How to confirm that the certificate on the cache server is correct.
Description
How to confirm that the certificate on the cache server is correct.
Resolution
First, convert the working .p12 file to PEM format.
> openssl pkcs12 -in mycert.p12 -out mycert.pem
It will prompt for the import password. That's the password on the .p12 file. Then it will prompt twice for a password for the PEM file. You can use the same password for the PEM file as you did for the .p12 file.
Convert the par root certificate to PEM format. The parRootCA.crt file is downloaded from the Details tab under User Management for a user of type Cache User, using the “Download TPAM Root Certificate” button.
> openssl x509 -in RootCA.crt -inform der -out RootCA.pem
Now, enter the following command:
> openssl s_client -connect <cacheIP>:443 -cert mycert.pem -CAfile RootCA.pem
This will prompt you for the password that you put on the PEM file. The IP address after -connect is the IP address of the cache server.
This will output quite a bit of information. There should be a list of "Acceptable client certificate CA names". This is the list of trusted root certs installed on the cache server.
Use of the RootCA file is optional. It is only used to avoid certificate verification errors. In the log file, you can see that the list of client certificate CA names is still displayed even when the RootCA file is not used.
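To check the result without reading the output by eye, the following added example (not part of the original article) extracts the "Acceptable client certificate CA names" list from s_client output and tests whether the client certificate's issuer is in it. The function names, the sample transcript and the DNs in it are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm the issuer of the client certificate is among the
# CA names the cache server advertises in the s_client output.

# Print the DNs listed under "Acceptable client certificate CA names".
# Reads s_client output on stdin. The list ends at the next section line
# ("---" or a "Label: value" header). If the server sent no CA names,
# the header is absent and nothing is printed.
acceptable_ca_names() {
    awk '
        /^Acceptable client certificate CA names/ { in_list = 1; next }
        in_list && (/^---/ || /^[A-Za-z ]+:/)     { in_list = 0 }
        in_list && NF { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, ""); print }
    '
}

# Succeed if the issuer DN ($1) is in the CA list of the transcript on stdin.
# $1 may be the raw line printed by "openssl x509 -noout -issuer".
issuer_is_accepted() {
    issuer=$(printf '%s\n' "$1" | sed -e 's/^issuer=//' -e 's/^ *//')
    acceptable_ca_names | grep -Fx -- "$issuer" >/dev/null
}

# Constructed sample of the relevant part of s_client output (not real data).
sample_transcript() {
cat <<'EOF'
---
Acceptable client certificate CA names
C = US, O = Example Corp, CN = Example TPAM Root CA
C = US, O = Example Corp, CN = Example Issuing CA 2
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
---
SSL handshake has read 3012 bytes and written 421 bytes
EOF
}

# Demo on the constructed transcript. Against a live server, pipe in the
# output of the s_client command above instead of sample_transcript, and
# take the issuer from: openssl x509 -in mycert.pem -noout -issuer
issuer='issuer=C = US, O = Example Corp, CN = Example TPAM Root CA'
if sample_transcript | issuer_is_accepted "$issuer"; then
    echo "issuer is in the list advertised by the cache server"
else
    echo "issuer is NOT in the list advertised by the cache server"
fi
```

The comparison is an exact string match, so take the issuer and the s_client output from the same OpenSSL build; different versions print DNs in different formats.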
I also have some information regarding the proper procedure for assigning and unassigning the certificate. You will want to ensure that it is assigned properly to the cache server.
When you upload a trusted root via “Management > Cache Servers > Manage Trusted Roots”, the cert is merely uploaded to and stored in the TPAM console.
If you want to assign an uploaded trusted root to a cache server, do this via “Management > Cache Servers > Manage Cache Servers”, select the appropriate cache server in the Listing tab, then select the Root Certificates tab. Check the Assigned box and Save Changes to have that trusted root installed on the selected cache server. Uncheck the Assigned box and Save Changes to have that trusted root removed from the selected cache server.