3 replies, latest post 2013-01-23T08:24:42Z by SystemAdmin
SystemAdmin
COMODO SSL Certificate Registration on AIX

2013-01-11T12:13:19Z
Hi,

I am new to the SSL Certificate registration and all other web related configuration. Recently, I have got a request to set up FTP over SSL. The third party only shared a root & secure certificate. I followed the steps of configuring the key DB and other setups. I am not progressing much.
openssl.cnf
bash-3.2# cat /var/ssl/openssl.cnf
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = /var/ssl/prodkeys
certs = $dir/certsdb
new_certs_dir = $certs
database = $dir/index.txt
certificate = $dir/cacert.pem
private_key = $dir/private/cakey.pem
serial = $dir/serial
crldir = $dir/crl
crlnumber = $dir/crlnumber
crl = $crldir/crl.pem
RANDFILE = $dir/private/.rand
x509_extensions = usr_cert
copy_extensions = copy
name_opt = ca_default
cert_opt = ca_default
default_days = 365
default_crl_days= 30
default_md = sha1
preserve = no
policy = policy_match
[ policy_match ]
countryName = match
stateOrProvinceName = match
localityName = supplied
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ policy_anything ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[ req ]
default_bits = 2048
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
req_extensions = v3_req
string_mask = nombstr
[ req_distinguished_name ]   <-- I have removed my client details.
countryName =
countryName_default =
countryName_min =
countryName_max =
stateOrProvinceName =
stateOrProvinceName_default =
localityName =
organizationName =
organizationalUnitName =
commonName =
emailAddress =

[ req_attributes ]

[ usr_cert ]
basicConstraints = CA:false
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

[ v3_req ]
subjectAltName = email:move

[ v3_ca ]
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always,issuer:always
basicConstraints = CA:true

I created a key DB.
gsk7cmd -keydb -create -db /var/ssl/prodkeys/certsdb -pw 123456 -type cms
gsk7cmd -cert -add -db /var/ssl/prodkeys/certsdb.kdb -pw 123456 -label comodoroot -format ascii -trust enable -file AddTrustExternalCARoot.crt
gsk7cmd -cert -add -db /var/ssl/prodkeys/certsdb.kdb -pw 123456 -label comodocert -format ascii -trust enable -file COMODOHigh-AssuranceSecureServerCA.crt

bash-3.2# ftp -v -s ftpshost
Connected to ftpshost.
220-FTPS service.
220-Authorised access only.
220 Use 'Auth TLS' connection mode.
234 Using authentication type TLS
TLS Auth Entered.
error:02001002:system library:fopen:No such file or directory
ERROR Error loading certificate
error:20074002:BIO routines:FILE_CTRL:system lib
ERROR Error setting up certificate and key for the control connection
error:140DC002:SSL routines:SSL_CTX_use_certificate_chain_file:system lib
ERROR Error setting BIO object for the control connection
FTP: Unable to authenticate to Server.

gsk7cmd -cert -getdefault -db /var/ssl/prodkeys/certsdb.kdb -pw 123456
null
bash-3.2# gsk7cmd -cert -setdefault -db /var/ssl/prodkeys/certsdb.kdb -pw 123456 -label comodocert
An error occurred while setting the specified key as the default key.

/var/ssl/prodkeys
bash-3.2# cd ..
bash-3.2# ls -ltr prodkeys
total 280
-rw-r--r-- 1 root system 80 Jan 11 10:22 certsdb.rdb
-rw-r--r-- 1 root system 125080 Jan 11 10:22 certsdb.kdb
-rw-r--r-- 1 root system 80 Jan 11 10:22 certsdb.crl
-rw-r--r-- 1 root system 940 Jan 11 12:11 cacert.pem
drwxr-xr-x 2 root system 256 Jan 11 12:12 private
-rw-r--r-- 1 root system 3 Jan 11 12:12 serial
-rw-r--r-- 1 root system 0 Jan 11 12:12 index.txt

My questions are:
How to create a private .pem file?
Is it necessary that I should have a host .pem file?
How to set a key as default key? Why am I not able to set it?

Thanks in Advance
Ram
Updated on 2013-01-23T08:24:42Z by SystemAdmin
  • JPdev
    Re: COMODO SSL Certificate Registration on AIX
    2013-01-11T13:33:39Z, in response to SystemAdmin
    Hello,
    it seems that the mechanism you use (sha1) to connect is not recognized.
    As I know, ftp uses only 4 mechanisms:
    kerberos_v5 mech_krb5.so (this is the default on most UNIX systems)
    spnego mech_spnego.so.1 msinterop
    diffie_hellman_640_0 dh640-0.so.1
    diffie_hellman_1024_0 dh1024-0.so.1

    so you get an error "system lib".
    I don't know if AIX uses other specific mechs; see the man ftp for your system.
    There is also a specific argument to specify the mechanism in the ftp command, -m GSS Mech, and the supported alternatives are defined in /etc/gss/mech. Is it the case on AIX?

    regards.
    • SystemAdmin
      Re: COMODO SSL Certificate Registration on AIX
      2013-01-11T14:15:03Z, in response to JPdev
      Yes, it is AIX 6.1. However, I have not worked on these SSL certificates before. I tried googling and did as much as I can with the conf and the DB. However, the problem remains the same.
      Thanks
      Ram
  • SystemAdmin
    Re: COMODO SSL Certificate Registration on AIX
    2013-01-23T08:24:42Z, in response to SystemAdmin
    You can try this out. Once these have been submitted, you receive a zip file back with 3 files in it (it should look similar to below):

    AddTrustExternalCARoot.crt
    UTNAddTrustServerCA.crt
    jira_whatever_com.crt

    As shown in the Atlassian documentation to implement HTTPS, it doesn't mention the use of .crt files, but rather .cer files, which is of no use to us, so let's make this work.

    Copy over your jira.key file to the jira server
    Copy over the .zip file from comodo to the jira server
    Extract the contents of the .zip file to the jira server

    Create a keyout.pem file:
    (You will be prompted for a passphrase, enter one that you would like to use)
    1. openssl rsa -in jira.key -des -out keyout.pem
    Create certificate chain, and store as cert.pem:
    1. cat AddTrustExternalCARoot.crt UTNAddTrustServerCA.crt jira_whatever_com.crt > cert.pem
    Create the .pkcs12 file using both the private key .pem file and cert .pem file
    1. openssl pkcs12 -export -inkey keyout.pem -in cert.pem -out keystore.pkcs12
    Update your server.xml file (/path/to/jira/conf/server.xml) to reflect the changes with the following entries:
    keystoreFile="" (the path & .pkcs12 file you created in step 6.1)
    keystoreType="PKCS12"
    keystorePass="" (the password you chose in step 4.1)

    Example of what it should look like below:
    <Connector port="443" maxHttpHeaderSize="8192" SSLEnabled="true" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" useBodyEncodingForURI="true" keystoreFile="/usr/jira/keystore.pkcs12" keystoreType="PKCS12" keystorePass="superp4ssw0rd!" />

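A worked version of the key, chain and PKCS#12 steps in the reply above, added here as an example; it is not code from the thread, Comodo or Atlassian. It generates a constructed root -> intermediate -> leaf demo PKI so it runs offline (standing in for the three .crt files in the CA's zip), re-encrypts the leaf key with a passphrase read from the environment rather than typed on the command line, writes the chain leaf-first, which is the order OpenSSL's SSL_CTX_use_certificate_chain_file (the call named in the ftp error at the top of the thread) expects, while `openssl pkcs12 -export` selects the certificate matching the key whatever the order in the file. Before exporting it checks that the key really belongs to the leaf certificate and that the chain verifies against the root, which catches the two mistakes that otherwise surface only as opaque "system lib" or handshake errors. It assumes a POSIX shell with `openssl` on PATH; every file name, CN and passphrase is a constructed placeholder, and AES-256 is used in place of the reply's `-des`.

```shell
#!/bin/sh
# Added example (not from the thread, Comodo or Atlassian): build and sanity-check a
# PEM chain and a PKCS#12 keystore with OpenSSL. Assumes `openssl` is on PATH; every
# file name, CN and passphrase below is a constructed placeholder.

# Re-encrypt a private key under a passphrase taken from the environment, so the
# passphrase is not visible in `ps` output (the reply uses -des; AES-256 here).
encrypt_key() {  # encrypt_key <plain.key> <keyout.pem> <passphrase>
    KEYPASS="$3" openssl rsa -in "$1" -aes256 -passout env:KEYPASS -out "$2" 2>/dev/null
}

# Concatenate certificates leaf-first. SSL_CTX_use_certificate_chain_file treats the
# first block as the end-entity cert and the rest as its chain; `openssl pkcs12
# -export` picks the cert matching the key whatever the order.
build_chain() {  # build_chain <out.pem> <leaf.crt> <intermediate.crt>... <root.crt>
    out="$1"; shift
    cat "$@" > "$out"
}

count_certs() {  # count_certs <file.pem> -> number of certificate blocks
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Does this (possibly encrypted) key belong to this certificate? Compare public keys.
key_matches_cert() {  # key_matches_cert <key.pem> <cert.crt> [passphrase]
    k=$(KEYPASS="${3:-}" openssl pkey -in "$1" -passin env:KEYPASS -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Does the leaf chain up to the trusted root through the certs in chain.pem?
verify_chain() {  # verify_chain <leaf.crt> <chain.pem> <root.crt>
    openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Bundle encrypted key + chain into the PKCS#12 keystore that server.xml points at.
export_pkcs12() {  # export_pkcs12 <keyout.pem> <chain.pem> <out.pkcs12> <keypass> <p12pass>
    KEYPASS="$4" P12PASS="$5" openssl pkcs12 -export -inkey "$1" -passin env:KEYPASS \
        -in "$2" -out "$3" -passout env:P12PASS 2>/dev/null
}

pkcs12_cert_count() {  # pkcs12_cert_count <keystore.pkcs12> <p12pass>
    P12PASS="$2" openssl pkcs12 -in "$1" -passin env:P12PASS -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

# Constructed demo PKI (root -> intermediate -> leaf), standing in for the CA's zip.
make_demo_pki() {  # make_demo_pki <dir>
    dir="$1"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ftpshost.example\n' > "$dir/leaf.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/root.key" -out "$dir/root.crt" \
        -subj "/CN=Demo Root CA" -days 1 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/int.key" -out "$dir/int.csr" \
        -subj "/CN=Demo Intermediate CA" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/ca.ext" -days 1 -out "$dir/int.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" -out "$dir/leaf.csr" \
        -subj "/CN=ftpshost.example" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
        -CAcreateserial -extfile "$dir/leaf.ext" -days 1 -out "$dir/leaf.crt" 2>/dev/null
}

# End to end in <dir>: the reply's three steps plus the checks. Returns non-zero if
# the key does not match the leaf, the chain does not verify, or the keystore does
# not hold all three certificates.
run_demo() {  # run_demo <dir>
    dir="$1"
    make_demo_pki "$dir"
    encrypt_key "$dir/leaf.key" "$dir/keyout.pem" "demo-key-pass"
    build_chain "$dir/cert.pem" "$dir/leaf.crt" "$dir/int.crt" "$dir/root.crt"
    key_matches_cert "$dir/keyout.pem" "$dir/leaf.crt" "demo-key-pass" || return 1
    verify_chain "$dir/leaf.crt" "$dir/cert.pem" "$dir/root.crt" || return 1
    export_pkcs12 "$dir/keyout.pem" "$dir/cert.pem" "$dir/keystore.pkcs12" \
        "demo-key-pass" "demo-p12-pass"
    n=$(pkcs12_cert_count "$dir/keystore.pkcs12" "demo-p12-pass")
    echo "keystore $dir/keystore.pkcs12 holds $n certificates"
    [ "$n" -eq 3 ]
}

if [ "${1:-}" = "demo" ]; then run_demo "$(mktemp -d)"; fi
```

Run it as `sh build_keystore.sh demo` to see the whole flow on the constructed PKI; with real material, call `encrypt_key`, `build_chain`, `key_matches_cert`, `verify_chain` and `export_pkcs12` on your own key and the three .crt files. A `key_matches_cert` failure means the CSR was generated from a different key than the one on the server; a `verify_chain` failure usually means a missing or wrong intermediate, which is exactly what a client reports as a bare handshake or "system lib" error.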