2015-04-09 04:29 AM - edited 2015-04-09 04:30 AM
I tried to install certificates in PEM format on an OCUM 6.2 appliance.
The following message appears even though the certificate chain is integrated in the file.
"a valid full certificate chain from the host certificate to the certificate authority's certificate must be provided."
I don't know what's happening here or how to solve this.
2015-04-09 06:28 AM
I am not an OCUM guy, but I know a thing or two about PKI.
That error message basically is saying that you are trying to install a host cert into a system, but that system's certificate store does NOT trust the signing authority that the host cert was signed by. Windows has its own cert store, but applications may have their own - I am an OCI SE, and OCI has its own Java keystore that by default has a self-signed cert in it to support SSL.
You may need to first install the signing certificate authority's public cert into OCUM before the host cert.
Most serious certificate deployments involve an offline root authority, and the day to day certificates are signed by intermediate certificate authorities.
You may need to install both the intermediate CA certs, as well as the root CA cert (if the root is not already trusted), before installing the host cert.
Earlier this week I was helping a customer get signed host certs working in OCI - we needed to delete the self-signed cert, install the root cert, 2 intermediate CA certs, and the host cert.
2015-04-09 06:54 AM - edited 2015-04-09 07:12 AM
As far as I can see, I don't have many choices for installing certificates, as it's an appliance that I don't have root access on.
I tried to install them separately, starting with the root authority, but the same message appears.
2015-04-16 09:43 AM
You might need a certificate authority (local), once you provide them the existing OCUM certificate and the server name, in my case provided a full chain p7b which was later converted to PEM format and later renamed to .cer.
It sometimes needs troubleshooting with someone knowledgeable on the CA side.
2015-07-10 06:06 AM - edited 2015-07-10 06:09 AM
I just ran into the same issue as you did with OCUM 6.2 and was able to resolve it. Your CA probably issues certs in a .p7b format. So what you need to do is convert the file to .cer via OpenSSL. Below is the command:
openssl pkcs7 -print_certs -in <path to .p7b> -out <path to .cer>
Once I converted the certificate, it imported successfully.
2015-07-21 06:59 AM - edited 2015-07-22 06:57 AM
And an addition about the order of the file you are importing. The cert data must be in a specific order, which I will call "inside out".
<start PEM cert chain file, this line should not be included in the cert chain file>
OPM or UM host cert (PEM format)
Intermediate #1 (if present, PEM format)
Intermediate #2 (if present, PEM format)
Intermediate … (if needed, PEM format)
Root (PEM format)
<end of PEM cert chain file, this line should not be included in the cert chain file>
You will need at least two entries in the cert chain file: OPM or UM (host) and the Root (CA cert).
The error message "a valid full certificate chain from the host certificate to the certificate authority's certificate must be provided." alludes to this "inside-out" format, which is why I added the clarification above.
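The "inside out" order described in the last post can be checked before uploading the file. The script below is an added example, not part of the original thread and not NetApp code: it reads a PEM bundle and confirms that each certificate's issuer matches the subject of the certificate after it and that the last one is self-issued. It assumes a byte-for-byte comparison of the DER-encoded names is good enough, does not verify signatures or validity dates, and its function names are made up for this example.

```python
import base64
import re
import sys

# Text outside the BEGIN/END markers (for example the subject=/issuer= lines
# that "openssl pkcs7 -print_certs" writes) is ignored.
PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def names(der):
    """Return (issuer, subject) of one X.509 certificate as raw DER bytes."""
    _, pos, _ = tlv(der, 0)                 # Certificate SEQUENCE
    _, pos, end = tlv(der, pos)             # TBSCertificate SEQUENCE
    fields = []
    while pos < end and len(fields) < 6:
        tag, _, stop = tlv(der, pos)
        fields.append((tag, der[pos:stop]))
        pos = stop
    if fields[0][0] == 0xA0:                # optional explicit [0] version field
        fields.pop(0)
    # Remaining order: serialNumber, signature, issuer, validity, subject
    return fields[2][1], fields[4][1]

def check_chain(pem_bytes):
    """Return a list of ordering problems; an empty list means host first, root last."""
    certs = [names(base64.b64decode(b)) for b in PEM_RE.findall(pem_bytes)]
    if len(certs) < 2:
        return ["need at least the host certificate and the root certificate"]
    problems = []
    for i in range(len(certs) - 1):
        if certs[i][0] != certs[i + 1][1]:  # issuer of i must equal subject of i+1
            problems.append(f"certificate {i + 1} is not issued by certificate {i + 2}")
    if certs[-1][0] != certs[-1][1]:
        problems.append("last certificate is not self-issued, so it is not a root")
    return problems

if __name__ == "__main__":
    with open(sys.argv[1], "rb") as fh:
        issues = check_chain(fh.read())
    print("\n".join(issues) or "order OK: host first, root last")
    sys.exit(1 if issues else 0)
```

Run it with the path to the chain file as the only argument; a non-zero exit status means the order does not match the layout above.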