ScorpionSting

Unable to Import Key, Error code:-1232

So, I'm trying to get an ECDSA intermediate CA into eDirectory, but importing the PFX files results in the -1232 error.

The root is an OpenSSL-generated one with a secp384r1 curve key and SHA-512.

The intermediate key is also secp384r1, with the SHA-512 cert signed by the root and bundled as a PFX.

OpenSSL's secp384r1 is the P-384 curve, which meets the eDirectory documentation requirements.

The PKI plugin is also the latest, 9.0.4.20170923, with eDir 9.0.4.

I see from the list of fixes that the following was apparently resolved in 9.0.2:

- PKI: Server Certificate creation fails with error: -1232 (Bug 993452)

Visit my Website for links to Cool Solution articles.
ScorpionSting

Re: Unable to Import Key, Error code:-1232

Hmmm... dstrace=+PKII shows:

3662751488 PKII: [2017/10/31 12:12:51.079] Failed to verify subject name for CA with existing subject name (-1232) 

ScorpionSting

Re: Unable to Import Key, Error code:-1232

Got it... both the RSA subject and the ECDSA subject must match... but openssl was enforcing unique subjects, so I had to hack it so I could re-generate the same subject with a different key.

Knowledge Partner

Re: Unable to Import Key, Error code:-1232

Argh... I was too slow trying to verify assumptions, and in the meantime
you just fixed it.

If you can share your hacks/commands to reach the resolution, that may help
a lot of folks, as you know.


--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below.

If you want to send me a private message, please let me know in the
forum as I do not use the web interface often.
Knowledge Partner

Re: Unable to Import Key, Error code:-1232

-1232 means there is a problem with the Subject Name, some kind of
mismatch, I believe:

https://www.novell.com/documentation/nwec/?page=/documentation//nwec/nwec/data/al45xx1.html

With that in mind, I am not sure why you would have a subject name
mismatch problem when importing a CA as a whole item from a PFX file.
Since this is an intermediate CA, have you tried creating a new Trusted
Root object importing the PEM file for that CA into the trusted root? I
do not know why that would help, unless eDirectory is verifying the CA for
your intermediate CA is somewhere within eDir, but then the error message
seems to be a bit off.

Have you tried this with any other certificates, maybe boring old RSA
stuff? Have you tried with an older version of eDirectory and/or iManager?

I guess I need to get something upgraded to 9.0 SP4 in my own environment
so I can tinker with this. If you want to share the commands you are
using (if applicable) to create the root and intermediate CAs, that could
lead to easier duplication for whomever.

ScorpionSting

Re: Unable to Import Key, Error code:-1232

RSA is required... when importing, you have to import a PKCS12 RSA with an optional PKCS12 ECDSA, so the two certs' subjects have to match; that's where the comparison is done.

Depending on how you work your openssl config file, I needed to remove the entry from "database" (in my case index.txt) and change the "serial" file (in my case serial)... that way both RSA and ECDSA were given the same serial # as far as the Root is concerned, and there are no problems having the same subject.

ScorpionSting

Re: Unable to Import Key, Error code:-1232

Actually, I found an index.txt.attr file that had:

unique_subject = yes


Trying "no" to see if I can re-sign with the same subject.

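A worked reproduction of the OpenSSL side of this thread, added here as an example (it is not code from the thread, from the poster or from Micro Focus): it builds a throwaway secp384r1 root with `openssl ca`, signs an RSA intermediate and then an ECDSA intermediate with the identical subject, shows the refusal that `openssl ca` produces once its first run has recorded `unique_subject = yes` in index.txt.attr, flips that attribute to `no` as the last post does, and bundles each intermediate with its key into a PKCS#12 file ready for the RSA-plus-optional-ECDSA import. The CA names, file names, key sizes and the PKCS#12 password are assumptions for illustration. Flipping `unique_subject` lets the two certificates share a subject while each still draws its own serial number from the `serial` file, which is the form of the fix to prefer: reusing one serial number for two certificates under the same issuer (the earlier workaround of editing `serial` and `index.txt`) violates RFC 5280's requirement that serials be unique per issuer, and anything that identifies a certificate by issuer and serial, such as a CRL entry, can no longer tell the two apart.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce the openssl "unique_subject"
# refusal and the index.txt.attr fix, then bundle an RSA and an ECDSA intermediate
# that share one subject as PKCS#12.  Names, paths and the password are assumptions.
set -eu

# Build a throwaway CA under $1.  Returns 0 when both intermediates carry the
# same subject, different serials, and both verify against the root.
build_dual_intermediates() {
    dir=$1
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"
    echo 1000 > "$dir/serial"
    # Minimal config: [lab_ca] drives "openssl ca"; [req]/[req_dn] keep "openssl req"
    # off the system openssl.cnf.  unique_subject is deliberately left unset so the
    # first "openssl ca" run records the default ("yes") in index.txt.attr.
    cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = lab_ca
[ lab_ca ]
dir             = $dir
database        = \$dir/index.txt
serial          = \$dir/serial
new_certs_dir   = \$dir/newcerts
certificate     = \$dir/root.crt
private_key     = \$dir/root.key
default_md      = sha512
default_days    = 1825
policy          = policy_any
x509_extensions = v3_intermediate
[ policy_any ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_root ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_intermediate ]
basicConstraints       = critical, CA:TRUE, pathlen:0
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
    # Root: P-384 (secp384r1) key, self-signed with SHA-512, as in the question.
    openssl ecparam -name secp384r1 -genkey -noout -out "$dir/root.key"
    openssl req -new -x509 -sha512 -days 3650 -config "$dir/openssl.cnf" \
        -extensions v3_root -key "$dir/root.key" -subj "/CN=Lab Root CA" \
        -out "$dir/root.crt" 2>/dev/null
    # CSRs for an RSA and a P-384 intermediate with the identical subject.
    openssl genrsa -out "$dir/inter-rsa.key" 2048 2>/dev/null
    openssl ecparam -name secp384r1 -genkey -noout -out "$dir/inter-ec.key"
    for alg in rsa ec; do
        openssl req -new -sha512 -config "$dir/openssl.cnf" \
            -key "$dir/inter-$alg.key" -subj "/CN=Lab Intermediate CA" \
            -out "$dir/inter-$alg.csr" 2>/dev/null
    done
    # First signing succeeds and creates index.txt.attr with unique_subject = yes.
    openssl ca -batch -notext -config "$dir/openssl.cnf" \
        -in "$dir/inter-rsa.csr" -out "$dir/inter-rsa.crt" >/dev/null 2>&1
    # Second signing for the same subject must be refused while that is "yes".
    if openssl ca -batch -notext -config "$dir/openssl.cnf" \
            -in "$dir/inter-ec.csr" -out "$dir/inter-ec.crt" >/dev/null 2>&1; then
        echo "unexpected: openssl ca accepted a duplicate subject" >&2
        return 1
    fi
    # The fix from the last post: index.txt.attr overrides openssl.cnf, so flip it
    # there.  The serial file is untouched, so the ECDSA cert gets its own serial.
    printf 'unique_subject = no\n' > "$dir/index.txt.attr"
    openssl ca -batch -notext -config "$dir/openssl.cnf" \
        -in "$dir/inter-ec.csr" -out "$dir/inter-ec.crt" >/dev/null 2>&1
    # One PKCS#12 per key type: RSA is the mandatory import, ECDSA the optional one.
    for alg in rsa ec; do
        openssl pkcs12 -export -passout pass:changeit \
            -inkey "$dir/inter-$alg.key" -in "$dir/inter-$alg.crt" \
            -certfile "$dir/root.crt" -out "$dir/inter-$alg.pfx"
    done
    # Checks: same subject (what eDirectory compares), distinct serials, valid chain.
    openssl verify -CAfile "$dir/root.crt" "$dir/inter-rsa.crt" "$dir/inter-ec.crt" >/dev/null
    subj_rsa=$(openssl x509 -noout -subject -in "$dir/inter-rsa.crt")
    subj_ec=$(openssl x509 -noout -subject -in "$dir/inter-ec.crt")
    ser_rsa=$(openssl x509 -noout -serial -in "$dir/inter-rsa.crt")
    ser_ec=$(openssl x509 -noout -serial -in "$dir/inter-ec.crt")
    [ "$subj_rsa" = "$subj_ec" ] && [ "$ser_rsa" != "$ser_ec" ]
}

# Usage: run the whole thing in a temp dir (skipped when openssl is not installed).
if command -v openssl >/dev/null 2>&1; then
    workdir=$(mktemp -d)
    build_dual_intermediates "$workdir" && echo "bundles written to $workdir"
fi
```

The config leaves `unique_subject` unset on purpose so the script hits the same wall the poster did; on a CA you operate for real, set `unique_subject = no` in the `[ca]` section before the first signing (or edit index.txt.attr afterwards, since the attribute file wins over the config once it exists), and keep both the `serial` file and `index.txt` as `openssl ca` maintains them.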