D3 and mvBase

  • 1.  SSL Certificates

    PARTNER
    Posted 04-26-2021 06:27
    G'day Brian,

    Thanks for the update.

    The reason why I couldn't join was because MS decided to verify my account and the verification took 2 1/2 hours to arrive. By that time it was too late. Darrell found out afterwards that the delay was between two of the MS servers.

    Sorry about that, but it is one of the reasons why we don't use MS products.

    This is, from my perspective, very technical and that is why we use Darrell for this sort of work. I am self-taught and design systems using databases for our work. Hence my love of SB+.

    Thanks for your help.

    Alex

    On 23/4/21 10:32 pm, Brian Cram via Rocket Forum wrote:
    Apr 23, 2021 10:30 AM
    Brian Cram
    Hi, Alex. I had a meeting with your guy and MBS ( you were invited but I don't think you joined ). We went through the process and here's what we determined:

    The problem with importing the wildcard certificate into the MVS Toolkit keystore had nothing to do with the fact that it was a wildcard certificate but rather that it was not from a sufficiently-trusted Certificate Authority. The way they got around it was to create a .PEM file that had a sufficiently-trusted certificate followed by the wildcard certificate followed by the private key as follows ( edited for brevity and security ):

     

    -----BEGIN CERTIFICATE-----
    MIIFvjCCBKagAwIBAgISAzMCsFkt1ZFCjM1IW9vy3ERVMA0GCSqGSIb3DQEBCwUA
    ( edited )
    ExYXodzx1ZjG4Lr1S0d2S+psKWy41Yqwg8a1/nGKMi5exQ==
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    MIIEZTCCA02gAwIBAgIQQAF1BIMUpMghjISpDBbN3zANBgkqhkiG9w0BAQsFADA/
    ( edited )
    UdHkhVNcsAKX1H7GNNLOEADksd86wuoXvg==
    -----END CERTIFICATE-----
    -----BEGIN RSA PRIVATE KEY-----
    tQ2TKKvqoK/5jWhD50tdZEQVEFJUXVMvmw08TwIDWpVEDZd8+L40y8aAB9FqGX7z
    ( edited )
    bxU8rX3s9YnMMGyp4BiKGPoiDTGsiE9v+vVorcYW3XGOZaPrjlpMcorI6Ugk0Dwj
    -----END RSA PRIVATE KEY-----

     

    The steps for creating the Java Keystore used by the MVS Toolkit were:

     
    1) Aggregate the two certificates and private key into one .PEM file
    2) Use OpenSSL to convert the .PEM file to a .PKCS12 file
    3) Use the JDK's keytool utility to create an empty keystore file ( .KS )
    4) Use the JDK's keytool utility to import that .PKCS12 file into that keystore file ( .KS )

     

    One annoyance is that if there are any failures using OpenSSL and/or keytool, the errors thrown are rather cryptic. This is not a weakness in the Toolkit itself, but rather the third-party open-source utilities: OpenSSL and the JDK ( Java Development Kit ).

     

    The good news is that your resource now knows how to do this easily and will be able to deal with certificate expiration very easily next time.

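    The four steps in the post above, as an added example that is not taken from the post or from Rocket's documentation: it checks the aggregated PEM for the layout described (certificates first, then one private key) before running OpenSSL and keytool. The function names, the four file/alias arguments and the KS_PASS variable are assumptions, and the separate empty-keystore step is folded into the import because keytool creates the destination file when it is missing.

```shell
#!/bin/sh
# Added example. Assumed names: KS_PASS, the four arguments, both functions.

# Step 1 check: succeed only if the PEM holds two or more certificates
# followed by exactly one private key, every BEGIN closed by its END.
check_bundle_layout() {
    awk '
        { sub(/\r$/, "") }
        /^-----BEGIN / { if (cur != "") bad = 1
                         cur = $0; sub(/^-----BEGIN /, "", cur); sub(/-----$/, "", cur)
                         if (cur == "CERTIFICATE") { if (keys) bad = 1; certs++ }
                         else if (cur ~ /PRIVATE KEY$/) keys++
                         else bad = 1
                         next }
        /^-----END /   { lbl = $0; sub(/^-----END /, "", lbl); sub(/-----$/, "", lbl)
                         if (lbl != cur) bad = 1
                         cur = ""; next }
        END { exit !(!bad && cur == "" && certs >= 2 && keys == 1) }
    ' "$1"
}

# Steps 2-4. Runs in a subshell so the umask change stays local.
build_keystore() (
    pem=$1; p12=$2; ks=$3; entry=$4
    [ -n "${KS_PASS:-}" ] || { echo "export KS_PASS first" >&2; exit 1; }
    check_bundle_layout "$pem" || { echo "unexpected PEM layout: $pem" >&2; exit 1; }
    umask 077    # the .p12 and the keystore both contain the private key
    # Step 2: PEM -> PKCS#12, password taken from the environment, not argv.
    openssl pkcs12 -export -in "$pem" -name "$entry" \
        -out "$p12" -passout env:KS_PASS || exit 1
    # Steps 3-4: -importkeystore creates the destination keystore when the
    # file does not exist yet, so the empty-keystore step is folded in.
    keytool -importkeystore -noprompt \
        -srckeystore "$p12" -srcstoretype PKCS12 -srcstorepass:env KS_PASS \
        -destkeystore "$ks" -deststorepass:env KS_PASS || exit 1
    # Show the imported entry: expect a PrivateKeyEntry with its chain.
    keytool -list -v -keystore "$ks" -storepass:env KS_PASS -alias "$entry"
)

if [ "$#" -eq 4 ]; then build_keystore "$@"; fi
```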



  • 2.  RE: SSL Certificates

    ROCKETEER
    Posted 04-26-2021 10:38
    Thanks, Alex.

    ------------------------------
    Brian S. Cram
    Principal Technical Support Engineer
    Rocket Software
    ------------------------------