CL wrote:
> Our server is configured to use SSL, but it's a self signed
> certificate. I have been asked to install a Chained root 128 bit
> Wildcard SSL certificate. The problem I have is this... where and how
> is this done?

You need to create a CSR with consoleone, then send it off to the
authority to gen your cert. When they return it, you import it back into
eDirectory. What you end up with is a KMO (key material object)
representing your wildcard cert.

> I have been told that I do not need to replace the current self signed
> certificate because that is used for server to server communication. I
> was also told that all I had to do is enter the SSL directives in my
> httpd.conf file and provide a path to the certificate and key file and
> everything would be fine.

This is incorrect. You say you want to secure the link between browser
and web server, correct? If so, then you DO need a real cert, unless you
want to put up with the browser complaint that the novell cert is not
signed by a trusted authority...

> I used the GWCSRGEN.exe utility to generate the .csr file and sent it
> off for signing.
>
> I have tried this using the following syntax in my httpd.conf file:
>
> SSLCertificateFile \apache2\conf\public.crt
> SSLCertificateKeyFile \apache2\conf\public.key
> SSLCACertificateFile \apache2\conf\chain.crt

gwcsrgen is ONLY used when you need to mint certificates to SSL-ize the
links between various *groupwise* objects (eg, webaccess agent to poa,
poa to mta, etc). It does *not* have anything to do with securing
browser-to-web server, which is what you want.

For instructions on creating the CSR with consoleone, check here:
http://www.digicert.com/csr-creation-novell-consoleone.htm

Once you get the CSR back from the authority, use these instructions to
import it:
http://www.digicert.com/ssl-certificate-installation-novell-consoleone.htm

Once THAT is done, you simply edit the apache conf file to point the
SecureListen directive at the name of your new KMO (certificate).

--
Jim
NSC Sysop