Layer7 Access Management

Expand all | Collapse all

Certificate Import in SiteMinder

Jump to Best Answer
  • 1.  Certificate Import in SiteMinder

    Posted 09-06-2017 01:57 AM

    We are trying to import a certificate in SiteMinder Certificate Data Store via Adminui-X509 Certificate Management.

    Upon importing it gives an error as,

    1. Error reading private key file

    2. This is an expired certificate and cannot be added to the Certificate Data Store.

    1st error comes when we are importing it as a separate key and cert file.

    2nd error comes when we are importing it in p12 format.

    This certificate is not expired and is in use elsewhere as well, without any error.

    e.g. We are using it as an SSL certificate and there we have no errors in SSL transactions.

     

    What could be the possible reason for this error ? Please suggest.

     

    Regards,

    Anurag



  • 2.  Re: Certificate Import in SiteMinder

    Posted 09-07-2017 12:49 AM

    Hi Anurag,


    For the expired certificate error, can you validate your p12 certificate using key store and confirm it's not expired ?

    C:\Program Files\Java\jdk1.8.0_131\bin> keytool -list -keystore ujwol.pfx -storepass siteminder -storetype PKCS12 -v
    Keystore type: PKCS12
    Keystore provider: SunJSSE
    Your keystore contains 1 entry
    Alias name: le-eeee6be7-3d48-498f-8888-43f30f7adef7
    Creation date: 07/09/2017
    Entry type: PrivateKeyEntry
    Certificate chain length: 2
    Certificate[1]:
    Owner: EMAILADDRESS=sgdgs@ca.com, CN=Ujwol Shrestha, CN=Users, DC=ad12, DC=lab
    Issuer: CN=ad12-SHRUJ01-I2077-CA, DC=ad12, DC=lab
    Serial number: 1400000016c093d34009ff8787000000000016
    Valid from: Fri May 05 16:55:00 AEST 2017 until: Sat May 05 16:55:00 AEST 2018
    Certificate fingerprints:
    MD5: B6:6A:AF:16:9B:8B:8C:CE:7C:F9:A8:22:56:9E:41:0B
    SHA1: DB:AC:9D:2B:21:D7:AB:C2:6B:8B:80:AB:6F:8D:AA:67:BF:EF:20:65
    SHA256: 15:A2:2E:DE:8E:03:97:BC:E6:67:3D:0F:AF:21:A1:3C:8A:FC:E6:CB:EB:6C:E9:11:A4:16:4F:66:28:3A:CC:47
    Signature algorithm name: SHA1withRSA
    Version: 3
    Extensions:

     

    Regards,

    Ujwol



  • 3.  Re: Certificate Import in SiteMinder

    Posted 09-07-2017 04:03 AM

    Hi Ujwol,

     

    I ran this command and noticed the output as below (in the end).

    Keystore contains 1 entry with Certificate chain length: 2.

    Certificate 1 is not expired but Certificate 2 is in expired state.

    So this looks like to be the issue, right ?

     

    I have few queries from PKI perspective, if you can please help.

    Will this expired certificate in the chain make this certificate completely unusable ?

    Is there a way to remove this expired certificate chain and still have this certificate (Public/Private Key) valid and then import it in SiteMinder ?

     

    Also, a brief history of this certificate import.

    This certificate was originally in JKS format. From where I imported it to PKCS12 format using Keytool.

    I just imported the specific alias which I needed.

    keytool -importkeystore -alias TestCert -srckeystore Test.jks -destkeystore Test.p12 -destkeypass password -deststoretype PKCS12

     

    Output:

     

    Keystore type: PKCS12
    Keystore provider: SunJSSE

    Your keystore contains 1 entry

    Alias name: ####
    Creation date: ####
    Entry type: PrivateKeyEntry
    Certificate chain length: 2

     

    Certificate[1]:
    ####Details####
    Valid from: Still Valid
    Signature algorithm name: SHA1withRSA

     

    Certificate[2]:
    ####Details####
    Valid from: EXPIRED Date
    Signature algorithm name: MD5withRSA

     

    Regards,

    Anurag



  • 4.  Re: Certificate Import in SiteMinder
    Best Answer

    Posted 09-07-2017 04:09 AM

    Q. Certificate 1 is not expired but Certificate 2 is in expired state.

    So this looks like to be the issue, right ?

     

    Ujwol => Correct. 

     

    Q. Will this expired certificate in the chain make this certificate completely unusable ?

    Is there a way to remove this expired certificate chain and still have this certificate (Public/Private Key) valid and then import it in SiteMinder ?

     

    Ujwol => Yes. For a certificate to be valid, all its intermediate certificate chain needs to be valid as well.