2048 bit SSL

Ok, this new 2048 SSL stuff is killing me.  I cannot install a root cert for IPSCA (my cert provider), I have not been able to install a root cert for VeriSign, or GlobalSign.  I think IPlanet 6.0 is too old to handle 2048 bit roots, is it possible to install IPlanet 6.1 over it?

Does anyone have a trick for installing new roots?

Help, root cert expires Dec. 29.


iPlanet 6 - 1024 bit

I recently ran into an issue generating a CSR for a new SSL Cert with Extended Validation on our Luminis III server. The problem is that iPlanet 6 can only generate a CSR for 1024 bit. iPlanet 7 can generate a CSR for 2048, but Luminis III does not use iPlanet 7. I had to downgrade one of our SSL Certs so that I could apply the new cert.

I hope this information helps you.

2048 bit SSL certs

Finally got the 2048 bit done.  Using command lines SCT was able to find a way to import the new 2048 bit root for IPSca, then generate a 2048 bit request.  There seems to be something wrong with my installation though because the only way we could get the new server cert. installed was for SCT to import it on one of their machines and send me the fixed .key and .db files.  What a mess.

Luminis 3, iPlanet 6, Solaris 9, 2048-bit SSL

I just ran into this issue. A few months from going live with Luminis 4, and realizing our Luminis 3 cert was about to expire, we attempted to renew the 1024-bit cert (yes, for only a couple of months of usage), but most CAs are no longer issuing them. Next, we attempted to generate a 2048-bit CSR, but realized iPlanet 6 can't do that (through the admin server). After researching/googling, I found *this* thread. I immediately opened a ticket with SunGard and was given a document detailing how to accomplish this via CLI using the certutil application. I got to step 3 and certutil generated a cert8.db and key3.db, instead of the documented cert7.db.

Further research provided several options to install an older version of certutil, capable of generating the cert7.db. I opted to install Directory Server Resource Kit 5.2.1. The certutil bundled there can generate the cert7.db file combo needed by iPlanet. From there, I was able to follow the documentation provided by SunGard and install a 2048-bit SSL cert the day before the old one expired. :) Here is the document provided by SunGard (modified slightly for *ahem* space):

---File---
1) Make a backup of the $CP_ROOT/products/ws/alias directory
2) Create a tmp directory for the new certificate DB, e.g. cd $CP_ROOT; mkdir cert
3) Create the cert db/location files
Run the certutil program which is located in the $CP_ROOT/products/ws/bin/https/admin/bin directory
Ex.

./certutil -N -d
Example using the cert directory above
./certutil -N -d $CP_ROOT/cert
Before it creates the keydb, the certutil program prompts you for a password (use the password that is in the $CP_ROOT/products/ws/config/password.conf file)

4) Create the Cert request

certutil -R -a -g 2048 -s "CN=, OU=, O=, L=, ST=, C=" -o filename -d
[Example: certutil -R -a -g 2048 -s "CN=my.luminis.edu, OU=Luminis Services, O=Sungard, L=Malvern, ST=Pennsylvania, C=US" -o /opt/luminiscert/certreq.txt -d /opt/luminis/cert]

Before it creates the request file, the Certificate Database Tool prompts you for a password (this is the keydb password you used in Step #1 when creating the keydb)

You will also be asked to type on the keyboard to create a random seed (just type away until the meter is full then hit Enter when prompted)
5) Cut and paste the contents of the certreq.txt file you just created (see example) and send in an email to the client to forward to their CA Authority

-----BEGIN NEW CERTIFICATE REQUEST-----
blablablah
-----END NEW CERTIFICATE REQUEST-----

6) Rename the cert7 and key3 db files in the $CP_ROOT/products/ws/alias directory to .old files

Ex. mv https-cp-luminishost-key3.db https-cp-luminishost-key3.db.old
mv https-cp-luminishost-cert7.db https-cp-luminishost-cert7.db.old

7) Copy the cert7.db and key3.db from the tmp/cert directory that was created in the first step
cp /opt/luminis/cert/cert7.db $CP_ROOT/products/ws/https-cp/alias
cp /opt/luminis/cert/key3.db $CP_ROOT/products/ws/https-cp/alias
8) Rename the cert7.db and key3.db files to the original names of the https-cp-luminis host files
EX.
cd /opt/luminis/products/ws/alias
mv cert7.db https-cp-luminishost-cert7.db
mv key3.db https-cp-luminishost-key3.db
9) Once you have the cert back from your CA make sure the Admin Server is started. Once it is started connect to the admin server.
10) Click on the Manage Servers and make sure to choose https-cp
11) Click on the Security Tab, then click on the Install Certificate from the options on the left
Check the This Server option
The password is the password you used at the beginning
Check the Message text (with Headers)
Paste the cert in the box and click on OK

12) The cert should now be installed. Make sure the Webserver is Stopped, and restart it.
13) Now you have a new DB and new cert you will need to run checkssl to import the new cert into the cacerts DB.
---EndOfFile---

Further information I found useful:

http://www.sun.com/bigadmin/features/articles/nis_ldap_part2.jsp
http://www.sun.com/software/products/directory_srvr_ee/get1.jsp
http://forums.sun.com/thread.jspa?threadID=5096901
http://preview.tinyurl.com/cfjuv6

P.S. I also have a documented transcript with another customer, possibly with chamorga, as this thread was referenced in my support session and they looked for that SR. The steps involved there may be helpful to others.

Thanks !
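As an added check (example code, not from this thread or SunGard's document): before pasting the certreq.txt output into the email in step 5, confirm the CSR really carries a 2048-bit RSA key, since the whole point of the exercise is that the 1024-bit request will be refused. The parser below walks the PKCS#10 DER directly, so it needs no openssl on the old Solaris box and accepts certutil's "NEW CERTIFICATE REQUEST" header; the sample CSR it builds is constructed, unsigned and for testing only.

```python
import base64, re
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption 1.2.840.113549.1.1.1

def der(tag, body):
    """Encode one DER TLV (short or long definite length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(v):
    """DER INTEGER; the extra byte keeps a leading 0x00 when the top bit is set."""
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def split_tlv(buf):
    """Return (tag, value, rest) for the first DER element in buf."""
    tag, n, i = buf[0], buf[1], 2
    if n & 0x80:
        k = n & 0x7F
        n, i = int.from_bytes(buf[2:2 + k], "big"), 2 + k
    return tag, buf[i:i + n], buf[i + n:]

def rsa_modulus_bits_from_csr(pem):
    """Walk a PEM PKCS#10 CSR (plain or certutil's NEW header) to its RSA modulus size in bits."""
    m = re.search(r"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.*?)-----END", pem, re.S)
    _, csr, _ = split_tlv(base64.b64decode("".join(m.group(1).split())))
    _, cri, _ = split_tlv(csr)               # CertificationRequestInfo
    _, _, rest = split_tlv(cri)              # version
    _, _, rest = split_tlv(rest)             # subject Name (the -s "CN=..." string)
    _, spki, _ = split_tlv(rest)             # SubjectPublicKeyInfo
    _, alg, rest = split_tlv(spki)           # AlgorithmIdentifier
    if split_tlv(alg)[1] != RSA_OID:
        raise ValueError("not an RSA key")
    _, bits, _ = split_tlv(rest)             # BIT STRING; bits[0] is the unused-bit count
    _, rsa_key, _ = split_tlv(bits[1:])      # RSAPublicKey SEQUENCE { modulus, exponent }
    return int.from_bytes(split_tlv(rsa_key)[1], "big").bit_length()

def csr_is_acceptable(pem, minimum=2048):
    return rsa_modulus_bits_from_csr(pem) >= minimum

def make_fake_csr(modulus_bits):
    """Constructed sample for offline testing: empty subject, dummy signature, not a real CSR."""
    n = (1 << (modulus_bits - 1)) | 1        # top bit set, so the modulus is exactly modulus_bits long
    key = der(0x30, der_int(n) + der_int(65537))
    spki = der(0x30, der(0x30, der(0x06, RSA_OID) + der(0x05, b"")) + der(0x03, b"\x00" + key))
    cri = der(0x30, der_int(0) + der(0x30, b"") + spki + der(0xA0, b""))
    sig = der(0x30, der(0x06, RSA_OID) + der(0x05, b"")) + der(0x03, b"\x00" * 33)
    b64 = base64.encodebytes(der(0x30, cri + sig)).decode()
    return "-----BEGIN NEW CERTIFICATE REQUEST-----\n" + b64 + "-----END NEW CERTIFICATE REQUEST-----\n"
```

Run `csr_is_acceptable(open("certreq.txt").read())` on the real certutil output; a False means the request was generated with the old 1024-bit default and must be regenerated with -g 2048 before it goes to the CA.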

Kevin - Thanks for the detailed notes and instructions. I came across this problem today and now that 2048-bit key is a must I was struggling with the certutil tool. I am using Iplanet 6.1 and these instructions were just what I was looking for. Thanks a lot...you are a life saver !!

Sunone 6.0

Hi Kevin,

I finally have figured out how to do this on Sunone 6.1, and now a new requirement has come up to install a 2048-bit encryption cert on Sunone 6.0.
In the 6.0 version, I see cert7.db, unlike cert8.db in the 6.1 version.

I guess according to the steps you have given above, I don't have to create a new db and can use the same existing cert7.db and key3.db to generate the CSR. Am I right?
Appreciate your advice on this.

Thanks
Ice
