[ngw] Admin service SSL certificate questions

David Gerisch DGerisch at co.tulare.ca.us
Thu Jun 22 17:31:25 UTC 2017


I forgot to mention that the command to check what the server sees is an
openssl command.

openssl s_client -host <insert hostname here> -port 9710

After it goes through checking, and reporting what SSL certificates are
being used, you will have to hit Control-C to break out.
>>> "David Gerisch" <DGerisch at co.tulare.ca.us> 6/22/2017 10:25 AM >>>
I'm trying to do some scripting against the GroupWise Administration
Service, and I'm running into SSL errors, because my certificates
aren't
configured correctly (apparently).  Two questions:

Question 1) If the primary domain admin service certificate has a
common name of CN=TULARE_COUNTY-CA but my post office server admin
service certificate says CN=INSTALL-CA - is that probably the source
of
my problem?  The post office server says the certificate chain
includes

Certificate chain
0 s:/O=INSTALL/CN=INSTALL-SVC
   i:/O=INSTALL/OU=GROUPWISE/OU=ADMIN/CN=INSTALL-CA
1 s:/O=INSTALL/OU=GROUPWISE/OU=ADMIN/CN=INSTALL-CA
   i:/O=INSTALL/OU=GROUPWISE/OU=ADMIN/CN=INSTALL-CA

and the primary domain admin service certificate is none of those. 
The
problem that I'm getting is that during the SSL negotiation phase of
connecting to the admin service on the local machine, I get
"certificate
verify failed".

Question 2) It doesn't look very hard to replace the certificates -
but
what are the implications / side effects?

It looks like all I have to do is run gwadminutil-certinst per the
documentation.  But I don't know if that's going to cause any
disruption
or need any sort of service restarts or such.  Does it affect the way
clients connect to the POA?

Thanks!

David Gerisch



More information about the ngw mailing list