Hi everyone.
We need to migrate our servers and the domains are going to change.
I have set up directory assistance between them and also tried to cross-certify the servers. The problem here is that we don't have the password for one of the parent cert.ids (of course the old one, because we changed owners).
What I do have is the password for one of the branch OUs, which we use to certify users, and that's the cert.id I used.
I know that cross-certifying an OU ID with a parent ID has a couple of problems, but when I chose the OU to be certified, I chose the parent one, and it seems fine in the certbyname and certbyroot views in the names.
The new parent cert ID appears at the same level as the other parent ID.
I have tried to make an updall of these views. I also modified the ACL on each server.
The problem is that if I use an ID from the old server, I have access to the new servers. If I try to do it with a new user ID, I get an error that says it can find the public key.
I checked the public ID from the ID and the NAB and they are the same (in the secondary NAB, actually, because the user from the new domain is in the secondary NAB on the old server).
What I was able to see is that the old ID has the Notes cross for the new domain, but the new ID only has the ones from the new domain. It did not update the ID with the old domain.
I believe that is the problem. How could I add it to the ID to test it? I saw that it has something to do with ‘Cross Certify Key’, but I don't wanna mess up.
Thanks
Regards