Symantec Access Management

We are trying to import a certificate in SiteMinder Certificate Data Store via Adminui-X509 Certificate Management.

Upon importing it gives an error as,

1. Error reading private key file

2. This is an expired certificate and cannot be added to the Certificate Data Store.

1st error comes when we are importing it as a separate key and cert file.

2nd error comes when we are importing it in p12 format.

This certificate is not expired and is in use elsewhere as well, without any error.

e.g. We are using it as an SSL certificate and there we have no errors in SSL transactions.

What could be the possible reason for this error ? Please suggest.

Regards,

Anurag

Hi Anurag,

For the expired certificate error, can you validate your p12 certificate using key store and confirm it's not expired ?

C:\Program Files\Java\jdk1.8.0_131\bin> keytool -list -keystore ujwol.pfx -storepass siteminder -storetype PKCS12 -v
Keystore type: PKCS12
Keystore provider: SunJSSE
Your keystore contains 1 entry
Alias name: le-eeee6be7-3d48-498f-8888-43f30f7adef7
Creation date: 07/09/2017
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: EMAILADDRESS=sgdgs@ca.com, CN=Ujwol Shrestha, CN=Users, DC=ad12, DC=lab
Issuer: CN=ad12-SHRUJ01-I2077-CA, DC=ad12, DC=lab
Serial number: 1400000016c093d34009ff8787000000000016
Valid from: Fri May 05 16:55:00 AEST 2017 until: Sat May 05 16:55:00 AEST 2018
Certificate fingerprints:
 MD5: B6:6A:AF:16:9B:8B:8C:CE:7C:F9:A8:22:56:9E:41:0B
 SHA1: DB:AC:9D:2B:21:D7:AB:C2:6B:8B:80:AB:6F:8D:AA:67:BF:EF:20:65
 SHA256: 15:A2:2E:DE:8E:03:97:BC:E6:67:3D:0F:AF:21:A1:3C:8A:FC:E6:CB:EB:6C:E9:11:A4:16:4F:66:28:3A:CC:47
 Signature algorithm name: SHA1withRSA
 Version: 3
Extensions:

Regards,

Ujwol

Hi Ujwol,

I ran this command and noticed the output as below (in the end).

Keystore contains 1 entry with Certificate chain length: 2.

Certificate 1 is not expired but Certificate 2 is in expired state.

So this looks like to be the issue, right ?

I have few queries from PKI perspective, if you can please help.

Will this expired certificate in the chain make this certificate completely unusable ?

Is there a way to remove this expired certificate chain and still have this certificate (Public/Private Key) valid and then import it in SiteMinder ?

Also, a brief history of this certificate import.

This certificate was originally in JKS format. From where I imported it to PKCS12 format using Keytool.

I just imported the specific alias which I needed.

keytool -importkeystore -alias TestCert -srckeystore Test.jks -destkeystore Test.p12 -destkeypass password -deststoretype PKCS12

Output:

 

Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

Alias name: ####
Creation date: ####
Entry type: PrivateKeyEntry
Certificate chain length: 2

 

Certificate[1]:
####Details####
Valid from: Still Valid
Signature algorithm name: SHA1withRSA

 

Certificate[2]:
####Details####
Valid from: EXPIRED Date
Signature algorithm name: MD5withRSA

Regards,

Anurag

Q. Certificate 1 is not expired but Certificate 2 is in expired state.

So this looks like to be the issue, right ?

Ujwol => Correct. 

Q. Will this expired certificate in the chain make this certificate completely unusable ?

Is there a way to remove this expired certificate chain and still have this certificate (Public/Private Key) valid and then import it in SiteMinder ?

Ujwol => Yes. For a certificate to be valid, all its intermediate certificate chain needs to be valid as well.