Tuesday, 22 March 2016

Using valid certificates in iKeyman

To use a valid certificate in iKeyman there are a few important steps. The link below has some interesting material that helped me here at COPEL.


I was fighting with the right way to add a recent Verisign certificate to a keystore for the IBM HTTP Server (IHS). I have used the ikeyman utility on Solaris.

The problem indicator was the error message “SSL0208E: SSL Handshake Failed, Certificate validation error” in the SSL log of IHS.

The IBM websites were not really helpful to track down the problem (the missing stuff). The Verisign instructions did not lead to a working solution either.

What was done before: the Verisign Intermediate Certificates were imported as “Signer Certificates”, and the certificate for the webserver was imported within “Personal Certificates”. Without the signer certificates the personal certificate would not import due to an intermediate certificate missing (no valid trust-chain).

What I did to resolve the problem:

  •  I removed all Verisign certificates.
  •  I added the Verisign Root Certificate and the Verisign Intermediate Certificate A as a signer certificate (use the “Add” button). I also tried to add the Verisign Intermediate Certificate B, but it complained that some part of it was already there as part of the Intermediate Certificate A. I skipped this part.
  •  Then I converted the server certificate and key to a PKCS12 file via “openssl pkcs12 -export -in server-cert.arm -out cert-for-ihs.p12 -inkey server-key.arm -name name_for_cert_in_ihs”.
  •  After that I imported the cert-for-ihs.p12 as a “Personal Certificate”. The import dialog offers 3 items to import. I selected the “name_for_cert_in_ihs” and the one containing “cn=verisign class 3 public primary certification authority - g5” (when I selected the 3rd one too, it complained that a part of it was already imported with a different name).

With this modified keystore in place, I just had to select the certificate via “SSLServerCert name_for_cert_in_ihs” in the IHS config and the problem was fixed.
