Active IQ Unified Manager Discussions
I tried to install a certificate in PEM format on an OCUM 6.2 appliance.
The following message appears even though the certificate chain is included in the file.
"a valid full certificate chain from the host certificate to the certificate authority's certificate must be provided."
I don't know what's happening here or how to solve this.
Help appreciated.
Regards,
François
Hey Francois,
I am not an OCUM guy, but I know a thing or two about PKI.
That error message basically is saying that you are trying to install a host cert into a system, but that system's certificate store does NOT trust the signing authority that the host cert was signed by. Windows has its own cert store, but applications may have their own - I am an OCI SE, and OCI has its own java keystore that by default has a self-signed cert in it to support SSL.
You may need to first install the signing certificate authority's public cert into OCUM before the host cert.
Most serious certificate deployments involve an offline root authority, and the day to day certificates are signed by intermediate certificate authorities.
You may need to install both the intermediate CA certs, as well as the root CA cert (if the root is not already trusted), before installing the host cert.
Earlier this week I was helping a customer get signed host certs working in OCI - we needed to delete the self-signed cert, install the root cert, 2 intermediate CA certs, and the host cert.
Matt
Hello Matt,
As far as I can see, I don't have many choices for installing certificates, as it's an appliance that I don't have root access on.
I tried to install them separately, starting with the root authority, but the same message appears.
François
Francois,
You might need a certificate authority (local). Once you provide them the existing OCUM certificate and the server name, in my case they provided a full chain p7b, which was later converted to PEM format and later renamed to .cer.
It sometimes needs troubleshooting with someone knowledgeable on the CA side.
Please advise.
Thanks.
Francois,
I just ran into the same issue as you did with OCUM 6.2 and was able to resolve it. Your CA probably issues certs in a .p7b format. So what you need to do is convert the file to .cer via OpenSSL. Below are the commands:
openssl pkcs7 -print_certs -in <path to .p7b> -out <path to .cer>
Once I converted the certificate, it imported successfully.
Thanks!
And an addition to the order of the file you are importing. The cert data must be in a specific order, what I will call "inside out".
<start PEM cert chain file, this line should not be included in the cert chain file>
OPM or UM host cert (PEM format)
Intermediate #1 (if present, PEM format)
Intermediate #2 (if present, PEM format)
Intermediate … (if needed, PEM format)
Root (PEM format)
<end of PEM cert chain file, this line should not be included in the cert chain file>
You will need at least two entries in the cert chain file: OPM or UM (host) and the Root (CA cert).
The error message "a valid full certificate chain from the host certificate to the certificate authority's certificate must be provided." alludes to this "inside-out" format, which is why I added the clarification above.
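An added example, not posted by anyone in this thread: `openssl pkcs7 -print_certs` writes a `subject=` and `issuer=` line before each PEM block and keeps whatever order the .p7b had, so the sketch below reorders that output into the host-first, root-last order described above and fails if the chain never reaches a self-signed root. The sample input is constructed (placeholder bodies, hypothetical names), matching is by DN text only, and no signatures are verified.

```python
import re

# Constructed sample: the shape of `openssl pkcs7 -print_certs` output, with
# placeholder bodies instead of real certificates and the root listed first.
SAMPLE = """\
subject=CN = Example Root CA
issuer=CN = Example Root CA

-----BEGIN CERTIFICATE-----
Uk9PVA==
-----END CERTIFICATE-----

subject=CN = um.example.com
issuer=CN = Example Issuing CA

-----BEGIN CERTIFICATE-----
SE9TVA==
-----END CERTIFICATE-----

subject=CN = Example Issuing CA
issuer=CN = Example Root CA

-----BEGIN CERTIFICATE-----
SU5URVI=
-----END CERTIFICATE-----
"""

ENTRY = re.compile(r"subject=([^\n]*)\nissuer=([^\n]*)\n\s*"
                   r"(-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----)", re.S)

def order_chain(text):
    """Return the PEM blocks ordered host -> intermediates -> root."""
    certs = [(s.strip(), i.strip(), pem) for s, i, pem in ENTRY.findall(text)]
    by_subject = {s: (i, pem) for s, i, pem in certs}
    issuers = {i for s, i, _ in certs if s != i}
    # The host cert is the only one that issued nothing else in the file.
    leaves = [s for s, _, _ in certs if s not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"expected one host certificate, found {len(leaves)}")
    chain, current = [], leaves[0]
    while current in by_subject and len(chain) < len(certs):
        issuer, pem = by_subject[current]
        chain.append(pem)
        if issuer == current:  # self-signed root reached: chain is complete
            return chain
        current = issuer
    raise ValueError(f"chain is incomplete, no certificate for: {current}")

if __name__ == "__main__":
    print("\n".join(order_chain(SAMPLE)))  # body of the chain file to import
```

The joined result also drops the `subject=`/`issuer=` text lines, leaving only the PEM blocks.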