importing the server certificate into Microsoft Internet Explorer:
- Open Microsoft Internet Explorer
- From the browser window, select 'Tools', then 'Internet Options'
- Select the 'Content' Tab
- Click the 'Certificates' button
- Click the 'Other People' tab
- Click the 'Import' Button - The 'Certificate Installation Wizard' appears
- Click next.
- Browse to the saved file that contains the server certificate as outlined above (e.g. servercertificate.crt)
- Click Next
- Ensure the 'Automatically select the certificate store based on the type of certificate' radio button is selected
- Click Next
- Click Finish
- Click the OK button to the 'Import Successful' message.
You have successfully imported your server certificate into Microsoft Internet Explorer.
Importing the Entrust Chain Certificate into Microsoft Internet Explorer:
- Open Microsoft Internet Explorer
- From the browser window, select 'Tools', then 'Internet Options'
- Select the 'Content' Tab
- Click the 'Certificates' button
- Click the 'Intermediate Certification Authorities' tab
- Click the 'Import' Button - The 'Certificate Installation Wizard' appears
- Click next.
- Browse to the saved file that contains the chain certificate as outlined above (e.g. L1BChaincertificate.crt)
- Click Next
- Ensure the 'Automatically select the certificate store based on the type of certificate' radio button is selected
- Click Next
- Click Finish
- Click the OK button to the 'Import Successful' message.
You have successfully imported your chain certificate into Microsoft Internet Explorer.
Verifying the chain of trust:
The following steps will verify that the certificate import steps from above have been followed correctly, and that a proper chain of trust will exist in the PKCS #7 envelope.
- Open Microsoft Internet Explorer
- From the browser window, select 'Tools', then 'Internet Options'
- Select the 'Content' Tab
- Click the 'Certificates' button
- Select the 'Other People' tab.
- In the 'Issued To' field, locate the server certificate you imported in the steps above.
- Highlight the server certificate and click the 'View' button
- From the certificate window that appears, select the 'Certification Path' tab
- In the 'Certification Path' window, you should see the chain of trust for your certificates.
- Three levels should exist in this window, as follows:
  - At the top of the chain, 'Entrust.net Certification Authority (2048)' should be displayed - this is the Root Certificate
  - Immediately below the root certificate, 'Entrust Certification Authority - L1B' should be displayed - this is the Chain Certificate
  - Finally, the last certificate in the lineage should be the server certificate Entrust issued to you - this is the server certificate.
- If all certificates are present, the chain of trust is complete. Please proceed to 'Exporting your certificates into a PKCS7 envelope'
- If the chain or server certificate is not present, please repeat the steps above for Importing the server and chain certificate.
You should now follow the 'Verifying the chain of trust' steps above.
Once the chain of trust has been verified, please proceed to Exporting your Certificates into a PKCS7 envelope.
Exporting your certificates into a PKCS7 envelope
- Open Internet Explorer
- Select Tools
- Select Internet Options
- Select the Content Tab
- Click on Certificates
- Click the 'Other People' tab
- Locate your web server certificate imported in the 'Importing the server certificate into Microsoft Internet Explorer' step
- Highlight your web server certificate
- Click Export - The certificate export wizard appears
- Click Next
- Select the radio button for "Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B)"
- Ensure the checkbox for 'Include all certificates in the certification path if possible' is checked.
- Click Next
- Specify a filename and location for your P7B envelope - Click Next
- Click Finish.
You have now exported your certificate into a PKCS #7 envelope and are ready to import your certificate into Novell Netware. Please proceed to "Importing your PKCS #7 envelope into Novell"
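Before the import, the exported file can be checked to confirm that it carries all three levels of the chain. The following Python code is an added example, not part of Entrust's procedure: it parses a DER-encoded .p7b with the standard library and reports which certificates the envelope holds and which issuers are referenced but not included. The function names, the 'Demo' certificate names and the envelope built by demo_p7b are constructed for illustration.

```python
SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # OID 1.2.840.113549.1.7.2 (signedData)
CN_OID = bytes.fromhex("550403")                   # OID 2.5.4.3 (commonName)

def tlv(buf, pos=0):
    """Decode one DER element at pos -> (tag, value, next_pos); definite lengths only."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: the low 7 bits give the number of length bytes
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + n], pos + n

def kids(value):
    """Split the contents of a constructed element into [(tag, value), ...]."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def common_name(name):
    """Last commonName in a DER Name, decoded for display only."""
    cns = [a[1][1] for _, r in kids(name) for _, atv in kids(r) if (a := kids(atv))[0][1] == CN_OID]
    return cns[-1].decode("utf-8", "replace") if cns else "(no CN)"

def p7b_report(der):
    """Return (subject CNs in the envelope, issuer CNs referenced but not included)."""
    (_, oid), (_, wrapped) = kids(tlv(der)[1])[:2]  # ContentInfo: contentType, [0] content
    if oid != SIGNED_DATA:
        raise ValueError("not a PKCS #7 SignedData envelope")
    fields = kids(kids(wrapped)[0][1])              # members of SignedData
    issuer_of = {}                                  # subject Name -> issuer Name (raw DER)
    for _, cert in kids(next((v for t, v in fields if t == 0xA0), b"")):  # [0] certificates
        tbs = [f for f in kids(kids(cert)[0][1]) if f[0] != 0xA0]  # drop the [0] version
        issuer_of[tbs[4][1]] = tbs[2][1]            # fields: serial, alg, issuer, validity, subject
    missing = {common_name(i) for i in issuer_of.values() if i not in issuer_of}
    return [common_name(s) for s in issuer_of], sorted(missing)

def enc(tag, body):  # DER encoder, used only to build the constructed demo envelope
    n, k = len(body), (len(body).bit_length() + 7) // 8
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x80 | k]) + n.to_bytes(k, "big")) + body

def demo_p7b(pairs):
    """Constructed, unsigned stand-in for a .p7b; pairs are (subject CN, issuer CN)."""
    name = lambda cn: enc(0x30, enc(0x31, enc(0x30, enc(0x06, CN_OID) + enc(0x0C, cn.encode()))))
    certs = b"".join(enc(0x30, enc(0x30, enc(0x02, b"\x01") + enc(0x30, b"") + name(i)
                                   + enc(0x30, b"") + name(s))) for s, i in pairs)
    body = enc(0x02, b"\x01") + enc(0x31, b"") + enc(0x30, b"") + enc(0xA0, certs) + enc(0x31, b"")
    return enc(0x30, enc(0x06, SIGNED_DATA) + enc(0xA0, enc(0x30, body)))
```

For a real export, pass the file's bytes to p7b_report; a complete chain returns three subjects and an empty second list. Names are compared byte for byte and no signatures are checked, so the result confirms only that every certificate in the path is present in the envelope.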
Importing your PKCS #7 envelope into Novell
- In ConsoleOne, locate the KMO (Key Material) used to create your CSR (certificate signing request)
- Right click the KMO and select Properties
- Click the Certificates tab.
- Click the Import Button - The Import Server Certificates window appears
- Check the box for 'No Trusted Root Certificate available'
- Click Next
- Click the 'Read from file' button
- Locate the PKCS #7 envelope you exported in the above steps. (note - to locate the file with the .p7b extension, you will have to specify .p7b file type in the 'Files of type' dropdown)
- Once you have located your .p7b file, click Open
- Click Finish
You have completed importing your PKCS #7 envelope into Novell Netware. You can close your certificate properties box by selecting either OK, Cancel, or by closing the window using the X in the top right hand corner.
Affected Products:
- Entrust Certificate Services Enhanced Service Account; Version: Not Applicable; Language: Not Applicable; Platform: Not Applicable