Marcus Tornberg Super Contributor.

SMS gateway certificate

Hi!

We are using SSPR to send SMS tokens and new passwords using an SMS Gateway.

Part of configuring this is to import the certificate from the SMS Gateway. In our case, this process imports the following certificates:

Certificate structure:
DST Root CA X3
-- Let's Encrypt Authority X3 -- THIS IS IMPORTED
---- api.obfuscated.com -- THIS IS IMPORTED

It all works fine, but the problem I have is that the api.obfuscated.com certificate has a short validity period: it expires every 3 months, and we don't know when the service provider renews the certificate.

Would it not be sufficient to import the "Let's Encrypt Authority X3" certificate? That one is valid for 10 years.

Does anyone know how to work with this to ensure SSPR service reliability in the SMS gateway?

Best Regards
Marcus
Knowledge Partner

Re: SMS gateway certificate

On 11/21/2018 03:14 AM, marcus jonsson wrote:
>
> We are using SSPR to send SMS tokens and new passwords using an SMS
> Gateway.
>
> Part of configuring this is to import the certificate from the SMS
> Gateway. In our case, this process imports the following certificates:
>
> Certificate structure:
> DST Root CA X3
> -- Let's Encrypt Authority X3 -- THIS IS IMPORTED
> ---- api.obfuscated.com -- THIS IS IMPORTED


You should never import the end certificate, in your case
api.obfuscated.com, for any TLS/SSL service ever, at all, unless you are
using self-signed certificates (you are not) and know what you are doing
with them.

> It all works fine, but the problem I have is that the api.obfuscated.com
> certificate has a short validity period, it expires every 3 months and
> we don't know when the service provider renews the certificate.


That's part of the point of Let's Encrypt certs; they are meant to be
short-lived so if they are compromised they do not matter much, but the CA
allows for simple, even automatic, generation of new short-lived certificates.

> Would it not be sufficient to import the "Let's Encrypt Authority X3"
> certificate? That one is valid for 10 years.


Yes, this is what you should always do, and usually one would import all
of the parent certs, assuming the existing truststore does not come with
those trusted already (older things may not yet, but newer things do). By
virtue of trusting the certificate authority (CA), your services trust all
certificates minted from that CA (unless revoked, used for the wrong
purpose, invalid time-wise/expired, etc.) which is why you should only
import the CA and not the endpoint certificate.

> Does anyone know how to work with this to ensure SSPR service
> reliability in the SMS gateway?


SSPR is just an app running in Apache Tomcat, and every time I have set it
up I have only done so trusting CAs, not endpoint certs.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
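As an added illustration of the point above (example code, not from the thread or from SSPR), this Go program builds a toy root -> intermediate -> 90-day leaf chain, issues a renewed leaf from the same intermediate, and shows that a truststore holding only the root and intermediate keeps accepting it while a stored copy of the old endpoint certificate no longer matches. The CA names, the hostname argument and the use of Go's crypto/x509 in place of SSPR's Java truststore are assumptions of the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue generates a P-256 key and a cert for cn valid for `days`, signed by parent (self-signed if nil).
func issue(cn string, days int, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn}, // harmless on the CA certs; needed on the leaf for the hostname check
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Duration(days) * 24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, // shared for brevity
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// chainTrusted is the CA-only truststore check: chain to an imported CA and carry the gateway hostname.
func chainTrusted(presented *x509.Certificate, trust *x509.CertPool, host string) bool {
	_, err := presented.Verify(x509.VerifyOptions{Roots: trust, DNSName: host})
	return err == nil
}

// Renewal builds root -> intermediate -> 90-day leaf for host, then a renewed leaf from the same
// intermediate. It reports whether a root+intermediate truststore accepts the renewed leaf, and
// whether a truststore holding the old endpoint cert itself (byte-for-byte comparison) does.
func Renewal(host string) (caTrustOK, pinnedLeafOK bool) {
	root, rootKey := issue("Demo Root CA", 3650, true, nil, nil)
	inter, interKey := issue("Demo Intermediate CA", 1825, true, root, rootKey)
	oldLeaf, _ := issue(host, 90, false, inter, interKey)
	newLeaf, _ := issue(host, 90, false, inter, interKey)
	trust := x509.NewCertPool() // CA certificates only; the endpoint cert is never imported
	trust.AddCert(root)
	trust.AddCert(inter)
	return chainTrusted(newLeaf, trust, host), oldLeaf.Equal(newLeaf)
}
```

Renewal("api.obfuscated.com") returns (true, false): the CA-based check survives the provider's renewal, the endpoint-pinning check does not.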
Marcus Tornberg Super Contributor.

Re: SMS gateway certificate

Hi AB!

I agree with everything you write. Just to clarify, I have not manually imported these certs, that is done automatically when I click "Import certificate" in the SSPR UI.

But based on your comments I will try to import the CA and intermediate (not endpoint) cert into the Tomcat certificate store and check if it works without using the "Import certificate" in the SSPR UI.

Thanks for helping me out!

Best Regards
Marcus
Knowledge Partner

Re: SMS gateway certificate

On 11/21/2018 05:46 AM, marcus jonsson wrote:
>
> I agree with everything you write. Just to clarify, I have not manually
> imported these certs, that is done automatically when I click "Import
> certificate" in the SSPR UI.


I have not used that import option for SMS things, so perhaps there is a
bug there, but it's a little one; imported expired certs are meaningless
so long as the CAs are trusted. I have only worked with the LDAP import
option and, while I think it shows the endpoint cert, my understanding is
that it would always import the CA only. With that said, my notes
indicate that I manually import into a truststore every time regardless,
probably as a practice from before the import option existed.


--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
Marcus Tornberg Super Contributor.

Re: SMS gateway certificate

Hi.

I tried some ideas, but can't make it work.

Where do you suggest I import the CA and intermediate certificates? I tried manually editing SSPRConfiguration.xml and removing only the endpoint certificate, but this does not work. I also tried adding these two certificates to the JRE cacerts, but the result is the same.

When I try to send I get the error message:
unable to send message: 5078 ERROR_SMS_SEND_ERROR (error while sending SMS, discarding message: 5057 ERROR_SERVICE_UNREACHABLE (error while making http request: java.security.cert.CertificateException: server certificate {subject=CN=api.obfuscated.com} does not match a certificate in the configuration trust store.

Do you have any guidance or ideas for me?

Best regards
Marcus