Error in creating keystore for wM 8.2 IS using Portecle

Dear All,

I am trying to configure a 2-way SSL handshake between IS and an external partner. We will be using web services to send and receive the XML files. I have created a .der encoded private key certificate, raised the CSR and got a .crt certificate from the CA. The CRT certificate received looks like
-----BEGIN PKCS7-----

XYZwefwefwe

-----END PKCS7-----

Now, the admin guide suggested creating a keystore using tools like Portecle and OpenSSL. I am using Portecle and was able to create a keystore of type PKCS#12 and saved it [after giving a password]. Then, when I tried to import the .crt public certificate, it showed an error stating that

"Only one certificate can be imported as a trusted certificate. The certificate file contained more than one certificate. The import cannot proceed".

I am assuming that the certificate provided to me by the CA contains the public certificate along with the CA root and intermediate certificates.

I am new to this SSL configuration and as per my understanding we need to create a keystore having the public key and private key stored as a pair, which I can't proceed to as I am unable to import my certificate itself. I understand I am doing something wrong here and it would be great if someone could guide me accordingly.

Requesting expert opinion on how to tackle this situation in the best way so that I can create my keystore and go ahead with the keystore alias configuration.

Thanks and cordial regards,
Kushal

Have you also tried selecting this type when you are configuring keystore?

Type JKS
Provider SUN

HTH,
RMG

Hi RMG,

Thanks for replying. Firstly wishing you a very Happy New Year.

Actually, I have not reached the stage where I can set the keystore alias. I understand that I need to create the keystore file and place my public and private key pair in the keystore. Then I need to place the keystore file in my IS folder and record the path. This path needs to be provided while configuring the keystore alias in IS > Security > Keystore [Kindly correct me if I am wrong].

I am stuck with the keystore file creation itself because I am unable to import my public certificate using Portecle due to the multiple-certificate chain [public key + CA Root + CA intermediate]. Please let me know if I should provide more details which might help you to further understand my issue.

Thanks and cordial regards,
Kushal

Also, if you meant using the JKS option in Portecle while creating the keystore... then I have tried that as well while creating the keystore. Then, when I try to import the certificate, I still get the same error for multiple certificates.

Thanks and regards,
Kushal

Are you sure your CA cert chain is valid and there are no issues with your public/private key combination?

HTH,
RMG

Hi RMG,

I have checked the certificate chain. It is a valid one, but the only reason why the import is failing seems to be the 3 certificates in the same file.

The .CRT certificate, when opened in TextPad, looks like below:

-----BEGIN PKCS7-----

some random text

-----END PKCS7-----

Do I need to split the file to extract all 3 certificates? I just need to make a keypair using this crt file with the public key and the .der file with my private key.

Kindly suggest.

Thanks and regards,
Kushal Bangabash

Yes you don't all 3 files in the same file which you have in .p7b format and trying?

HTH,
RMG

Sure... let me try that and get back to you.

Thanks and regards,
Kushal

OK give it a shot:

Hi RMG,

I am able to import my certificates into the keystore now. When I split the certificate file I got from my CA, I found the below certificates:
- Root CA
- Intermediate CA
- public certificate
I have imported these 3 certificates in the order Root, Intermediate and public as of now.

Next, I need to import the private certificate into the keystore to complete the JKS keystore. My private certificate is in .der format and Portecle is not able to import it in the present format. Do I need to convert it to a PKCS#12 file (*.p12 or *.pfx)? If so, then how do I do that?

Requesting your help for the same.

Thanks and regards,
Kushal

You may try this site also to convert.

Thanks RMG.

Saw the site. It's very useful and quick, but will it be safe to convert my private key using an external site? Not accusing anyone, but from a safety point of view, if anyone stores my private key, our transactions can be at risk.

Kindly let me know your views on this.

Thanks and regards,
Kushal Bangabash

Yes, there is an added risk sharing a private key online :frowning: but a few have used it already and whatever works for them:

Yes, thought so...

Thanks for double confirming, as I don't want to take this risk. I'll better work on installing OpenSSL and try converting the private key manually there :slight_smile:

Will be back with updates...

Thanks and regards,
Kushal

Hi RMG,

I have now created the keystore and truststore using Portecle. I had to re-request the certificates as the private key was corrupted.

Now, since our IS will be both producing and consuming web services, I have set up the keystore and truststore aliases in the IS admin console. Next, the admin guide speaks of creating an HTTPS port for incoming requests.

I need to ask if I require the CA certificates from our external partner to be placed in the truststore as well, or if only the public certificate of the partner will do.

Thanks and regards,
Kushal

@KB:

You need to import the complete CA certificate chain. You need to keep [pub key + CA Certificates] in the trust store.

HTH.

Thanks,
Rankesh
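
The two mechanics this thread has covered so far, splitting the CA's PKCS#7 bundle into single certificates and building a PKCS#12 keystore from the private key plus that chain, together with Rankesh's point above that the partner's full CA chain belongs in the truststore, can all be exercised offline with the OpenSSL command line. The script below is an added example, not code from the thread or from the product vendor. It generates its own throwaway root/intermediate/leaf chain so it needs nothing from a real CA; the names demo-root, demo-intermediate and is-server.example, the alias is-server and the password changeit are constructed placeholders.

```shell
#!/bin/sh
# Added example: a constructed CA chain stands in for the real one, so this
# runs offline with nothing but the openssl CLI and awk.
set -eu

WORK=$(mktemp -d)
CFG="$WORK/ext.cnf"
PASS="changeit"   # constructed placeholder password for the PKCS#12 file

# Self-contained config so req/x509 never depend on the system openssl.cnf.
cat > "$CFG" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
EOF

q() { "$@" >/dev/null 2>&1; }   # quiet wrapper for chatty openssl commands

# Build root -> intermediate -> leaf (constructed names), save the leaf key as
# DER (like the .der file in the thread) and bundle the three certs as PKCS#7,
# the "-----BEGIN PKCS7-----" form the CA's .crt arrived in.
build_demo_chain() {
  cd "$WORK"
  q openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config "$CFG" \
    -extensions v3_ca -subj "/CN=demo-root" -keyout root.key -out root.crt
  q openssl req -new -newkey rsa:2048 -nodes -config "$CFG" \
    -subj "/CN=demo-intermediate" -keyout int.key -out int.csr
  q openssl x509 -req -days 30 -in int.csr -CA root.crt -CAkey root.key \
    -CAcreateserial -extfile "$CFG" -extensions v3_ca -out int.crt
  q openssl req -new -newkey rsa:2048 -nodes -config "$CFG" \
    -subj "/CN=is-server.example" -keyout leaf.key -out leaf.csr
  q openssl x509 -req -days 30 -in leaf.csr -CA int.crt -CAkey int.key \
    -CAcreateserial -extfile "$CFG" -extensions v3_leaf -out leaf.crt
  q openssl pkey -in leaf.key -outform DER -out leaf-key.der
  q openssl crl2pkcs7 -nocrl -certfile leaf.crt -certfile int.crt \
    -certfile root.crt -out bundle.p7b
  cat root.crt int.crt > ca-chain.pem   # what a partner's truststore needs
}

# Unpack the PKCS#7 bundle into cert-1.pem, cert-2.pem, ... and print the count.
split_bundle() {
  cd "$WORK"
  openssl pkcs7 -print_certs -in bundle.p7b -out all.pem
  awk '/-----BEGIN CERTIFICATE-----/ { n++; f = "cert-" n ".pem" }
       /-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/ { print > f }' all.pem
  ls cert-*.pem | wc -l | tr -d ' '
}

# SHA-256 of a PEM public key read from stdin; used to pair key with cert.
pub_fp() { openssl pkey -pubin -outform DER | openssl dgst -sha256; }

# Print the split certificate whose public key matches the DER private key;
# that pair, not the CA certs, is what the keystore entry is built from.
find_cert_for_key() {
  cd "$WORK"
  want=$(openssl pkey -inform DER -in leaf-key.der -pubout | pub_fp)
  for c in cert-*.pem; do
    got=$(openssl x509 -in "$c" -noout -pubkey | pub_fp)
    [ "$got" = "$want" ] && { echo "$c"; return 0; }
  done
  return 1
}

# Assemble keystore.p12: private key + its certificate + the CA chain under one
# alias, the shape Portecle or keytool can open; print the cert count inside.
build_p12() {
  cd "$WORK"
  leaf=$(find_cert_for_key)
  openssl pkey -inform DER -in leaf-key.der -out leaf-key.pem
  : > chain.pem
  for c in cert-*.pem; do [ "$c" = "$leaf" ] || cat "$c" >> chain.pem; done
  q openssl pkcs12 -export -name is-server -inkey leaf-key.pem -in "$leaf" \
    -certfile chain.pem -passout "pass:$PASS" -out keystore.p12
  openssl pkcs12 -in keystore.p12 -passin "pass:$PASS" -nokeys -nodes 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

# Truststore check: verify the leaf against a trust file, print ok or FAIL.
verify_with() {
  cd "$WORK"
  if openssl verify -CAfile "$1" leaf.crt >/dev/null 2>&1; then echo ok; else echo FAIL; fi
}

build_demo_chain
echo "certificates in the PKCS#7 bundle : $(split_bundle)"
echo "certificate matching the DER key   : $(find_cert_for_key)"
echo "certificates inside keystore.p12   : $(build_p12)"
echo "leaf vs truststore = root only     : $(verify_with root.crt)"
echo "leaf vs truststore = root+interm.  : $(verify_with ca-chain.pem)"
```

The last two lines are the truststore lesson in miniature: with only the root in the trust file the partner's leaf does not verify, because the intermediate that signed it is missing; with root plus intermediate it does. The key-to-certificate matching step is also why Portecle cannot build the pair from the bundle alone: it needs the private key and exactly the certificate issued for it, with the CA certificates supplied as the chain.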

Also, when I try to enable my HTTPS port, I am getting the below error

Failed to start HTTPSListener@443: Permission denied (errno:13)

I have set up the port as 443 and listener-specific credentials... when I check the server log, I get the message

[7]2014-02-12 10:03:01 EST [ISC.0006.0008I] Listener loaded certificate authorities from location trustStore_XYZ_root
[6]2014-02-12 09:59:35 EST [ISC.0006.0008I] Listener loaded certificate authorities from location trustStore_XYZ_root
[5]2014-02-12 09:57:39 EST [ISC.0006.0008I] Listener loaded certificate authorities from location trustStore_XYZ_root

Please help in understanding what i am missing here.

Thanks and regards,
Kushal

Thanks Rankesh.

You mean the same truststore in which I have kept my CA root certificate?

Also, just clarifying that I have actually placed the client's public certificate in the Security > Certificates > Configure Client Certificates section by specifying the certificate's IS location, mapped to a user and set usage as 'SSL authentication'. If I am getting this right, then I need to get the CA certificates of my client and add them to the truststore I am maintaining to keep my CA root certificate??

Thanking in advance,
Kushal

@KB,

For the HTTPS port, did you define the keystore alias, truststore alias [if you want client authentication on the port] and key alias?

Yes, you are correct.

Thanks,
Rankesh

Yes, I had set the listener-specific details, i.e. keystore, key alias and the truststore. But the issue is resolved by changing the port number to a four-digit number.

Earlier, I was using the default 443 but it was throwing the access denied error. When I tried playing with a different number, it enabled the listener port.

Not sure why it was failing for 443 only though...??

Thanks and regards,
Kushal