In external application “KeyStore Explorer” I have create a pfx file containing a sign and a crypt certificate just like we normally do. The new thing this time is, that the CA/root certificate used is now 4096 bytes whereas it was previously 2048 bytes.
Error message is:
"Error: cannot load the keystore for alias ‘xx’. Details: attempt to initialize keystore using location(config\security\keystore\danskebank-live_v2.pfx) failed.
Question: Does webMethods 10.3 support certificates of 4096 bytes and where can I see if it does?
Question: Do you have any idea why this fails? I am pretty sure, that the provided password is correct and that the location specified is also correct and the .pfx file looks also correct in KeyStore Explorer.
I really hope this can be solved…
we have confirmed that it is not the issue with the key of length 4096 bits.
might it be that the IS is not able to detect which one of the two certificates (sign or crypt) should be used for the Keystore?
Best Practise in my opinion is, to collect all Root and Intermediate CAs in a separate truststore jks-file and one end certificate with its private key in a dedicated P12-Keystore-File each.
After loading all these stores under Keystore section you can the map the certificates under the Certificates section to the designated purposes.
See IS Administrators Guide for further informations.
Thanks for the reply. However, it has been working with this setup before and also currently in our prod environment:
kind regards Mikael
in this case you should try to increase log level to see why the IS is unable to load the keystore.
Hopefully you will get a more detailed error message then.
Increasing the log level unfortunately gave me nothing extra to go by. Any other suggestions?
Kind regards and have a nice weekend
If increasing the logging level for facility 139 Keystore to trace hasn’t shed any light in the server log, Then I would suggest looking into the Error logs at Admin UI->Logs->Error Log with the stacktrace expanded to give you more hints.
It could be a file system related issue as well.
thanks for your answer. Maybe I set up the trace logging wrongly. Would it be possible for you to specify, exactly how I should set up the extended logging to retrieve the details error message when I try to create a new keystore Alias?
Kind regards Mikael
It turned out, that the reason was, that we were using a version of Keystore Explorer which was not compatible with webMethods 10.3 seemingly. Using Keystore Explorer version 5.44 together with java version jdk 8. 261 did the trick