Re: Installing Intermediate Certificates for Software Assistant (766 Views)
Regular Advisor
christian_derek
Posts: 135
Registered: 11-16-2004
Message 1 of 8 (844 Views)

Installing Intermediate Certificates for Software Assistant

Hi,

 

I'm trying to install the Intermediate Certificates as described, but I'm getting the error below:

 

/opt/java6/jre/bin/keytool -import -trustcacerts \
> -keystore /opt/java6/jre/lib/security/cacerts \
> -storepass changeit -file CA-V3C3Gint \
> -alias "VeriSign Class 3 Public Primary CA - G3"
keytool error: java.lang.Exception: Input not an X.509 certificate

 

But I was able to confirm the validity of the certificate in the previous step. What could be wrong?

 

swa version 2.90

java 1.5.0.25.00

java 1.6.0.15.00

 

Thanks,

Honored Contributor
Patrick Wallek
Posts: 13,786
Registered: 06-21-2000
Message 2 of 8 (842 Views)

Re: Installing Intermediate Certificates for Software Assistant

It thinks your certificate file is invalid.  First thing to try is to specify the full path to the file, not just the file name.

Regular Advisor
christian_derek
Posts: 135
Registered: 11-16-2004
Message 3 of 8 (836 Views)

Re: Installing Intermediate Certificates for Software Assistant

Hi,

 

I tried the full path, but still the same error ...

 

/opt/java6/jre/bin/keytool -import -trustcacerts \
> -keystore /opt/java6/jre/lib/security/cacerts \
> -storepass changeit -file /root/CA-V3C3Gint \
> -alias "VeriSign Class 3 Public Primary CA -G3"
keytool error: java.lang.Exception: Input not an X.509 certificate

 

Thanks,

Honored Contributor
Matti_Kurkela
Posts: 6,271
Registered: 12-02-2001
Message 4 of 8 (816 Views)

Re: Installing Intermediate Certificates for Software Assistant

There are several possible certificate file formats: basic formats like PEM and DER, and container formats like PFX, PKCS#7 and PKCS#12.

 

I know that Java "keytool" can accept PEM format at least, but I'm not sure of the other formats.

 

What is the format of your certificate file?

If "file /root/CA-V3C3Gint" says just "data", it's not PEM.

 

With the OpenSSL tools, you can easily convert the certificate from one format to another. Assuming that you have OpenSSL installed, run "man pkcs12", "man pkcs7" or "man x509" to get a description of the OpenSSL certificate file manipulation commands.

 

MK
Regular Advisor
christian_derek
Posts: 135
Registered: 11-16-2004
Message 5 of 8 (800 Views)

Re: Installing Intermediate Certificates for Software Assistant

Hi,

 

I did follow the instructions in the HP manual Installing Intermediate Certificates for Software Assistant. Here is the link for reference ...

 

http://h20000.www2.hp.com/bizsupport/TechSupport/DocumentIndex.jsp?lang=en&cc=us&contentType=Support...

 

thanks,

Honored Contributor
Matti_Kurkela
Posts: 6,271
Registered: 12-02-2001
Message 6 of 8 (766 Views)

Re: Installing Intermediate Certificates for Software Assistant

The manual suggests running this command to validate the correctness of the certificate before importing it to the keystore:

 openssl x509 -in /root/CA-V3C3Gint -fingerprint -md5

 What is the output of that command?

 

By the way, did you create the CA-V3C3Gint file in a Windows system before moving it to HP-UX? In that case, you might have to use the "dos2ux" command to convert the end-of-line characters from Windows style to Unix style. OpenSSL might be able to handle both styles, but the Java keytool might not.

MK
Regular Advisor
christian_derek
Posts: 135
Registered: 11-16-2004
Message 7 of 8 (748 Views)

Re: Installing Intermediate Certificates for Software Assistant

Hi,

 

Yes, I followed the instructions in the document, but I ran the command again, and it was created directly with vi.

 

see the output ...

 

Thanks,

 

# openssl x509 -in /root/CA-V3C3Gint -fingerprint -md5
MD5 Fingerprint=3C:48:42:0D:FF:58:1A:38:86:BC:FD:41:D4:8A:41:DE
#

Honored Contributor
Matti_Kurkela
Posts: 6,271
Registered: 12-02-2001
Message 8 of 8 (740 Views)

Re: Installing Intermediate Certificates for Software Assistant

So OpenSSL seems to think the certificate file is valid, at least syntactically. Hmm.

 

This might still be a case of keytool being more picky than OpenSSL about details like having the last line of the certificate end with a proper line terminator character, or extra spaces at the end of the lines.


A quick test indicates that passing a PEM-format certificate through OpenSSL fixes irregularities like that. So, try this:

 

openssl x509 -in /root/CA-V3C3Gint -out /tmp/CA-V3C3Gint.pem

/opt/java6/jre/bin/keytool -import -trustcacerts \
 -keystore /opt/java6/jre/lib/security/cacerts \
 -storepass changeit -file /tmp/CA-V3C3Gint.pem \
 -alias "VeriSign Class 3 Public Primary CA -G3"

 

If the problem is caused by extra whitespace or missing/incorrect line terminators, that should fix it.

 

MK
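
The irregularities named in this thread (input that is not PEM, Windows line endings, trailing whitespace, a missing final line terminator) can be checked for directly before running keytool. The following is an added example, not part of any post or of the HP manual: `pem_lint` and `pem_normalize` are hypothetical helper names, the sample file is constructed, and `pem_normalize` uses awk for the cleanup that the thread performs by passing the file through `openssl x509`.

```shell
#!/bin/sh
# Added example (not from the thread): lint a PEM certificate file for the
# irregularities discussed above before importing it with keytool.

# pem_lint FILE: prints space-separated findings, or "clean".
pem_lint() {
    f=$1; out=""
    cr=$(printf '\r')
    # No PEM header at all: probably DER or a container format.
    if ! grep -q '^-----BEGIN CERTIFICATE-----' "$f"; then out="$out not-pem"; fi
    # Windows-style CRLF line endings (what dos2ux fixes on HP-UX).
    if grep -q "$cr\$" "$f"; then out="$out crlf"; fi
    # Spaces or tabs at the end of a line (checked with any CR removed).
    if tr -d '\r' < "$f" | grep -q '[[:blank:]]$'; then out="$out trailing-space"; fi
    # $(...) strips a final newline, so a non-empty result means the
    # last line has no proper terminator.
    if [ -n "$(tail -c 1 "$f")" ]; then out="$out no-final-newline"; fi
    echo "${out:-clean}" | sed 's/^ //'
}

# pem_normalize IN OUT: drop CRs and trailing blanks and terminate every
# line with a newline (awk's print always appends one).
pem_normalize() {
    awk '{ sub(/[ \t\r]+$/, ""); print }' "$1" > "$2"
}

# Constructed sample: placeholder body (not a real certificate) with CRLF
# endings, one trailing space, and no terminator on the last line.
tmp=$(mktemp -d)
printf '%s\r\n%s \r\n%s' '-----BEGIN CERTIFICATE-----' 'QUJD' \
    '-----END CERTIFICATE-----' > "$tmp/bad.pem"

before=$(pem_lint "$tmp/bad.pem")
pem_normalize "$tmp/bad.pem" "$tmp/good.pem"
after=$(pem_lint "$tmp/good.pem")
echo "before: $before"
echo "after:  $after"
```

A finding of `not-pem` means no amount of whitespace cleanup will help; the file has to be converted to PEM first.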