Mike Makar

ca signed cert issue

Has anyone worked with a CA-signed certificate for uCMDB? We have the uCMDB fully hardened, but in working with a CA-signed cert generated by our organization we're still receiving certificate errors when we import it into our keystore and truststore. Has anyone gotten a CA-signed cert to work in the past? Thanks in advance.


P.S. This thread has been moved from the Application Perf Mgmt (BAC / BSM) Support and News Forum to the CMS and Discovery Support and News Forum. - HP Forum Moderator

6 Replies

Chris Bartram

Re: ca signed cert issue

Just went through the painful process of getting a CA-signed cert installed in BAC. Turns out I used the Java keytool (the only key app I found on the box) to generate the certificate request and got back a signed cert that the Windows Apache server on the box didn't understand.
One of my coworkers pointed me to a wonderful freeware tool called "KeyStore" which allowed me to extract the encrypted private key to PKCS#8 format and unencrypt it at the same time; the resulting exported private key was OK with Apache and HTTPS now works fine. Not sure what web server uCMDB uses, but hopefully that's of some help.

Link to keytool download: http://www.lazgosoftware.com/kse/index.html
(no relation but I'm definitely keeping a copy of that little gem handy for future use.)
Mike Makar

Re: ca signed cert issue

That's great info Chris, thanks. I too am going through that process, and I already got the CA-signed cert back, but from your comments it looks like I need to export the private key to a PKCS format. My question for you is: do I import that PKCS-formatted file into the keystore, and then it should work? I imported the CA-signed cert into the keystore. Thanks for the help.
Chris Bartram

Re: ca signed cert issue

Depends on the app that's trying to read the cert. If it's a Java-based app (Tomcat typically uses this) then you can probably use the standard signed cert you got back.

If it's an Apache web server, they appear to want the unencrypted/exported key placed in the appropriate directory, and your httpd.conf or ssl.conf file should reference that file name as the signed certificate file.
Mike Makar

Re: ca signed cert issue

So after doing more research, it looks like what I need to do is import the CA reply into the keystore using the same alias command I used to create the original private key that I used to create the certificate request. The only problem now is that when I try to import the cert from the CA I'm getting an error saying "failed to establish chain from reply", so I'm assuming something is wrong with the cert they sent us. Have you seen this occur at all?
Chris Bartram

Re: ca signed cert issue

Certificates require a chain of trust; you may need to also import the root certificates and intermediate certificates (i.e. your server cert is issued by acme.com and acme.com is trusted by Thawte - then you'd need the signed cert by acme.com and the root certs for Thawte).

When I got my last signed cert, the CA officer was nice enough to include the other cert packages as well.

Hope that helps- points appreciated 🙂
-Chris
Mike Makar

Re: ca signed cert issue

Yep, you're right, I needed to import the root, intermediary and CA reply cert into the keystore. I tried that once and it didn't work, so I found an article that said I needed to convert the plain-text .cer files into X.509 binary-encoded DER files. Once I converted them I was able to import the root and intermediary into the keystore and then import the CA reply into the existing alias. Once I did all that it worked fine. The last step was to copy the CA reply over to the DDM probe and add it to the truststore. Now I can access uCMDB without getting the error, and the probe and uCMDB also talk over SSL. Thanks again for your help.
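The two steps in the thread that caused the trouble, as an added Python example that is not code from the thread, from uCMDB or from keytool: `to_der()` converts a plain-text (PEM) .cer into binary DER using only the standard library, and `establish_chain()` models the issuer walk that keytool performs on a CA reply, naming which CA certificate still has to be imported when the walk fails with "failed to establish chain from reply". `CertInfo`, the sample subject names and the PEM blob are constructed for this example; the model walks subject/issuer names only and does not verify signatures.

```python
from __future__ import annotations
import ssl
from dataclasses import dataclass

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"

def to_der(cert_bytes: bytes) -> bytes:
    """Return DER for a .cer that is PEM ('plain text' base64 between BEGIN/END
    lines) or already binary DER, the form keytool wanted in the thread."""
    if cert_bytes.lstrip().startswith(PEM_HEADER):
        # Standard-library helper: strips the armour and base64-decodes the body.
        return ssl.PEM_cert_to_DER_cert(cert_bytes.strip().decode("ascii"))
    if cert_bytes[:1] == b"\x30":
        # A DER-encoded X.509 Certificate is an ASN.1 SEQUENCE (tag byte 0x30).
        return cert_bytes
    raise ValueError("not a PEM or DER certificate")

@dataclass(frozen=True)
class CertInfo:
    subject: str  # only the two names the chain walk needs (hypothetical type)
    issuer: str

def establish_chain(reply: CertInfo, trusted: list[CertInfo]) -> tuple[list[CertInfo], str | None]:
    """Model of keytool's chain walk on a CA reply: start at the reply, look up each
    issuer among the trusted certs, stop at a self-signed root. Returns (chain built
    so far, subject of the first issuer not found or None). Signatures not checked."""
    by_subject = {c.subject: c for c in trusted}
    chain, current = [reply], reply
    while current.subject != current.issuer:  # not yet at a self-signed root
        issuer = by_subject.get(current.issuer)
        if issuer is None or issuer in chain:  # missing link (or a loop)
            return chain, current.issuer  # keytool: "failed to establish chain from reply"
        chain.append(issuer)
        current = issuer
    return chain, None

# Constructed sample names (not real certificates): root -> intermediate -> server.
ROOT = CertInfo("CN=Demo Root CA", "CN=Demo Root CA")
INTERMEDIATE = CertInfo("CN=Demo Intermediate CA", "CN=Demo Root CA")
REPLY = CertInfo("CN=ucmdb.example.test", "CN=Demo Intermediate CA")
# Constructed PEM armour around a few bytes (not a real certificate), for to_der().
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    assert to_der(SAMPLE_PEM) == to_der(SAMPLE_DER) == SAMPLE_DER
    for trusted in ([ROOT], [INTERMEDIATE, ROOT]):  # root only, then root + intermediate
        chain, missing = establish_chain(REPLY, trusted)
        print([c.subject for c in chain], "missing:", missing)
```

With only the root in the keystore the walk stops at the reply and reports the intermediate as missing, which is the situation behind the error in this thread; once the intermediate is imported the walk reaches the root.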