
Install https certificate on OCUM server appliance 6.2

francoisbnc

I tried to install a certificate in PEM format on an OCUM 6.2 appliance.

The following message appears though the certificate chain is integrated in the file.

"a valid full certificate chain from the host certificate to the certificate authority's certificate must be provided."

I don't know what's happening here and how to solve this.

 

Help appreciated.

Regards,

François

 

 

1 ACCEPTED SOLUTION

Francois,

 

I just ran into the same issue as you did with OCUM 6.2 and was able to resolve it. Your CA probably issues certs in a .p7b format. So what you need to do is convert the file to .cer via OpenSSL. Below are the commands:

 

openssl pkcs7 -print_certs -in <path to .p7b> -out <path to .cer>

 

Once I converted the certificate, it imported successfully.

 

Thanks!


5 REPLIES 5

ostiguy

Hey Francois,

 

I am not an OCUM guy, but I know a thing or two about PKI.

 

That error message basically is saying that you are trying to install a host cert into a system, but that system's certificate store does NOT trust the signing authority that the host cert was signed by. Windows has its own cert store, but applications may have their own - I am an OCI SE, and OCI has its own java keystore that by default has a self-signed cert in it to support SSL.

 

You may need to first install the signing certificate authority's public cert into OCUM before the host cert.

 

Most serious certificate deployments involve an offline root authority, and the day to day certificates are signed by intermediate certificate authorities.

 

You may need to install both the intermediate CA certs, as well as the root CA cert (if the root is not already trusted), before installing the host cert.

Earlier this week I was helping a customer get signed host certs working in OCI - we needed to delete the self signed cert, install the root cert, 2 intermediate CA certs, and the host cert.

 

Matt

francoisbnc

Hello Matt,

As far as I can see, I don't have many choices for installing certificates, as it's an appliance on which I don't have root access.

I tried to install them separately, starting with the root authority, but the same message appears.

François


trentino123

Francois,

 

You might need a certificate authority (local), once you provide them the existing OCUM certificate and the server name, in my case provided a full chain p7b which was later converted to PEM format and later renamed to .cer.

 

It sometimes needs troubleshooting with someone knowledgeable on the CA side.

 

Please advise.

 

Thanks.


marz

And an addition regarding the order of the file you are importing. The cert data must be in a specific order, what I will call "inside out".

 

<start PEM cert chain file, this line should not be included in the cert chain file>
OPM or UM host cert (PEM format)
Intermediate #1 (if present, PEM format)
Intermediate #2 (if present, PEM format)
Intermediate … (if needed, PEM format)
Root (PEM format)
<end of PEM cert chain file, this line should not be included in the cert chain file>

You will need at least two entries in the cert chain file:  OPM or UM (host) and the Root (CA cert).

 

The error message "a valid full certificate chain from the host certificate to the certificate authority's certificate must be provided." alludes to this "inside-out" format, which is why I added the clarification above.
