Entrust Certificate Services Support Knowledge Base

Audience: General
Last Modified: 2009-12-16 10:46:59.0

TN 7556 - How do I install a chain certificate into Novell Netware 6.0?

Question:

How do I install a chain certificate in Novell Netware 6.0?

Answer:

The Novell Certificate Server requires the entire certificate chain (Server Certificate, Intermediate Trusted Root, and Trusted Root Certificate) in order to import certificates issued by an external CA. This is done using Internet Explorer to create a PKCS #7 envelope. Only once you create this envelope can you import the entire certificate chain into the Novell Certificate Server.

To install a certificate chain

1. Open a Web browser and go to the URL that appears in the confirmation email you received from Entrust. Your certificates appear. The Entrust SSL certificate is in the section named Entrust SSL certificate.

2. Copy your certificate into a text editor and save the new file with a .crt extension (for example, Servercertificate.crt).

3. From your certificate pickup page, copy the certificate under the section entitled Entrust L1C Chain Certificate to a text editor, and save the new file with a .crt extension (for example, L1CChaincertificate.crt).

Now that you have saved the server certificate and chain certificate, you are ready to create a PCKS #7 envelope. To create the PKCS #7 envelope needed for Novell, you must import all certificates into your Internet Explorer browser, and then export these certificates into one file. The following steps guide you through this process.

To import the server certificate into Microsoft Internet Explorer

1. Open Microsoft Internet Explorer.
2. From the menu, select Tools > Internet Options.
3. Select the Content tab.
4. Click Certificates.
5. Click the Other People tab.
6. Click Import. The Certificate Installation Wizard appears.
7. Click Next.
8. Browse to the saved file that contains the server certificate as outlined above (for example, servercertificate.crt).
9. Click Next.
10. Select Automatically select the certificate store based on the type of certificate.
11. Click Next.
12. Click Finish. An Import Successful message appears.
13. Click OK.

You have successfully imported your server certificate into Microsoft Internet Explorer. Now you must import the chain certificate.

To import the Entrust Chain Certificate into Microsoft Internet Explorer

1. Open Microsoft Internet Explorer.
2. From the browser window, select Tools > Internet Options.
3. Select the Content tab.
4. Click Certificates.
5. Click the Intermediate Certification Authorities tab.
6. Click Import. The Certificate Installation Wizard appears.
7. Click Next.
8. Browse to the saved file that contains the chain certificate as outlined above (for example, L1CChaincertificate.crt).
9. Click Next.
10. Select Automatically select the certificate store based on the type of certificate.
11. Click Next.
12. Click Finish. An Import Successful message appears.
13. Click OK.

You have successfully imported your chain certificate into Microsoft Internet Explorer. Now you must verify the certificate import to ensure a proper chain of trust exists in the PKCS #7 envelope.

To verify the chain of trust

1. Open Microsoft Internet Explorer.
2. From the browser window, select Tools > Internet Options.
3. Select the Content tab.
4. Click Certificates.
5. Select the Other People tab.
6. In the Issued To field, locate the server certificate you imported in the steps above.
7. Highlight the server certificate and click View.
8. From the certificate window that appears, select the Certification Path tab. You should see the chain of trust for your certificates.
9. Three levels should exist in this window as follows:
   • At the top of the chain Entrust.net Certification Authority (2048) should appear. This is the Root Certificate.
   • Immediately below the root certificate, Entrust Certification Authority - L1C should appear. This is the Chain Certificate.
   • The last certificate in the lineage should be the server certificate Entrust issued to you. This is the server certificate.
10. If all certificates are present, the chain of trust is complete. Please proceed to To export your certificates into a PKCS7 envelope. If the chain or server certificate is not present, repeat the procedures above for importing the server and chain certificate.

To export your certificates into a PKCS7 envelope

1. Open Internet Explorer.
2. Select Tools > Internet Options.
3. Select the Content tab.
4. Click Certificates.
5. Click the Other People tab.
6. Locate your Web server certificate imported in the procedure To import the server certificate into Microsoft Internet Explorer.
7. Highlight your Web server certificate.
8. Click Export. The Certificate Export Wizard appears.
9. Click Next.
10. Select Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B).
11. Select Include all certificates in the certification path if possible.
12. Click Next.
13. Specify a filename and location for your P7B envelope and click Next.
14. Click Finish.

You have now exported your certificate into a PKCS #7 envelope and are ready to import your certificate into Novell Netware.

To importing your PKCS #7 envelope into Novell

1. In Console One, locate the KMO(Key Material) used to create your CSR(certificate signing request).
2. Right click the KMO and select Properties.
3. Click the Certificates tab.
4. Click Import. The Import Server Certificates window appears.
5. Select No Trusted Root Certificate available.
6. Click Next.
7. Click Read from file.
8. Locate the PKCS #7 envelope you exported in the above procedure. To locate the file with the .p7b extension, specify the .p7b file type in the Files of type drop-down list).
9. Once you have located your .p7b file, click Open.
10. Click Finish.

You have completed importing your PKCS #7 envelope into Novell Netware.

Affected Products:

• Entrust Certificate Services Enhanced Service Account Version Not Applicable Language Not Applicable Platform Not Applicable