
Troubleshooting Certificate Chain Issues Required for OpenManage Enterprise Migration

Summary: OpenManage Enterprise administrators may run across several errors during the certificate chain upload (CGEN1008 and CSEC9002) and connection verification stage. The following is a guide to help OpenManage Enterprise administrators in the event they run across errors during this stage of the migration process. ...


Article Content


Instructions

The appliance migration process leverages mutual TLS (mTLS). This type of mutual authentication is used within a Zero Trust security framework where nothing is trusted by default.
 
In a typical TLS exchange, the server holds the TLS certificate and the public and private key pair. The client verifies the server certificate and then proceeds with exchanging information over an encrypted session. With mTLS, both the client and the server verify each other's certificate before they begin to exchange any data.
mTLS client and server communication diagram 
Any OpenManage Enterprise appliance that leverages a third-party signed certificate is required to upload the certificate chain before proceeding with a migration operation. A certificate chain is an ordered list of certificates containing an SSL/TLS Certificate and Certificate Authority (CA) Certificates. The chain begins with the stand-alone certificate, and each certificate in the chain is signed by the entity identified by the next certificate in the chain.
  • Certificate = CA signed certificate (stand-alone)
  • Certificate Chain = CA signed certificate + intermediate CA certificate (if any) + root CA certificate
The certificate chain must meet the following requirements; otherwise, the administrator is presented with errors.
 

Certificate Chain Requirements for Migration 

  1. Certificate Signing Request key matches - During the certificate upload, the Certificate Signing Request (CSR) key is checked. OpenManage Enterprise only supports uploading certificates that were requested using the Certificate Signing Request (CSR) generated by that appliance. This validation check is performed during an upload for both a single server-certificate and a certificate chain.
  2. Certificate encoding - The certificate file requires Base 64 encoding. When saving the exported certificate from the certificate authority, ensure that Base 64 encoding is used; otherwise, the certificate file is considered invalid.
  3. Validate certificate enhanced key usage - Check to ensure that key usage is enabled for both Server Authentication and Client Authentication. This is because the migration is two-way communication between both the source and target where either can act as a server and a client during the information exchange. For single server-certificates, only the server authentication is required.
  4. Certificate is enabled for key encipherment - Certificate template used to generate the certificate must include key encipherment. This ensures that the keys in the certificate can be used to encrypt communication.
  5. Certificate Chain with root certificate - The certificate contains the full chain, including the root certificate. This is required for the source and the target to ensure both can be trusted. The root certificate is added to each appliance's trusted root store. IMPORTANT: OpenManage Enterprise supports a maximum of 10 leaf certificates within the certificate chain.
  6. Issued to and issued by - The root certificate is used as the trust anchor, and then used to validate all certificates in the chain against that trust anchor. Ensure that the certificate chain includes the root certificate.
Example certificate chain
Issued To          | Issued By
OMENT (appliance)  | Inter-CA1
Inter-CA1          | Root-CA
Root-CA            | Root-CA


Certificate Chain Upload Operation

Once the full certificate chain has been acquired, the OpenManage Enterprise administrator must upload the chain through the web UI - 'Application Settings -> Security -> Certificates.'
 
If the certificate does not meet the requirements, one of the following errors is shown in the web UI:
  • CGEN1008 - Unable to process the request because an error occurred
  • CSEC9002 - Unable to upload the certificate because the certificate file provided is invalid.
The following sections highlight the errors, conditional triggers, and how to remediate.

CGEN1008 - Unable to process the request because an error occurred.

CGEN1008 - Unable to process the request because an error occurred.
Retry the operation. If the issue persists, contact your system administrator.
Certificate upload error CGEN1008 Unable to process the request because an error occurred 
The CGEN1008 error is displayed if any of the following error conditions are met:
  • Invalid CSR key for the certificate chain
    • Ensure that the certificate was generated using the CSR from the OpenManage Enterprise web UI. OpenManage Enterprise does not support uploading a certificate that was not generated using the CSR from the same appliance.
    • The following error is seen in the tomcat application log located in the console log bundle:
./tomcat/application.log

[ERROR] 2024-01-25 11:10:34.735 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-10] SSLController - uploadNewCertificateChain():
 Error uploading certificate chain: {"error":{"code":"Base.1.0.GeneralError",
"message":"A general error has occurred. See ExtendedInfo for more information.","@Message.ExtendedInfo":[{"MessageId":"CGEN1008","RelatedProperties":[],
"Message":"Unable to process the request because an error occurred.",
"MessageArgs":["Invalid CSR key."],
"Severity":"Critical","Resolution":"Retry the operation. If the issue persists, contact your system administrator."}]}}
  • Invalid certificate chain
    • The root and all intermediate certificate authorities' certificates must be included within the certificate.
    • The following error is seen in the tomcat application log located in the console log bundle:
./tomcat/application.log

[ERROR] 2024-01-25 11:04:56.396 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-1] SSLController - uploadNewCertificateChain():
 Error uploading certificate chain: {"error":{"code":"Base.1.0.GeneralError",
"message":"A general error has occurred. See ExtendedInfo for more information.","@Message.ExtendedInfo":[{"MessageId":"CGEN1008","RelatedProperties":[],
"Message":"Unable to process the request because an error occurred.",
"MessageArgs":["Invalid certificate chain provided."],
"Severity":"Critical","Resolution":"Retry the operation. If the issue persists, contact your system administrator."}]}}
  • No Common Name found in the leaf certificate - All certificates must include the common names and not contain any wildcards (*).
NOTE: OpenManage Enterprise does not support wildcard (*) certificates. Generating a CSR from the web UI using a wildcard (*) in the distinguished name generates the following error:
CGEN6002 - Unable to complete the request because the input value for DistinguishedName is missing or an invalid value is entered.
Certificate upload error CGEN6002 Unable to complete the request because the input value for DistinguishedName is missing or an invalid value is entered 
  • No Client and Server Authentication Extended Key Usage (EKU) is present in leaf certificate
    • The certificate must include both Server and Client authentication for extended key usage.
    • The following error is seen in the tomcat application log located in the console log bundle:
./tomcat/application.log

[ERROR] 2024-01-25 10:56:54.175 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-17] SSLController - uploadNewCertificateChain():
 Error uploading certificate chain: {"error":{"code":"Base.1.0.GeneralError",
"message":"A general error has occurred. See ExtendedInfo for more information.","@Message.ExtendedInfo":[{"MessageId":"CGEN1008","RelatedProperties":[],
"Message":"Unable to process the request because an error occurred.",
"MessageArgs":["No Client/Server authentication EKU present in leaf certificate."],
"Severity":"Critical","Resolution":"Retry the operation. If the issue persists, contact your system administrator."}]}}
  • Review the certificate details for enhanced key usage. If either is missing, ensure that the template used to generate the certificate is enabled for both.
Certificate details showing enhanced key usage for both server and client authentication 
  • Missing key encipherment for key usage
    • The certificate being uploaded must have the key encipherment listed for key usage.
    • The following error is seen in the tomcat application log located in the console log bundle:
./tomcat/application.log

[ERROR] 2024-01-25 11:01:01.475 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-3] SSLController - uploadNewCertificateChain():
 Error uploading certificate chain: {"error":{"code":"Base.1.0.GeneralError","message":"A general error has occurred.
 See ExtendedInfo for more information.","@Message.ExtendedInfo":[{"MessageId":"CGEN1008","RelatedProperties":[],
"Message":"Unable to process the request because an error occurred.",
"MessageArgs":["User Certificate is not a web server certificate."],
"Severity":"Critical","Resolution":"Retry the operation. If the issue persists, contact your system administrator."}]}}
  • Review the certificate details for key usage. Ensure the template used to generate the certificate has key encipherment enabled.
Certificate details showing key usage for key encipherment 
 

CSEC9002 - Unable to upload the certificate because the certificate file provided is invalid.

CSEC9002 - Unable to upload the certificate because the certificate file provided is invalid.
Make sure the CA certificate and private key are correct and retry the operation.
Certificate upload error CSEC9002 Unable to upload the certificate because the certificate file provided is invalid.
 
The CSEC9002 error is displayed if any of the following error conditions are met: 
  • Server-certificate missing key encipherment
    • Ensure the template used to generate the certificate has key encipherment enabled. When leveraging a certificate for migration, ensure that the full certificate chain is uploaded rather than the single server-certificate.
    • The following error is seen in the tomcat application log located in the console log bundle:
./tomcat/application.log

[ERROR] 2024-01-29 08:03:05.200 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-3] SSLController - {"error":{"code":"Base.1.0.GeneralError",
"message":"A general error has occurred. See ExtendedInfo for more information.","@Message.ExtendedInfo":[{"MessageId":"CSEC9002","RelatedProperties":[],
"Message":"Unable to upload the certificate because the certificate file provided is invalid.",
"MessageArgs":[],"Severity":"Critical","Resolution":"Make sure the CA certificate and private key are correct and retry the operation."}]}}
  • Certificate file contains wrong encoding
    • Ensure that the certificate file was saved using Base 64 encoding.
    • The following error is seen in the tomcat application log located in the console log bundle:
./tomcat/application.log

[ERROR] 2024-01-29 08:03:05.200 [ajp-nio-0:0:0:0:0:0:0:1-8009-exec-3] SSLController - {"error":{"code":"Base.1.0.GeneralError",
"message":"A general error has occurred. See ExtendedInfo for more information.","@Message.ExtendedInfo":[{"MessageId":"CSEC9002","RelatedProperties":[],
"Message":"Unable to upload the certificate because the certificate file provided is invalid.",
"MessageArgs":[],"Severity":"Critical","Resolution":"Make sure the CA certificate and private key are correct and retry the operation."}]}}
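
The CGEN1008 and CSEC9002 conditions above can be told apart only by the MessageId and MessageArgs fields in ./tomcat/application.log. The following triage script is an added example, not Dell code: it assumes records start with a bracketed level and timestamp and may be wrapped across lines as in the excerpts, and its sample log is constructed with trimmed JSON.

```python
import json
import re

# Start of an application.log record: "[LEVEL] YYYY-MM-DD hh:mm:ss.mmm ..."
RECORD_START = re.compile(r"^\[[A-Z]+\] (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) ")

# CGEN1008 MessageArgs text -> condition, as listed in this article.
CGEN1008_CAUSES = {
    "Invalid CSR key.": "certificate was not issued from this appliance's CSR",
    "Invalid certificate chain provided.": "root or intermediate CA certificate missing",
    "No Client/Server authentication EKU present in leaf certificate.": "leaf lacks Server/Client Auth EKU",
    "User Certificate is not a web server certificate.": "key usage lacks key encipherment",
}
CSEC9002_CAUSE = "server certificate lacks key encipherment, or file is not Base 64 encoded"

# Constructed sample (not from a real appliance); JSON trimmed, wrapped like the excerpts.
SAMPLE = """\
[ERROR] 2024-01-25 11:10:34.735 [ajp-nio-exec-10] SSLController - uploadNewCertificateChain():
 Error uploading certificate chain: {"error":{"code":"Base.1.0.GeneralError",
"@Message.ExtendedInfo":[{"MessageId":"CGEN1008","RelatedProperties":[],
"MessageArgs":["Invalid CSR key."],"Severity":"Critical"}]}}
[INFO] 2024-01-25 11:10:35.001 [main] SSLController - constructed unrelated line
[ERROR] 2024-01-29 08:03:05.200 [ajp-nio-exec-3] SSLController - {"error":{
"@Message.ExtendedInfo":[{"MessageId":"CSEC9002","MessageArgs":[],"Severity":"Critical"}]}}
"""

def triage(log_text):
    """Return [(timestamp, MessageId, cause)] for certificate upload errors."""
    records = []
    for line in log_text.splitlines():
        if RECORD_START.match(line):
            records.append(line)
        elif records and line.strip():
            records[-1] += line  # continuation of a wrapped record
    findings = []
    for rec in records:
        start = rec.find("{")
        try:
            body = json.loads(rec[start:]) if start >= 0 else {}
        except json.JSONDecodeError:
            continue  # not a JSON error payload
        for info in body.get("error", {}).get("@Message.ExtendedInfo", []):
            msg_id, args = info.get("MessageId"), info.get("MessageArgs") or []
            cause = CSEC9002_CAUSE if msg_id == "CSEC9002" else None
            if msg_id == "CGEN1008":
                cause = CGEN1008_CAUSES.get(args[0] if args else "", f"unlisted MessageArgs {args}")
            if cause:
                findings.append((RECORD_START.match(rec).group(1), msg_id, cause))
    return findings
```

CSEC9002 records carry an empty MessageArgs list, so the log alone cannot distinguish a missing key encipherment bit from a wrongly encoded file; check the certificate itself for both.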

Migration Connection Verification Operation

After successfully uploading the certificate chain, the migration process can proceed with the next step - establishing connection between the source and target consoles. In this step, the OpenManage Enterprise administrator provides the IP address and local administrator credentials for the source and target consoles.
 
The following items are checked when validating the connection:
  • Issued to and issued by - The certificate authorities in the source chain and in the target chain must have the same 'issued to' and 'issued by' names. If these names do not match, the source or the target cannot verify that the same signing authorities issued the certificates. This is crucial to adhering to the Zero-Trust security framework.
Valid certificate chain between source and target
Source: Issued To   | Source: Issued By | Match | Target: Issued To   | Target: Issued By
OMENT-310 (source)  | Inter-CA1         | <->   | OMENT-400 (target)  | Inter-CA1
Inter-CA1           | Root-CA           | <->   | Inter-CA1           | Root-CA
Root-CA             | Root-CA           | <->   | Root-CA             | Root-CA

Invalid certificate chain between source and target
Source: Issued To   | Source: Issued By | Match | Target: Issued To   | Target: Issued By
OMENT-310 (source)  | Inter-CA1         | X     | OMENT-400 (target)  | Inter-CA2
Inter-CA1           | Root-CA           | X     | Inter-CA2           | Root-CA
Root-CA             | Root-CA           | <->   | Root-CA             | Root-CA
 
  • Validity period - The certificate validity period is checked against the date and time of the appliance.
  • Maximum depth - The certificate chain must not exceed the maximum depth of 10 leaf certificates.
If the certificates do not meet the above requirements, the following error is seen when trying to validate the console connections:
Unable to mutually authenticate and connect to the remote appliance.
Please check the source and target appliances has valid certificate chain uploaded which are signed by the same CA.
Migration connection validation error - Unable to mutually authenticate and connect to remote appliance. 
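
The 'issued to' and 'issued by' comparison and the depth limit described above can be checked before attempting the connection. The following is an added example, not Dell code: it compares names only, as the tables do (it does not verify signatures or validity dates), it assumes the names have already been read from each certificate, and it applies the limit of 10 to the chain length.

```python
MAX_DEPTH = 10  # the article's limit, applied here to the chain length (assumption)

# (issued_to, issued_by) pairs, leaf first, copied from the article's tables.
SOURCE = [("OMENT-310", "Inter-CA1"), ("Inter-CA1", "Root-CA"), ("Root-CA", "Root-CA")]
TARGET_OK = [("OMENT-400", "Inter-CA1"), ("Inter-CA1", "Root-CA"), ("Root-CA", "Root-CA")]
TARGET_BAD = [("OMENT-400", "Inter-CA2"), ("Inter-CA2", "Root-CA"), ("Root-CA", "Root-CA")]

def chain_problems(chain):
    """Check one chain's ordering, root and depth; return a list of problems."""
    if not chain:
        return ["no certificates supplied"]
    problems = []
    if len(chain) > MAX_DEPTH:
        problems.append(f"{len(chain)} certificates exceeds the maximum depth of {MAX_DEPTH}")
    # Each certificate must be issued by the subject of the next one in the list.
    for (subject, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            problems.append(f"{subject} is issued by {issuer} but is followed by {next_subject}")
    root_subject, root_issuer = chain[-1]
    if root_subject != root_issuer:
        problems.append(f"chain stops at {root_subject}; root {root_issuer} is missing")
    return problems

def migration_problems(source, target):
    """Problems that would block mutual authentication between two consoles."""
    problems = [f"source: {p}" for p in chain_problems(source)]
    problems += [f"target: {p}" for p in chain_problems(target)]
    src_cas, tgt_cas = source[1:], target[1:]  # everything above the leaf
    if len(src_cas) != len(tgt_cas):
        problems.append("source and target chains have different numbers of CA certificates")
    for level, (s, t) in enumerate(zip(src_cas, tgt_cas), start=1):
        if s != t:
            problems.append(f"CA level {level} differs: source {s[0]}, target {t[0]}")
    # The leaf certificates must also name the same issuing CA.
    if source and target and source[0][1] != target[0][1]:
        problems.append(f"leaf issuers differ: {source[0][1]} vs {target[0][1]}")
    return problems

if __name__ == "__main__":
    for problem in migration_problems(SOURCE, TARGET_BAD):
        print(problem)
```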

Bypass Certificate Chain Requirement

If there are continued issues meeting the certificate chain requirements, there is a supported method that can be used to leverage the self-signed certificates. Proceed with leveraging the backup and restore feature as outlined in the following article:

https://www.dell.com/support/kbdoc/en-us/000223239/openmanage-enterprise-administrators-may-run-across-several-errors-during-the-certificate-chain-upload-cgen1008-and-csec9002-report-challenges-in-procuring-a-certificate-chain-required-by-openmanage-enterprise-ome-4-0-x-for-the-migration-featur  

Article Properties


Affected Product

Dell EMC OpenManage Enterprise

Last Published Date

25 April 2024

Version

3

Article Type

How To