shaunglass
New Member.

Unable To Import Signed Certificates

Good Day,

We are having to use signed certificates as opposed to self-signed certificates. In iManager I created the .CSR and provided it to our Security Department to do the signing. At the end I was provided with :

Unsigned

$ file 01-server.csr
01-server.csr: RFC1421 Security Certificate Signing Request, ASCII text, with CRLF line terminators


Signed

$ file 02-server.pem
02-server.pem: PEM certificate


Chain & Root Certificate

$ file 03-LAWtrustPrivateTLSCA01.crt
03-LAWtrustPrivateTLSCA01.crt: PEM certificate


$ file 04-LAWtrustPrivateRootCA.der
04-LAWtrustPrivateRootCA.der: data


Now I tried to import the signed certificate but get the following error :

PKI Error -1226 A certificate was not found in the NDS tree certificate authority (CA) object or Server Certificate Object (also known as the Key Material Object).

Converted .pem to .der and same error. I then created the Trusted Roots Container and added the following there :

$ file 04-LAWtrustPrivateRootCA.der
04-LAWtrustPrivateRootCA.der: data


Tried importing the signed certificate again but the same error.

Note that I am using the latest 2.x iManager and latest plugins.

What am I missing ?

Regards

Shaun
Knowledge Partner

Re: Unable To Import Signed Certificates

On 02/28/2019 07:56 AM, shaunglass wrote:
>
> We are having to use signed certificates as opposed to self-signed
> certificates. In iManager I created the .CSR and provided it to our
> Security Department to do the signing. At the end I was provided with :
>
> Unsigned
>
> $ file 01-server.csr
> 01-server.csr: RFC1421 Security Certificate Signing Request, ASCII text,
> with CRLF line terminators
>
> Signed
>
> $ file 02-server.pem
> 02-server.pem: PEM certificate


The 'file' command is good at some things, but it probably will not tell
you if this file is just the one cert, or if it includes the full chain.
It might help to actually see the file, or at least understand how many
certs are in there.

> Chain & Root Certificate
>
> $ file 03-LAWtrustPrivateTLSCA01.crt
> 03-LAWtrustPrivateTLSCA01.crt: PEM certificate
>
> $ file 04-LAWtrustPrivateRootCA.der
> 04-LAWtrustPrivateRootCA.der: data


Having PEM and DER seems odd; just go with PEM everywhere, because DER is
silly. 🙂 The 'openssl' command is an easy way to convert from one to
another. This is an untested freehand version that I think will work for
you, but feel free to verify w/x509 manpage, Google, etc.:


openssl x509 -in 04-LAWtrustPrivateRootCA.der -inform DER -out 04-LAWtrustPrivateRootCA.pem -outform PEM


Once you have all three PEM bits (cert, intermediate, and CA) you can put
them all together (open text editor, paste in cert, then intermediate,
then root cert PEM data) and save that out to a new thing that can be
imported via iManager.

> Now I tried to import the signed certificate but get the following error
> :
> PKI Error -1226 A certificate was not found in the NDS tree certificate
> authority (CA) object or Server Certificate Object (also known as the
> Key Material Object).
>
> Converted .pem to .der and same error. I then created the Trusted Roots
> Container and added the following there :
>
> $ file 04-LAWtrustPrivateRootCA.der
> 04-LAWtrustPrivateRootCA.der: data


The format does not matter; a PEM and DER file are the same thing, but
just different formats. Because PEM is easier to work with, I recommend
using that over DER, especially when trying to create a single file with
the whole chain, which I do not think you can do with DER like you can
with PEM. PEM is just base64-encoded data, basically, which is
wonderfully easy to manage.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
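
As an added example (not part of the reply above), these shell functions answer the two questions it raises: how many certificates a file holds, and whether a combined PEM file is ordered certificate, intermediate, root. The function names are assumptions for illustration, and `openssl` is assumed to be on the PATH.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are assumptions.

# Number of certificates in a PEM file; 0 means DER or not a certificate.
pem_cert_count() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Emit a certificate as PEM whether it arrived as PEM or as DER.
to_pem() {
    if [ "$(pem_cert_count "$1")" -gt 0 ]; then
        cat "$1"
    else
        openssl x509 -inform DER -in "$1" -outform PEM
    fi
}

# One "subject<TAB>issuer" line per certificate, in file order.
bundle_names() {
    openssl crl2pkcs7 -nocrl -certfile "$1" |
        openssl pkcs7 -print_certs -noout |
        awk '/^subject=/ { s = substr($0, 9) }
             /^issuer=/  { print s "\t" substr($0, 8) }'
}

# Succeed when each certificate is issued by the next one in the file
# (certificate, intermediate, root) and the last one is self-issued.
# This compares names only; it does not check signatures.
chain_in_order() {
    bundle_names "$1" | awk -F '\t' '
        NR > 1 && $1 != want { bad = 1 }
        { want = $2; last = $1 }
        END { exit !(NR > 0 && !bad && want == last) }'
}

# Usage: sh inspect.sh combined.pem
if [ "$#" -ge 1 ]; then
    echo "certificates: $(pem_cert_count "$1")"
    bundle_names "$1"
    if chain_in_order "$1"; then echo "order: ok"; else echo "order: wrong or incomplete"; fi
fi
```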
shaunglass
New Member.

Re: Unable To Import Signed Certificates

Morning,

Well I have requested certificates in a .pem format and still no success. Still the same error ... even when putting into the same file :

PKI Error -1226 A certificate was not found in the NDS tree certificate authority (CA) object or Server Certificate Object (also known as the Key Material Object).

iManager is up to date as well as plugins. I even tried working with the people that are responsible for signing the certificates. I have basically followed this guide:

https://support.microfocus.com/kb/doc.php?id=3033173

I am thinking that maybe I should have done something before the steps in the article above. By the way, I do have a Trusted Roots container and even tried with the Root and Chain certificates from the organization that signs certificates imported there.

Regards
Knowledge Partner

Re: Unable To Import Signed Certificates

Well, for starters, the "latest" iManager is 3.x, not 2.x. Shouldn't matter for this.

I don't see that you're ever building an importable certificate file. So:

1. Make a CSR request details file like:


[req]
default_bits = 4096
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn

[ dn ]
C=US
ST=Illinois
L=DeKalb
O=MyCompany, Inc.
OU=IT
CN = HOSTNAME

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = HOSTNAME



2. Get your private key (cert.key) and CSR (cert.csr) with something like:


openssl req -new -sha256 -nodes -out cert.csr -newkey rsa:4096 -keyout cert.key -config <( sed "s/HOSTNAME/yourhost.yourcompany.com/" csr_details.txt )


3. Send the CSR off to be signed. Get your signed reply in PEM format if possible.

4. Combine the PEM format certificate, with the intermediate and root signing certs.


cat cert.pem Intermediate-CA Root-CA > cert.crt


5. Build a PFX:


openssl pkcs12 -export -out cert.pfx -inkey cert.key -in cert.crt -password pass:secret


Now go to iManager, find the "Create Server Certificate" tasks, and on the first page, choose the "import" option. Pick a server object, and give it a name. Follow the prompts from there.
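
As an added example (not part of the reply above), these checks can run between steps 4 and 5: confirm that cert.key belongs to the signed certificate, that the certificate verifies through the intermediate to the root, and that it names the host. The function names are assumptions for illustration; the file roles follow the reply.

```sh
#!/bin/sh
# Added example, not from the thread. Function names are assumptions.

# Succeed when the private key and the certificate hold the same public key.
# A certificate signed from a different CSR will fail this check.
key_matches_cert() {   # usage: key_matches_cert cert.key cert.pem
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$crt_pub" ]
}

# Succeed when the certificate chains to the root through the intermediate.
chain_verifies() {     # usage: chain_verifies Root-CA Intermediate-CA cert.pem
    openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>/dev/null | grep -q ': OK$'
}

# Succeed when the certificate is valid for the host name (SAN, else CN).
cert_names_host() {    # usage: cert_names_host cert.pem yourhost.yourcompany.com
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Run every check, report each failure, succeed only if all pass.
pfx_preflight() {      # usage: pfx_preflight key cert intermediate root host
    rc=0
    key_matches_cert "$1" "$2" || { echo "key does not match certificate" >&2; rc=1; }
    chain_verifies "$4" "$3" "$2" || { echo "chain does not verify" >&2; rc=1; }
    cert_names_host "$2" "$5" || { echo "certificate does not name $5" >&2; rc=1; }
    return "$rc"
}

# Usage: sh preflight.sh cert.key cert.pem Intermediate-CA Root-CA yourhost.yourcompany.com
if [ "$#" -eq 5 ]; then pfx_preflight "$@"; fi
```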