IBM Support

PH42162: CHAINED CERTIFICATE CREATION FAILS WITH "SIGNER SKI FORMAT MUST MATCH SIGNED AKI FORMAT" ERROR

Subscribe to this APAR

By subscribing, you receive periodic emails alerting you to the status of the APAR, along with a link to the fix after it becomes available. You can track this item individually or track all items by product.

Notify me when this APAR changes.

Notify me when an APAR for this component changes.

 

APAR status

  • Closed as program error.

Error description

  • WebSphere fails to create a chained certificate.  The following
error message is printed in the log.


3008-737 A certificate attribute was not recognised.

(wraps: com.ibm.security.cerrclient.base.PkRejectionException:
Signer SKI format must match signed AKI format):

------Sample error --------------------------------------------
[11/5/21 9:20:10:033 CET] 0000017a CreateCMSKeyS 3 Exception
creating CMS keystore.
com.ibm.security.certclient.base.PkRejectionException: 3008-737
A certificate attribute was not recognised. (wraps:
com.ibm.security.cer\
tclient.base.PkRejectionException: Signer SKI format must match
signed AKI format):
com.ibm.security.certclient.base.PkRejectionException: Signer
SKI format must match signed AKI format
at com.ibm.security.certclient.util.PkNewCertFactory.computeAut
horityKID(UnknownSource)
at com.ibm.security.certclient.util.PkNewCertFactory.access$000
(UnknownSource)
at com.ibm.security.certclient.util.PkNewCertFactory$PkNewCertI
mpl.generatenewCertificate(UnknownSource)
at com.ibm.security.certclient.util.PkNewCertFactory$PkNewCertI
mpl.<init>(UnknownSource)
at com.ibm.security.certclient.util.PkNewCertFactory.newCert(Un
knownSource)

Local fix

  • 



Problem summary


    

  • ****************************************************************
* USERS AFFECTED:  All users of IBM WebSphere Application      *
*                  Server                                      *
*                  who replaced the server root certificate    *
*                  that contains standard SKI                  *
****************************************************************
* PROBLEM DESCRIPTION: After Java update. while creating a     *
*                      chained certificate,                    *
*                      com.ibm.security.certclient.base.PkReje *
*                      ct                                      *
*                      ionException is thrown.                 *
****************************************************************
* RECOMMENDATION:                                              *
****************************************************************
After Java update, the following error:
com.ibm.security.certclient.base.PkRejectionException: Signer
SKI format must match signed AKI format
is thrown during a chained certificate creation.
The recent Java version started to check if the chained
certificate's Authority Key Identifier (AKI) format matches
it's
root signer's Subject Key Identifier (SKI) format.
WebSphere had been specifying short SKI/AKI format when calling
Java API to create certificate creation.
If the root certificate has a SKI format that is not short
format, Java throws the above Exception as the SKI format does
not match.
Servers that use WebSphere's default root certificate is not
affected by this issue as it contains SKI in short format.
Servers that has the root certificate from the 3rd party
certificate (CA certificate or created by iKeyman, keytool,
openssl etc) would be affected.
--- Keytool output of SKI -------------
Root certificate key tool output
The following shows longer SKI.
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 21 f5 0a 11 ec 2c 29 b2 98 5d fe ba b5 cd 9a f6
................
0010: 3c 87 27 7b                    ....
]
]
The following SKI is shorter SKI from WebSphere's default root
certificate
#1: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 42 1a 4d 93 55 fd 10 7d
]
]
The Java change was introduced with the following APAR
https://www.ibm.com/support/pages/apar/IJ32593
included in the following Java Releases:
8    SR6 FP35  (8.0.6.35)
7    SR10 FP90 (7.0.10.90)
7 R1 SR4 FP90  (7.1.4.90)

    



Problem conclusion


    

  • The certificate creation code has been updated to match the
SKI/AKI format.

The fix for this APAR is targeted for inclusion in fix pack
8.5.5.22 and 9.0.5.13. For more information, see 'Recommended
Updates for WebSphere Application Server':
https://www.ibm.com/support/pages/node/715553

    



Temporary fix


    

  • 



Comments


    

  • 



APAR Information




    

  • APAR number
    PH42162
    • 

  • Reported component name
    WEBS APP SERV N
    • 

  • Reported component ID
    5724H8800
    • 

  • Reported release
    850
    • 

  • Status
    CLOSED  PER
    • 

  • PE
    NoPE
    • 

  • HIPER
    NoHIPER
    • 

  • Special Attention
    NoSpecatt / Xsystem
    • 

  • Submitted date
    2021-11-17
    • 

  • Closed date
    2022-03-29
    • 

  • Last modified date
    2022-05-13
    • 





    

  • APAR is sysrouted FROM one or more of the following:
    

    • 

  • APAR is sysrouted TO one or more of the following:
    

    • 



Fix information


    

  • Fixed component name
    WEBS APP SERV N
    • 

  • Fixed component ID
    5724H8800
    • 



Applicable component levels


    








      
              
                            

              

              [{"Line of Business":{"code":"LOB45","label":"Automation"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"8.5"}]
              

                          

          
 
        

      

    

      

        

          

            
Document Information


            

            


                        

            Modified date:
            

            14 May 2022
            

            
                      

        


        

        


      

    

  



    

  

  
    
            

          
Page Feedback