ViPR SRM: CA Issued Certificates Fail to Install

Summary: Certificate Signing Request (CSR) was submitted to a third-party Certificate Authority (CA) and certificates were issued, however, these certificates were not able to be imported into SRM keystores to allow HTTPS URL access. ...


Symptoms

The formatting of the CA-signed certificates causes failures when they are imported into the ViPR SRM keystores/truststores.

Cause

The two CA signed certificates were provided in different formats. The Server certificate was generated in PKCS7 format, whereas the CA Root certificate was in the expected format.

Resolution

To resolve the issue the following steps were performed:
  • Transferred the two certificates that were provided by the CA to the SRM Frontend server: root_02_14.cer and server_02_14.p7b
  • As the root certificate was not wrapped at 64 characters per line (the PEM line width the keystore tooling expects), it needed to be converted using the following command:
/opt/APG/Java/Sun-JRE/<version>/bin # fold -w 64 root_02_14.cer > root_02_14-64.cer
  • cat the new certificate to confirm that the formatting is now correct. The file should begin with:
-----BEGIN CERTIFICATE-----
followed by the body of your certificate wrapped at 64 characters per line, and it will end as follows:
-----END CERTIFICATE-----
  • The Server certificate was in PKCS7 format which needed to be converted using the following command:
/opt/APG/Java/Sun-JRE/<version>/bin # openssl pkcs7 -print_certs -in server_02_14.p7b -out server_02_14.cer
  • cat the new server certificate to make sure that there are no extra lines at the beginning or end of the file. There should only be -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- with the base64-encoded certificate data between them (as shown above).
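The two conversions above (wrapping the root certificate at 64 columns and unpacking the PKCS#7 server certificate) and the "no extra lines" check can be scripted so that every CA-issued file is normalized and verified the same way before keytool sees it. The script below is an added example, not part of the Dell article; it assumes sed, fold and grep are available (openssl only for .p7b input), and the sample certificate file it builds is constructed filler, not a real certificate. It also strips the subject=/issuer= lines that openssl pkcs7 -print_certs writes in front of each certificate, which is the usual source of the "extra lines" the article warns about.

```shell
#!/bin/sh
# Added example, not part of the Dell article: put a CA-issued certificate into
# the single, 64-column PEM block that keytool -import expects, then check it.
# Assumes sed, fold, grep and (for .p7b input only) openssl are on PATH.
# All file names below are constructed for the demonstration.

# Filter: keep only the lines from -----BEGIN CERTIFICATE----- to
# -----END CERTIFICATE-----, dropping anything outside the markers, such as the
# "subject=" / "issuer=" lines that `openssl pkcs7 -print_certs` writes.
strip_to_pem() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p'
}

# normalize_cert IN OUT
#   PEM PKCS#7 bundle (.p7b) -> openssl pkcs7 -print_certs, then strip extra lines
#   PEM with an unwrapped body -> fold -w 64 (harmless on already-wrapped files)
# DER-encoded input is not handled here.
normalize_cert() {
    in="$1"; out="$2"
    if grep -q -- '-----BEGIN PKCS7-----' "$in"; then
        openssl pkcs7 -print_certs -in "$in" | strip_to_pem | fold -w 64 > "$out"
    else
        strip_to_pem < "$in" | fold -w 64 > "$out"
    fi
}

# check_pem_cert FILE: return 0 if FILE holds exactly one certificate with
# nothing before the BEGIN line or after the END line and no body line wider
# than 64 columns; otherwise print the reason and return 1.
check_pem_cert() {
    file="$1"
    [ "$(head -n 1 "$file")" = "-----BEGIN CERTIFICATE-----" ] \
        || { echo "$file: first line is not the BEGIN marker"; return 1; }
    [ "$(sed -n '$p' "$file")" = "-----END CERTIFICATE-----" ] \
        || { echo "$file: last line is not the END marker"; return 1; }
    n=$(grep -c -- '^-----BEGIN CERTIFICATE-----$' "$file" || true)
    [ "$n" -eq 1 ] \
        || { echo "$file: expected one certificate, found $n (split the bundle first)"; return 1; }
    if sed '1d;$d' "$file" | grep -q -- '.\{65\}'; then
        echo "$file: body line wider than 64 columns (run fold -w 64)"; return 1
    fi
    return 0
}

# Constructed sample standing in for a CA-issued file: a stray "subject=" line
# followed by a certificate whose base64 body sits on one 128-character line.
# (The body is filler, not a real certificate.)
make_sample() {
    dir=$(mktemp -d)
    {
        echo 'subject=CN=srm-frontend.example.invalid'
        echo '-----BEGIN CERTIFICATE-----'
        printf '%0128d\n' 0 | tr '0' 'A'
        echo '-----END CERTIFICATE-----'
    } > "$dir/root_raw.cer"
    echo "$dir/root_raw.cer"
}

raw=$(make_sample)
fixed="${raw%.cer}-64.cer"
normalize_cert "$raw" "$fixed"
check_pem_cert "$raw" || echo "raw file rejected, as expected"
check_pem_cert "$fixed" && echo "$fixed is ready for keytool -import"
```

On the real server you would call normalize_cert with the CA's files (for example root_02_14.cer and server_02_14.p7b) and only hand the outputs to keytool once check_pem_cert passes for each of them; a CA bundle containing several certificates is rejected on purpose, because each certificate should be imported under its own alias.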
At this point both the Root and Server certificates have been converted into .cer format. These certificates, root_02_14-64.cer and server_02_14.cer, will now be imported into the Tomcat keystore file (which was generated when the CSR was created and contains the private key). Use the following commands to complete these imports, Root first and then Server:
  1. /opt/APG/Java/Sun-JRE/<version>/bin # ./keytool -import -alias root -keystore /opt/APG/Web-Servers/Tomcat/Default/conf/.keystore -file root_02_14-64.cer
  2. /opt/APG/Java/Sun-JRE/<version>/bin # ./keytool -import -alias server -keystore /opt/APG/Web-Servers/Tomcat/Default/conf/.keystore -file server_02_14.cer
NOTE: you will be prompted to enter the keystore password and add the certificate (see example):
Enter keystore password:
Certificate already exists in keystore under alias <rootca> <-- you may or may not see this entry
Do you still want to add it? [no]: yes
Certificate was added to keystore

Once imported, verify that both aliases are present in the keystore:
/opt/APG/Java/Sun-JRE/<version>/bin # ./keytool -list -v -keystore /opt/APG/Web-Servers/Tomcat/Default/conf/.keystore > keystore-list.txt

grep "Alias name" keystore-list.txt

Next, confirm that the server.xml (located at /opt/APG/Web-Servers/Tomcat/Default/conf) is pointing to the correct .keystore entry:

<Connector port="58443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
keystoreFile="/opt/APG/Web-Servers/Tomcat/Default/conf/.keystore"
keystorePass="<your-password>" clientAuth="false" sslProtocols="TLSv1.2"
compression="2048" compressableMimeType="text/"
sslEnabledProtocols="TLSv1.2" URIEncoding="UTF-8"
ciphers="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
SSLDisableCompression="true" />

Restart the Tomcat server service.

Make sure that you have opened the 58443 port on the ViPR SRM Frontend server. This can be done by running the /usr/sbin/enable_firewall_port.sh TCP 58443 command.

Also navigate to the /etc/sysconfig/SuSEfirewall2.d/services/ directory and confirm that the apg.custom file contains an entry for the new secure port, 58443, so that on reboot of the VM the port gets opened.

Close all open browser sessions for ViPR SRM. Once Tomcat has restarted you should be able to launch a fresh browser instance and log into the ViPR SRM Frontend URL using the newly configured certificate and secure port, such as: https://<SRMFQDN>:58443/APG.
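The server.xml check, the keystore path and the persistent firewall entry are the three things that most often go wrong between a successful keytool import and a working HTTPS login, so they are worth checking together before the Tomcat restart. The script below is an added example, not from the Dell article or the SRM product; it assumes the HTTPS Connector is the one element in server.xml with SSLEnabled="true", and it assumes the SuSEfirewall2 service file lists ports on a TCP="..." line (that format is an assumption; the article only says apg.custom must contain an entry for the port). The sample server.xml and apg.custom it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the Dell article: checks to run before restarting
# Tomcat, covering the server.xml Connector and the persistent firewall entry.
# Assumptions: the HTTPS Connector is the one element with SSLEnabled="true",
# and the SuSEfirewall2 service file lists ports as TCP="port port ..."
# (the TCP= format is an assumption; the article only says the file must name the port).
# All sample files are constructed here for the demonstration.

# connector_attr SERVER_XML ATTR: print ATTR's value from the SSL-enabled
# Connector. Newlines are joined first because the element spans several lines.
connector_attr() {
    tr '\n' ' ' < "$1" \
      | grep -o '<Connector [^>]*SSLEnabled="true"[^>]*>' \
      | sed -n "s/.* $2=\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# port_persisted SERVICE_FILE PORT: succeed if PORT is listed on a TCP= line,
# i.e. the rule survives a reboot of the VM.
port_persisted() {
    grep -E "^TCP=\"([^\"]* )?$2( [^\"]*)?\"" "$1" > /dev/null
}

# verify_https_setup SERVER_XML SERVICE_FILE PORT: run every check, report each
# failure, and return non-zero if any of them failed.
verify_https_setup() {
    xml="$1"; fw="$2"; want="$3"; rc=0
    port=$(connector_attr "$xml" port)
    [ "$port" = "$want" ] \
        || { echo "Connector port is '$port', expected $want"; rc=1; }
    ks=$(connector_attr "$xml" keystoreFile)
    [ -n "$ks" ] && [ -f "$ks" ] \
        || { echo "keystoreFile '$ks' does not exist"; rc=1; }
    protos=$(connector_attr "$xml" sslEnabledProtocols)
    [ "$protos" = "TLSv1.2" ] \
        || { echo "sslEnabledProtocols is '$protos', expected TLSv1.2"; rc=1; }
    port_persisted "$fw" "$want" \
        || { echo "port $want is not in $fw; it will close again on reboot"; rc=1; }
    return $rc
}

# Constructed sample: a minimal server.xml with a connector like the article's
# and a firewall service file that already lists the port.
make_samples() {
    dir=$(mktemp -d)
    : > "$dir/.keystore"                     # stand-in for the Tomcat keystore
    cat > "$dir/server.xml" <<EOF
<Server>
  <Service>
    <Connector port="58443" protocol="HTTP/1.1" SSLEnabled="true"
      maxThreads="150" scheme="https" secure="true"
      keystoreFile="$dir/.keystore"
      keystorePass="EXAMPLE-PASSWORD" clientAuth="false"
      sslEnabledProtocols="TLSv1.2" URIEncoding="UTF-8" />
  </Service>
</Server>
EOF
    printf 'TCP="58080 58443"\n' > "$dir/apg.custom"
    echo "$dir"
}

d=$(make_samples)
if verify_https_setup "$d/server.xml" "$d/apg.custom" 58443; then
    echo "server.xml and firewall entry look right; safe to restart Tomcat"
fi
```

Against a real Frontend you would point verify_https_setup at /opt/APG/Web-Servers/Tomcat/Default/conf/server.xml and /etc/sysconfig/SuSEfirewall2.d/services/apg.custom with port 58443; a non-zero return means fix the reported item before restarting Tomcat.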
Additional Information

Missing intermediate certificate:
On a site with a missing intermediate certificate you will see the following error description after you click on Advanced on the "Your connection is not secure" error page:
  • The certificate is not trusted because the issuer certificate is unknown.
  • The server might not be sending the appropriate intermediate certificates.
  • An additional root certificate may need to be imported.
  • The website's certificate might not have been issued by a trusted certificate authority itself and no complete certificate chain to a trusted authority was provided either (a so-called "intermediate certificate" is missing).
You can test if a site is properly configured by entering the website's address into a third-party tool such as SSL Labs' test page:
<https://www.ssllabs.com/ssltest>.

If it is returning the result "Chain issues: Incomplete", a proper intermediate certificate is missing.

Affected Products

Storage Software
Article Properties
Article Number: 000065800
Article Type: Solution
Last Modified: 31 Jan 2025
Version:  4