-
Titolo
Certificate trust issues can occur with mobile browsers and federated service providers when Cloud Access Manager serves up an incomplete certificate chain -
Descrizione
Mobile browsers and federated service providers can fail to trust the CAM SSL certificate if it is sent by the CAM server without accompanying signing certificates and where those certificates are not in the Trusted Certificate Authorities store of the client browser or other consumer. This results in the browser issuing a certificate warning and/or blocking access to the CAM site or the federated trust failing.This has been experienced with the Go Daddy G2 certificate chain and the Salesforce OAuth2 API authentication path, however the issue is not necessarily limited to those two. -
Causa
If a web server sends an incomplete certificate chain the client browser or other consumer needs to perform extra downloads to retrieve the missing certificates to validate the trust chain; desktop browsers do this reliably but mobile browsers or federated service providers may fail, or not even try, depending on their implementation.
-
Risoluzione
Prerequisites:This example uses the OpenSSL tool and Keytool utilities to create a PKCS12 keystore for import into Cloud Access Manager.OpenSSL is available online here: https://www.openssl.org/The Keytool utility is installed with the Cloud Access Manager proxy and can be found at C:\Program files\Dell\Cloud Access Manager Proxy\j2sdk\jre\binYou will also need to have access to the proxy server's file system.
Steps:Note: This has to be done for a proxy that has a certificate individually. One can not be copied to another.
1 - Export the existing signed this-server certificate from the Cloud Access Manager proxy cacerts keystore as a PFX - you will be asked for the Source keystore password to complete this task, it is "changeit"; this contains the certificate and private key:keytool -v -importkeystore -srckeystore cacerts -srcalias this-server -destkeystore thisserver.p12 -deststoretype PKCS12
The location of the cacerts keystore is "C:\Program Files\Dell\Cloud Access Manager Proxy\j2sdk\jre\lib\security\cacerts"
2 - Convert the PKCS12 to PEM format - keeping the private key intact:
openssl pkcs12 -in thisserver.p12 -out thisserver.pem -nodes -clcertsBefore adding the required Certificate Authority root and/or intermediate certificate(s) to the chain it may be necessary to convert them to PEM format – only perform this step if the certificates are NOT already in PEM format (e.g. you have a CRT or CERT file) or you will corrupt your chain:
openssl x509 -in trusted_ca.cer -inform DER -out trusted_ca.pemThe trusted_ca.pem file should be saved in the directory openssl is run from in the cmd prompt. If you cannot find it,please try specifying a directory e.g.openssl x509 -in trusted_ca.cer -inform DER -out c:\temp\trusted_ca.pem3 - Concatenate the PEM files into a single file on the command line:
type thisserver.pem trusted_ca.pem >> thisserverchain.pem4 - Create the PKCS12 keystore (in this example the private key is already contained in the PEM so there is no need to use the -inkey option but if your private key is separate then add '-inkey filename.key' to this command):
openssl pkcs12 -export -in thisserverchain.pem -out thisserverchain.p12This keystore can now be uploaded to Cloud Access Manager using the ‘Import PKCS12/PFX file’ option on the Manage Certificates page of Settings in the Admin UI. The updated certificate will replace your existing certificate if one is already installed.
-
Informazioni aggiuntive
The trusted_ca.cer file referenced is the intermediate certificate that is provided by your issuer. It gets converted to a .pem file which can be read by the type command. Afterwards it gets converted back to a pkcs12 file so it can be imported into Cloud Access Manager.