Problems with Certificate Signing Request in 3.2.0

Hello

I see that there are various problems with certificates and also the Pandion client. I will wait for resolution on the Pandion issue but I am still struggling to understand the issues on the CSR.

I am running 3.2.0 and I tried to use the XMPP Federation Certification Authority (StartCom)

I have made several attempts at certification and finally deleted the keys and started again. Unfortunately I got the same result.

I copied the CSR and pasted it into the XMPP request web page and received the following response after entering the validation information

CN=rectoryhouse.net/OU=Domain validated only/O=David Pullen/emailAddress=hostmaster@rectoryhouse.net

Error!

There seems to be a problem creating your certificate! Please check your details and try again.

I entered the Issuer information into the Signing request on my Wildfire server (running on Windows2k)

as follows:

Name: *.rectoryhouse.net

Organizational Unit: rectoryhouse.net

Organization: David Pullen

City: Bucknell

State: Shropshire

Country Code: GB

Hey David,

I think that you got to the same point I got while testing Startcom certificates. I contacted StPeter about the error that you are getting and we need to follow it up to learn why startcom doesn't like our CSR. I will start again working on the other alternative which is just to import an entirely new certificate generated in Startcom. If you are able to make it work just let me know.

Regards,

– Gato

Thanks for the information. At least I now know it isn't me! I will take a look at importing a new certificate.

I also contacted StPeter. He is keen to know the status of the 3.2.0 code. I guess the situation is unclear at the moment.

BR

David

Just a quick update. I tried creating a certificate request directly from keytool and I got exactly the same response from the CA. I didn't necessarily expect there to be a difference but it does indicate that the problem may not be caused directly by Wildfire.

BR

David

Hey David,

I have good news. I was able to import a Startcom certificate (private key and signed cert) into Wildfire. The imported certificate appears in the admin console as CA signed. I'm now working on a way to automate the entire process so that you just have to paste the private key and the cert into the admin console and Wildfire will do the rest for you.

I don't think I will be able to include it in Wildfire 3.2.1 but I may provide a non-official way to import them from the admin console. In other words, you may find a non-polished page to do the work.

Hang on,

– Gato

Hi Gato

That is good news. It sounds like you had a lot more success than me. I generated the private key and cert on the Startcom site (option 1) and then produced a pkcs12 keystore using OpenSSL. I was a bit stuck then as I couldn't get the keystore to work with Wildfire. I introduced the .storeType property and set it to pkcs12 but the certificate section displayed a list of errors. I guess it might be a problem having cacert and the truststore in jks and the keystore in pkcs12. I couldn't find any suitable way to convert from pkcs12 to jks. It wasn't clear to me if I could set separate store types for the different key stores.

I understand that keytool cannot import private keys so I am not sure what else I could have done. I am not very happy about this route because I don't really like the idea of generating my private key on a platform out of my control but if it works then it is worth doing. How did you get your private key into the key store?

It would be great if you have a non-polished page to do the work. It is the function that is important to me (and most others I would suspect).

BR

David

Hey David,

The way I imported the private key and signed certificate was using Wildfire's API. There was no way, at least for me, to import it using keytool since keytool is not able to import private keys. The hard part, for me, was to understand the concepts to realize the steps I had to follow. After figuring that out (while driving back home) it was a matter of 1 hour work.

Having said that, Wildfire 3.2.1 includes a new page in the admin console where you can paste the private key (encrypted or not) and the signed certificate and Wildfire will do the rest for you. With the StartCom cert that I was using I found another problem. It seems that the certificate does not include the proper subAltName extension and also the .org extension was removed from the domain in the CN. I will ping StPeter to learn where the problem is. Anyway, I'm sure that certs created with openssl that have the proper structure will work just fine with the new page.

The new page is: http://[your domain]:9090/import-certificate.jsp

Enjoy,

– Gato
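What the import step amounts to, as an added example written for this thread (it is not Wildfire's own code, and not the code behind import-certificate.jsp): read a PEM private key and the signed certificate, and write them into a JKS keystore as a single key entry, the operation keytool has no command for. It assumes an unencrypted PKCS#8 key (the "BEGIN PRIVATE KEY" form that `openssl pkcs8 -topk8 -nocrypt` produces; an encrypted key has to be decrypted first, as happened in this thread), a certificate file holding the signed cert optionally followed by intermediates, and keystore path, alias and password given on the command line. It is written against a current JDK, not the Java 5 of the original Wildfire release.

```java
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;

/**
 * Added example for this thread (not Wildfire's code): store a PEM private key
 * and its signed certificate in a JKS keystore as one key entry.
 *
 * Assumptions (not from the thread): unencrypted PKCS#8 key, cert file with the
 * signed cert first and any intermediates after it, arguments on the command line.
 */
public class ImportPemKeyAndCert {

    /** Strips the PEM armour of the first block with the given label and base64-decodes the body. */
    static byte[] decodePem(String pem, String label) {
        String begin = "-----BEGIN " + label + "-----";
        String end = "-----END " + label + "-----";
        int start = pem.indexOf(begin);
        int stop = pem.indexOf(end);
        if (start < 0 || stop < 0) {
            throw new IllegalArgumentException("no " + label + " block found");
        }
        String body = pem.substring(start + begin.length(), stop).replaceAll("\\s", "");
        return Base64.getMimeDecoder().decode(body);
    }

    /** Parses an unencrypted PKCS#8 key; RSA is tried first (the thread's certs are RSA), then EC. */
    static PrivateKey readPrivateKey(String pem) throws Exception {
        PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(decodePem(pem, "PRIVATE KEY"));
        try {
            return KeyFactory.getInstance("RSA").generatePrivate(spec);
        } catch (InvalidKeySpecException e) {
            return KeyFactory.getInstance("EC").generatePrivate(spec);
        }
    }

    /** CertificateFactory reads PEM directly and returns every certificate in the file, in order. */
    static Certificate[] readCertChain(String pem) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        ByteArrayInputStream in = new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII));
        List<Certificate> chain = new ArrayList<>(cf.generateCertificates(in));
        if (chain.isEmpty()) {
            throw new IllegalArgumentException("no CERTIFICATE block found");
        }
        return chain.toArray(new Certificate[0]);
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: ImportPemKeyAndCert <key.pem> <cert.pem> <keystore> <alias> <password>");
            System.exit(2);
        }
        String keyPem = new String(Files.readAllBytes(Paths.get(args[0])), StandardCharsets.US_ASCII);
        String certPem = new String(Files.readAllBytes(Paths.get(args[1])), StandardCharsets.US_ASCII);
        char[] password = args[4].toCharArray();

        PrivateKey key = readPrivateKey(keyPem);
        Certificate[] chain = readCertChain(certPem);

        // Load the existing keystore if there is one so other entries survive; otherwise start empty.
        KeyStore ks = KeyStore.getInstance("JKS");
        File storeFile = new File(args[2]);
        if (storeFile.exists()) {
            try (FileInputStream in = new FileInputStream(storeFile)) {
                ks.load(in, password);
            }
        } else {
            ks.load(null, null);
        }

        // The step keytool cannot do: a key entry is the private key plus its certificate chain.
        ks.setKeyEntry(args[3], key, password, chain);
        try (FileOutputStream out = new FileOutputStream(storeFile)) {
            ks.store(out, password);
        }
        System.out.println("stored key entry '" + args[3] + "' with " + chain.length + " certificate(s)");
    }
}
```

Running it as `java ImportPemKeyAndCert server.key server.crt keystore <alias> <password>` produces a key entry that `keytool -list -v -keystore keystore` shows as "PrivateKeyEntry". Whether the server then reports the entry as CA signed still depends on the truststore containing the issuing root, which is the separate point made later in this thread.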

Hi Gato

Sounds interesting. Should I be installing the latest nightly to get this page?

I can't see a link to 3.2.1 anywhere.

BR

David

Hey David,

Wildfire 3.2.1 will be released today. You can also grab the nightly build and give it a try. The same code will be present in both things. BTW, when updating you will have to manually replace the resources/security/truststore file. The other files to replace are lib/wildfire.jar and plugins/admin.

Regards,

– Gato

Hi Gato

I have successfully loaded my key and certificate with this screen :-). I also seem to have the error with "SubjectAltName of invalid type found". The CN appears to be ok and I haven't lost my .net extension. So thank you for sorting that out.

I had to decrypt the private key as you indicated and I had to install the new truststore but it went pretty smoothly. I still seem to be struggling to find any other servers that I can implement an encrypted connection with but that is another story!

BR

David

I am a noob to ssl certs. I would like to use a certificate signed by the microsoft CA on our domain. I have created the CSR using the admin console and pasted those contents into two separate requests using the certsrv website on our CA. I selected the type "web server." This gave me two certificates that I saved as base64 format. I pasted these contents into the two boxes on the WF certificate page and clicked save. The certificates were accepted and I was prompted to restart the http server. I did this but the certificates page still says "pending verification". What am I doing wrong?

Many thanks

Hey Ben,

You need to import the CA root certificates to your truststore before importing the signed certificates. When importing signed certificates (i.e. CA's reply) Wildfire will try to build the chain of trusted entities that signed the certificate. When the chain is empty or contains only one element then the certificate will appear in that state. So you need to import the CA root certificates before importing the CA's reply so that Wildfire can properly build the chain of trusted CAs.

IMPORT CA ROOT certificates

keytool -import -keystore truststore -file <CA root certificate file> -alias <some name that will identify the certificate in the truststore>

Regards,

– Gato
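The check behind "pending verification", as an added example for this thread rather than Wildfire's own code: given the CA's reply (the signed certificate, with any intermediates in the same PEM file) and a JKS truststore, try to build a PKIX path from the certificate to a root in the truststore, and treat a chain of zero or one element the way Gato describes Wildfire treating it. It assumes the first certificate in the file is the server certificate, that the truststore is JKS like Wildfire's resources/security/truststore, and that file names and the truststore password are given on the command line; with an empty truststore or one lacking the root, the chain comes back empty.

```java
import java.io.FileInputStream;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.cert.CertPathBuilder;
import java.security.cert.CertPathBuilderException;
import java.security.cert.CertStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.PKIXCertPathBuilderResult;
import java.security.cert.X509CertSelector;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/**
 * Added example for this thread (not Wildfire's code): build the chain from a
 * signed certificate to a trusted root in a JKS truststore. A chain of length
 * 0 or 1 is what the admin console shows as "pending verification".
 *
 * Assumptions (not from the thread): first cert in the file is the server cert,
 * truststore is JKS, arguments come from the command line.
 */
public class CheckCertChain {

    /** Returns the full chain (server cert up to and including the trust anchor), or an empty list. */
    static List<X509Certificate> buildChain(X509Certificate leaf, List<X509Certificate> intermediates,
                                            KeyStore truststore) throws Exception {
        List<X509Certificate> chain = new ArrayList<>();
        // The server cert is the target; intermediates are extra material the builder may use.
        X509CertSelector target = new X509CertSelector();
        target.setCertificate(leaf);
        PKIXBuilderParameters params;
        try {
            params = new PKIXBuilderParameters(truststore, target);
        } catch (InvalidAlgorithmParameterException e) {
            return chain; // truststore holds no trusted certificate entries at all
        }
        params.setRevocationEnabled(false); // offline check: no CRL or OCSP fetching

        List<X509Certificate> pool = new ArrayList<>(intermediates);
        pool.add(leaf); // the builder locates the target through a CertStore, so the leaf must be in it
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(pool)));

        try {
            PKIXCertPathBuilderResult result =
                (PKIXCertPathBuilderResult) CertPathBuilder.getInstance("PKIX").build(params);
            for (Certificate c : result.getCertPath().getCertificates()) {
                chain.add((X509Certificate) c);
            }
            // getCertPath() leaves out the trust anchor; append it so the whole chain is visible.
            chain.add(result.getTrustAnchor().getTrustedCert());
        } catch (CertPathBuilderException e) {
            // No path to any trusted root (root missing, or the cert is outside its validity period).
        }
        return chain;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: CheckCertChain <signed-cert.pem> <truststore> <truststore-password>");
            System.exit(2);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        try (FileInputStream in = new FileInputStream(args[0])) {
            for (Certificate c : cf.generateCertificates(in)) {
                certs.add((X509Certificate) c);
            }
        }
        X509Certificate leaf = certs.get(0);
        List<X509Certificate> intermediates = certs.subList(1, certs.size());

        KeyStore truststore = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(args[1])) {
            truststore.load(in, args[2].toCharArray());
        }

        List<X509Certificate> chain = buildChain(leaf, intermediates, truststore);
        if (chain.size() <= 1) {
            System.out.println("pending verification: no trusted root found for "
                + leaf.getSubjectX500Principal());
            System.out.println("import the issuing root first: keytool -import -keystore "
                + args[1] + " -file <ca-root.pem> -alias <name>");
        } else {
            System.out.println("CA signed: chain of " + chain.size() + " certificate(s)");
            for (X509Certificate c : chain) {
                System.out.println("  " + c.getSubjectX500Principal());
            }
        }
    }
}
```

Run it once against the truststore as shipped and once after the keytool import above; the same signed certificate moves from the first branch to the second, which is exactly the state change Ben was waiting for after restarting the HTTP server.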

Hi Gato,

Since you already created the new import page, you probably could add a third textarea where the CAcert can be pasted in. (optionally of course).

Just an idea …

-Fritz

Hey Fritz,

That is a good idea. It would be nice to be able to paste the chain of certificates but Wildfire still needs to trust the root certificate of the chain. Therefore, we also need to let admins import certs to the truststore and not only to the keystore. I filed JM-988 for this improvement. I think that once this improvement has been implemented we can then consider this page as official.