I am trying to configure 2 way SSL handshake between IS and external partner. We will be using web services to send receive the XML files. I have created a .der encoded private key certificate, raised the CSR and got a .crt certificate from the CA. The CRT certificate received looks like
-----BEGIN PKCS7-----
XYZwefwefwe
-----END PKCS7-----
Now, the admin guide suggested to create a keystore using tools like Portecle and OpenSSL. I am using Portecle and was able to create a keystore of type PKCS#12 and saved it [after giving a password]. Then, when i tried to import the .crt public certificate, it is showing an error stating that
āOnly one certificate can be imported as a trusted certificate. The certificate file contained more than one certificate. The import cannot proceedā.
I am assuming that the certificate provided to me by the CA is having the public certificate along with the CA root and intermediate certificates.
I am new to this SSL configuration and as per my understanding we need to create a keystore having the public key and private key stored as a pair, which i canāt proceed to as i am unable to import my certificate itself. I understand i am doing something wrong here and it be great if someone can guide me accordingly.
Requesting for expert opinion in how to tackle this situaction in the best way so that i can create my keystore and go ahead with the keystore alias configuration.
Thanks for replying. Firstly wishing you a very Happy New Year.
Actually, i have not reached the stage where i can set the keystore alias. I understand that i need to create the keystore file and place my public and private key pair in the keystore. Then i need to place the keystore file in my IS folder and record the path. This path needs to be provided while configuring the keystore alias in IS>Security>keystore [Kindly correct me if i am wrong].
I am stuck up with the keystore file creation itself because i am unable to import my public certificate using Portecle due to multiple certificate chain [public key + CA Root + CA intermediate]. Please let me know if i should provide you more details which might help you to further understand my issue.
Also, if you meant using the JKS option in Portecle while creation of the keystore,ā¦then i have tried that as well while creating the keystore. Then, when i try to import the certificate, i still got the same error for multiple certificates.
I have checked the certificate chain. It is a valid one but the only reason why the import is failing seems to be due to 3 certificates in the same file.
The .CRT certificate when opened in textpad looks like below:-
-----BEGIN PKCS7-----
some random text
-----END PKCS7-----
Do i need to split the file to extract all the 3 certificates. I just need to make a keypair using this crt file with the public key and the .der file with my private key.
I am able to import my certificates in keystore now. When i split the certificate file i got from my CA, i found the below certificates:-
-Root CA
-Intermediate CA
-public certificate
I have imported these 3 certificates in the order Root, intermediate and public as of now.
Next, i need to import the private certificate in the keystore to complete the JKS keystore. My private certificate is in a .der format and Portecle is not able to import it in the present format. DO i need to convert it to PKCS#12 file (*.p12 or *.pfx) ?? If so, then how do i do that ??
Saw the site. Itās very usefull and quick but will it be safe to convert my private key using an external site. Not accusing anyone but from safety point of view, if anyone stores my private key, our transactions can be at risk.
Thanks for double confirming as i donāt want to take this risk. Iāll better work on installing OpenSSL and try converting the private key manually there
I have now created the keystore and truststore using portecle. I had to re-request the certificates again as the private key was corrupted.
Now, since our IS will be both producing and consuming web services, i have set up the keystore and truststore aliasās in IS admin console. Next, the admin guide speaks of creating an HTTPs port for incoming requests.
I need to ask if i require the CA certificates as well from our external partner to be placed in the trusstore or only the public certificate of the partner will do.
You mean the same truststore in which i have kept my CA root certificate.
Also, just clarifying that i have actually placed the clientās public certificate in the Security > Certificates > Configure Client Certificates section by specifying the certificate IS location, mapped to an user and set usage as āSSL authenticationā. If i am getting this right, then i need to get the CA certificates of my client and add it to the truststore i am maintaining to keep my CA root certificate. ??
Yes, i had set the listener specific details i.e keystore, key alias and the truststore. But the issue is resolved by changing the port number to a four digit numbmer.
Earlier, i was using default 443 but it was throwing the access denied error. When i tried playing with a different number, it enabled the listener port.
Not sure why it was failing for 443 only thoughā¦??
but few used it already and what ever works for them: