Skip to main content
Solved

Customer SSL certificate import error - IFS APP 10

  • October 5, 2021
  • 4 replies
  • 1043 views
C
Do Gooder (Partner)
Forum|alt.badge.img+2

Hi, we are configuring MW with the certificate (.pfx) provided by the customer.
Currently we are getting an error that does not allow us to advance in the configuration.
We have manually uploaded the CA root in the java repository without success.


Any ideas?

Best answer by ChristianP

Hi at all,

i’ve found the problem.

It was relied to the F1MAGE which is not able to read the Java certificate store so, to verify the true error, F1MAGE must be launched manually and checked (EX. certificate chain absent). Once this is done, you need to load the ROOT and sub-root certificates on the windows side. Once this is done, the certificate will be validated on the F1MAGE side and the configuration can be finished.

Thanks everyone for the ideas

View original
1 Attachments
Did this topic help you find an answer to your question?
This topic has been closed for comments

4 replies

S
Hero (Employee)
Forum|alt.badge.img+9
  • Shan Peiris
  • Hero (Employee)
  • 79 replies
  • October 5, 2021

Hi @ChristianP 

sometimes this may helpful

Wildcard SSL/TLS Certificate Verification Error in App10 | IFS Community

Regards
shan

C
1 person likes this
  • C
    ChristianP
Nimesh Kasun
Hero (Employee)
Forum|alt.badge.img+10
  • Nimesh Kasun
  • Hero (Employee)
  • 112 replies
  • October 5, 2021

Hi @ChristianP,

Please check this KB, it seems the same issue has been explained there.

https://community.ifs.com/technical-issues-101/error-javax-net-ssl-sslhandshakeexception-sun-security-validator-validatorexception-pkix-path-building-failed-9941

/Nimesh

Nimesh | www.linkedin.com/in/nimeshkasun | www.twitter.com/NimeshKasun
C
1 person likes this
  • C
    ChristianP
Charith Epitawatta
Ultimate Hero (Employee)
Forum|alt.badge.img+31

Hi @ChristianP,

Have you tried to reconfigure with a self-signed certificate? If not, please try and see whether you get the same error.

If you are not getting the error with a self signed certificate, then the problem should be with the certificate and you need to create one certificate containing the full chain of trust. For that you can do the following.

  1. Ask the customer to check the files they received for their CSR. There should be 2 or 3 files: the certificate file in one or 2 formats, and a bundle file containing intermediate certificates.  
  2. Using OpenSSL, combine the certificate file, the bundle file and the private key which is generated with the CSR, into one PKCS#12 file(pfx or p12 format).

Eg: openssl pkcs12 -export -out result.pfx -inkey privateKey.key -in certificate.crt -certfile bundle.crt 

Make sure to give the correct file names for the above command. Ideally, this should be done by the customer themselves, because the private key file should not be shared with others. If the bundle file is in p7b format, you need to convert it to crt format before running the above command. 

  1. Install the resulting certificate(result.pfx in above example) as a Trusted Root Certificate Authority on the Application Server host machine.
  2. Using the windows Certificate Manager, export the certificate. 
  3. Use the exported certificate in IFS Installer. 

Hope this helps!

Charith - https://charith.xyz
H
J
durette
5 people like this
  • H
    Hiroshi Perera
  • J
    Jagath Kandambi
  • durette
    durette
  • Jeewaka Padmapriya
    Jeewaka Padmapriya
  • C
    ChristianP
C
Do Gooder (Partner)
Forum|alt.badge.img+2
  • ChristianP
  • Author
  • Do Gooder (Partner)
  • 1 reply
  • Answer
  • October 13, 2021

Hi at all,

i’ve found the problem.

It was relied to the F1MAGE which is not able to read the Java certificate store so, to verify the true error, F1MAGE must be launched manually and checked (EX. certificate chain absent). Once this is done, you need to load the ROOT and sub-root certificates on the windows side. Once this is done, the certificate will be validated on the F1MAGE side and the configuration can be finished.

Thanks everyone for the ideas

Nimesh Kasun
1 person likes this
  • Nimesh Kasun
    Nimesh Kasun
Terms & ConditionsCookie settings

Cookie policy

We use cookies to enhance and personalize your experience. If you accept you agree to our full cookie policy. Learn more about our cookies.

 
Cookie settings