Active IQ Unified Manager Discussions

Install https certificate on OCUM server appliance 6.2

francoisbnc

I tried to install a certificate in PEM format on an OCUM 6.2 appliance.

The following message appears even though the certificate chain is integrated in the file.

"a valid full certificate chain from the host certificate to the certificate authority's certificate must be provided."

 

I don't know what's happening here or how to solve this.

 

Help appreciated.

Regards,

François

 

 

1 ACCEPTED SOLUTION

ANTONIO_CHIARIZIA_CT

Francois,

 

I just ran into the same issue as you did with OCUM 6.2 and was able to resolve it. Your CA probably issues certs in a .p7b format. So what you need to do is convert the file to .cer via OpenSSL. Below are the commands:

 

openssl pkcs7 -print_certs -in <path to .p7b> -out <path to .cer>

 

Once I converted the certificate, it imported successfully.

 

Thanks!


ostiguy

Hey Francois,

 

I am not an OCUM guy, but I know a thing or two about PKI.

 

That error message basically is saying that you are trying to install a host cert into a system, but that system's certificate store does NOT trust the signing authority that the host cert was signed by. Windows has its own cert store, but applications may have their own - I am an OCI SE, and OCI has its own Java keystore that by default has a self-signed cert in it to support SSL.

 

You may need to first install the signing certificate authority's public cert into OCUM before the host cert.

 

Most serious certificate deployments involve an offline root authority, and the day to day certificates are signed by intermediate certificate authorities.

 

You may need to install both the intermediate CA certs, as well as the root CA cert (if the root is not already trusted), before installing the host cert.

 

Earlier this week I was helping a customer get signed host certs working in OCI - we needed to delete the self-signed cert, install the root cert, 2 intermediate CA certs, and the host cert.

 

Matt

francoisbnc

Hello Matt,

As far as I can see, I don't have many choices for installing certificates, as it's an appliance where I don't have root access.

I tried to install them separately, starting with the root authority, but the same message appears.

François


trentino123

Francois,

 

You might need a (local) certificate authority. Once you provide them the existing OCUM certificate and the server name, in my case they provided a full chain p7b, which was later converted to PEM format and later renamed to .cer.

 

It sometimes needs troubleshooting with someone knowledgeable on the CA side.

 

Please advise.

 

Thanks.


marz

And an addition to the order of the file you are importing.  The cert data must be in a specific order, what I will call "inside out".

 

<start PEM cert chain file, this line should not be included in the cert chain file>
OPM or UM host cert (PEM format)
Intermediate #1 (if present, PEM format)
Intermediate #2 (if present, PEM format)
Intermediate … (if needed, PEM format)
Root (PEM format)
<end of PEM cert chain file, this line should not be included in the cert chain file>

You will need at least two entries in the cert chain file:  OPM or UM (host) and the Root (CA cert).

 

The error message "a valid full certificate chain from the host certificate to the certificate authority's certificate must be provided." alludes to this "inside-out" format, which is why I added the clarification above.
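
The conversion and ordering steps from this thread can be checked before uploading. The following is an added example, not part of the original posts and not NetApp code: it reads a PEM bundle (ignoring the `subject=`/`issuer=` text lines that `openssl pkcs7 -print_certs` writes between blocks) and rewrites it in host, intermediates, root order. It chains certificates by comparing issuer and subject names only and does not verify signatures; the function names are hypothetical.

```python
import base64, re, sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_subject(der):
    """Return the raw DER Names (issuer, subject) of one X.509 certificate."""
    _, p, _ = _tlv(der, 0)                     # enter Certificate
    _, p, _ = _tlv(der, p)                     # enter tbsCertificate
    tag, _, end = _tlv(der, p)
    if tag == 0xA0:                            # skip explicit [0] version
        p = end
    fields = []
    for _ in range(5):                         # serial, sigAlg, issuer, validity, subject
        _, _, end = _tlv(der, p)
        fields.append(der[p:end])
        p = end
    return fields[2], fields[4]

def order_chain(bundle):
    """Return the bundle's PEM blocks ordered host, intermediates, root."""
    certs = []
    for pem in PEM_RE.findall(bundle):
        body = "".join(pem.splitlines()[1:-1])
        certs.append((pem, *issuer_subject(base64.b64decode(body))))
    by_subject = {c[2]: c for c in certs}
    issuers = {c[1] for c in certs if c[1] != c[2]}
    hosts = [c for c in certs if c[2] not in issuers]   # nothing here was issued by it
    if len(hosts) != 1:
        raise ValueError("expected exactly one host certificate, found %d" % len(hosts))
    chain = [hosts[0]]
    while chain[-1][1] != chain[-1][2]:        # walk up until a self-signed root
        parent = by_subject.get(chain[-1][1])
        if parent is None or parent in chain:
            raise ValueError("chain is incomplete: an issuer certificate is missing")
        chain.append(parent)
    if len(chain) < 2:
        raise ValueError("need at least the host certificate and the root")
    return "\n".join(c[0] for c in chain) + "\n"

if __name__ == "__main__":
    sys.stdout.write(order_chain(open(sys.argv[1]).read()))
```

Run it against the converted file and upload the output; a `ValueError` means the bundle is missing an intermediate or root, or contains unrelated certificates.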
