Messaging Gateway

  • 1.  Importing a Certificate which was not Created using SMG

    Posted Apr 04, 2012 01:02 PM

    Hi,

    Well, this one has me stumped.

    The manual states that from version 9.5 a certificate generated without using the SMG to create the certificate request can be imported into SMG.

    I've an x509 (and PKCS#7) certificate from Thawte, which I cannot get onto the SMG. I get the "No stored certificate request matches this certificate" error.

    However, I'm struggling to find any clear instructions to lead me towards doing this. TECH154806 seems to be doing what I need, but it is rather ambiguous, to say the least, in describing how to actually accomplish it!

    So does anyone know of an "idiot's guide" for this?

    Or should I just cut my losses and purchase another certificate, generating the request through SMG?

    "It's far better to be told you can't do something from the start, than to become frustrated with a product because you discover you can't do it later on"

    Many thanks,

    Steve




  • 2.  RE: Importing a Certificate which was not Created using SMG

    Broadcom Employee
    Posted Apr 04, 2012 06:36 PM

    The steps given in that document work. The error message you saw usually means the passphrase is still in the .pem file or the RSA shared key is missing.



  • 3.  RE: Importing a Certificate which was not Created using SMG

    Posted Apr 12, 2012 07:29 AM

    Sorry for the delay in replying...

    I'm an idiot (hence the request for an idiot's guide); this is unfamiliar ground for me and I was hoping for a spot of hand-holding through this.

    So, the upshot is that my certificate is incomplete (in that it doesn't have a private key contained within). I believe that the x509 certificate IS the .pem file, but I wait to be corrected.

    I'll whiz back to Thawte's website and see if there's more to be pulled from there (it had seemed so simple).

    Many thanks,

    Steve



  • 4.  RE: Importing a Certificate which was not Created using SMG

    Posted Apr 12, 2012 09:03 AM

    I think the primary confusion in the document is that the original private key that was used to generate the Certificate Signing Request (CSR) is needed. Often, the steps used to generate the original CSR are forgotten or some application generated it and did not offer the original private key.

    Here are the steps, reworked a bit:

    You need access to the openssl command, which is open-source software and comes with most versions of Linux; you can likely obtain versions for other OSes on the internet. You may be able to use other certificate-generating software, but our instructions focus on openssl.

    You also need the original private key that was used to generate the Certificate Signing Request (CSR). Once generated, the CSR is sent to the Certificate Authority (CA), who uses the CSR with their own private key to generate the finalized certificate, which contains information from both private keys. The original private key (yours) will often have a passphrase that you will need in order to generate the necessary unlocked key.

      1. Delete the passphrase from the key used to generate the certificate signing request.

          You can use the following openssl command:

          # openssl rsa -in key.pem -out key-nopass.pem

          where key.pem is the input filename of the key, and key-nopass.pem is the output filename for the key without the passphrase. You will need the original private key passphrase for this step.

      2. Create a new text file.

      3. Copy the certificate you obtained from the Certificate Authority into the new file (the main cert).

      4. Below the certificate, copy the information from step 1 into the new file so it has the contents of both the main cert as well as the key-nopass.pem.

      5. Save the new file locally.

      6. Import the file into the Control Center.


    If you do not have the original private key passphrase, you will not be able to complete the steps above (unless it has no passphrase to begin with). The original private key is something that should remain secure; you may want to delete the version without the passphrase when the steps are completed and store the original in a safe place.


    Hopefully that helps you complete the steps.