Network Certificate Import Problem / p12 or copy and paste of cert / private key

Created: 18 Apr 2013 | 3 comments
Hi there,

Over the last year I used a free Class1 certificate from StartCom SSL for my Universal Server running 3.2.x in our lab environment. In March 2013 this certificate for the network interface expired, so I fetched a new one with the same conditions from StartCom, but in 3.30_MP1 I'm not able to import it by copy/paste like:

END Cert

optionally with or without passphrase protection. I also tried to import both things combined as a .p12: I enter the passphrase but "nothing" happens, no error message such as "could not import". If I enter a wrong passphrase just for fun, then it says "wrong passphrase".

I'm about to test this on the CLI with the pgpkeymaint tool; I think it can be imported there too.

I wonder if any of you have had these problems in 3.3.0_MP1. Last year I imported the certificate by copy/paste as described above, but this time I'm not able to do this.

Side question: this Universal Server is running standalone. If you have a cluster running and want to exchange SSL certificates while the cluster is running, I think the cluster gets broken, or? Are there any recommended steps if you have a cluster running and those members are surely using the SSL certificate currently assigned to the interface for their :444 communication? Perhaps the cluster has to be opened again, or perhaps each cluster member has to be shut down, exchanged like a "standalone" and then allowed to communicate again? Just as a side question; perhaps there's a KB article as well.

In my case here, I experience the behaviour when trying to exchange on standalone or on cluster. I just don't see any "error" in the log, strange.


Generate a new certificate signing request and get that signed by StartCom SSL again. Once finished, import that certificate in PKCS12 format to Universal Server. Also, about the cluster: both UN servers will have different TLS certificates.

If using a CSR, the private key stays in Universal, so only the .PEM would be imported, or the final certificate renamed as .CRT, so it won't be PKCS12 format.

I tested this last week too but it didn't work, so I decided to generate both externally on StartCom SSL and tried via copy/paste (key + certificate) or combined as a final PKCS12 file.

I wonder why copy/paste worked in the older 3.2.x version.

So if you have a running cluster, you would exchange the certificate the same way while the cluster is running? The cluster communication would then stop briefly during the change of the interface's certificate.

At the moment I just want to import first; assigning will happen later. It's just strange that no message comes up, e.g. "import wrong" or whatever...

Will try again with a CSR and let you know.



Generated the CSR again; again, after signing by StartCom SSL, it wasn't accepted as a certificate. It said "check admin log", but the admin log was empty.

I then used the same CSR and fetched a 30-day trial SSL cert from GeoTrust; this time the import worked.

So something is wrong here with the certificate I obtained.

The funny thing is: 1 year ago I fetched exactly the same certificate from StartCom SSL and I still have that old expired SSL certificate, and the best thing would be to compare the old expired one with the new one and also the GeoTrust one to see what the differences are...
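
The comparison suggested in the last post can be done field by field with the `openssl` command line. This is an added example, not part of the original thread. The function names and file names are hypothetical, and the two certificates are constructed self-signed samples (same key, different signature hash), not the StartCom or GeoTrust ones.

```sh
#!/bin/sh
# Added example: compare the fields of two PEM certificates that commonly
# decide whether an appliance accepts an import.

# Constructed sample data: two self-signed certificates over the same RSA key
# that differ in signature hash (SHA-256 vs SHA-384).
make_sample_certs() {
    dir=$1
    subj="/CN=keys.example.test"   # placeholder subject
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "$subj" -keyout "$dir/key.pem" -out "$dir/a.pem" 2>/dev/null
    openssl req -x509 -new -key "$dir/key.pem" -sha384 -days 30 \
        -subj "$subj" -out "$dir/b.pem" 2>/dev/null
}

# One line per field of interest: signature algorithm, key size, issuer,
# validity dates and the names of the X.509v3 extensions present.
cert_summary() {
    openssl x509 -in "$1" -noout -text |
        grep -E 'Signature Algorithm:|Public-Key:|Issuer:|Not (Before|After)|X509v3 [A-Za-z ]+:' |
        sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' | sort -u
}

# Print only the summary lines that differ ("<" first cert, ">" second cert).
# Succeeds whether or not differences exist; fails only if diff itself fails.
cert_diff() {
    left=$(mktemp)
    right=$(mktemp)
    cert_summary "$1" > "$left"
    cert_summary "$2" > "$right"
    diff "$left" "$right" && rc=0 || rc=$?
    rm -f "$left" "$right"
    [ "$rc" -le 1 ]
}

# Demo on the constructed samples.
tmp=$(mktemp -d)
make_sample_certs "$tmp"
cert_diff "$tmp/a.pem" "$tmp/b.pem"
rm -rf "$tmp"
```

Run `cert_diff` pairwise over the old certificate, the rejected one and the accepted one. Lines that set the rejected certificate apart from both of the others are the first candidates for why the import fails.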