Need help rebuilding server certificate

I am having issues registering my Linux for System z servers (SLES 11 SP1) with SMT which is related to the CA Cert that was generated when SLES 11 GA was originally installed. I have over 20 servers that have the exact same CA Cert defined which I need to rebuild.

These servers have the same CA cert because of how we clone the servers from our ‘golden image’. Our process is to install SLES 11 and configure it for our environment, including the installation of WebSphere Application Server, IBM HTTP Server, and DB2 9.5. We then clone the server by copying the dasd volumes that make up the golden image to new volumes, rebuild the ssh keys, modify the hostname, and modify the network files for the new IP address, gateway, etc.

My problem is that the process to rebuild the root CA and server certificate fails. Novell support pointed me at a document to rebuild the root CA and server certificate, www.novell.com/support/kb/doc.php?id=7006024, but the process fails at step 13 of the “Create server certificate” section. The error pop-up contains:
RuntimeException:-1:openssl command failed: Error Loading extension section v3_req_client
I tried this procedure on several servers with the same results. I checked the directory structure under /var/lib/CAM and the root CA appears to have been created. In fact, if I exit from YaST after encountering the error and go back in I can see that it created the root CA. It is just the server certificate that it won’t create.

I searched Google using words from the message and haven’t found a resolution. Is there a procedure to rebuild the server certificate without using YaST? Any other ideas? I had this problem with my SMT server (cloned using the process mentioned above) and ended up reinstalling Linux from the SLES 11 SP2 s390x DVD. I don’t have the option of reinstalling Linux on 20+ production servers.

Harley

Harley,

Before we get to the source of the error - I understood that you’re cloning SMT client machines, so why do you need to create additional CA certificates? All clients need the certificate of the CA that created the certificate of the SMT server - that’s a single CA certificate for all systems, one server certificate per SMT server, that’s it.

Are your cloned machines SMT servers? If not, then the following is perfectly right:

No need to change that.

Regards,
Jens