Showing posts with label ssl. Show all posts

20100309

User interface error

Have you ever run into problems like these on your n-th attempt at the SSL signing process?

# openssl rsa -in cakey.pem -out cakey.pem
Enter pass phrase for cakey.pem:
User interface error
unable to load Private Key
26116:error:0906A068:PEM routines:PEM_do_header:bad password read:pem_lib.c:403:

or...

# ./CA.pl -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
User interface error
unable to load CA private key
26676:error:0906A068:PEM routines:PEM_do_header:bad password read:pem_lib.c:403:
Signed certificate is in newcert.pem

The cure is a single pill: one echo into stdin.

ad. 1

# echo | openssl rsa -in cakey.pem -out cakey.pem
Enter pass phrase for cakey.pem:
writing RSA key

ad. 2

# printf "y\ny\n"| ./CA.pl -sign
Using configuration from /usr/lib/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
[...]
Sign the certificate? [y/n]:

1 out of 1 certificate requests certified, commit? [y/n]Write out database with 1 new entries
Data Base Updated
Signed certificate is in newcert.pem
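As an added example (not the post's own code), here is how to avoid the prompt altogether instead of piping answers into it: the same two operations driven with OpenSSL's -passin/-passout (env: source) and a batch signature, so no TTY is ever needed. It assumes a working openssl CLI; the CA_PASS variable, file names and subjects are constructed fixtures. Note that the post's openssl rsa -in cakey.pem -out cakey.pem rewrites the CA key with no cipher option, i.e. unencrypted on disk; the rewrap function below keeps it AES-256 wrapped instead.

```shell
#!/bin/sh
# Added example (not from the original post): drive OpenSSL without a TTY.
# "User interface error" is what you get when openssl has to prompt for a pass
# phrase and cannot open a terminal (cron job, CI, a pipe).  Instead of pushing
# newlines into its stdin, hand the pass phrase over with -passin/-passout and
# answer y/n questions in batch mode.  Everything runs in a throwaway directory
# on constructed data.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Constructed value; in real use read it from a protected file or agent, never a script literal.
export CA_PASS="example-ca-pass"

# 1. Constructed fixture: an AES-256 encrypted CA key (stands in for demoCA/private/cakey.pem).
make_ca_key() {
    openssl genrsa -aes256 -passout env:CA_PASS -out "$WORK/cakey.pem" 2048 2>/dev/null
}

# 2. What the post does with "openssl rsa -in cakey.pem -out cakey.pem", but
#    non-interactively and WITHOUT dropping the encryption: the post's command,
#    having no cipher option, writes the CA key back in the clear.
rewrap_ca_key() {
    openssl rsa -in "$WORK/cakey.pem" -passin env:CA_PASS \
        -aes256 -passout env:CA_PASS -out "$WORK/cakey.new.pem" 2>/dev/null
    grep -q ENCRYPTED "$WORK/cakey.new.pem"          # still encrypted on disk
    openssl rsa -in "$WORK/cakey.new.pem" -passin env:CA_PASS -check -noout >/dev/null 2>&1
}

# 3. The equivalent of "CA.pl -sign" with no prompts: a self-signed CA cert,
#    a constructed server CSR, and a batch signature.  "openssl ca" takes
#    -batch for its y/n questions; "openssl x509 -req" is used here only
#    because it needs no demoCA index/serial files.
sign_request_batch() {
    openssl req -new -x509 -key "$WORK/cakey.pem" -passin env:CA_PASS \
        -subj "/CN=Example Test CA" -days 30 -out "$WORK/cacert.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/server.key" \
        -subj "/CN=server.example" -out "$WORK/server.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/cacert.pem" \
        -CAkey "$WORK/cakey.pem" -passin env:CA_PASS -CAcreateserial \
        -days 30 -out "$WORK/newcert.pem" 2>/dev/null
    # Post-condition: the issued certificate chains to our CA.
    openssl verify -CAfile "$WORK/cacert.pem" "$WORK/newcert.pem" >/dev/null 2>&1
}

# Runs the whole flow; returns 0 only if every step and check passed.
run_demo() {
    make_ca_key && rewrap_ca_key && sign_request_batch \
        && echo "non-interactive signing: ok"
}

run_demo
```

Keep the pass phrase out of shell history and the process list: use env:NAME or file:PATH (with restrictive permissions) rather than pass:secret on the command line, which any local user can read from ps.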

Enjoy.

20090426

Directory Server SSL Certificate

Recently I added an article about SSL configuration of Sun Java Communications Suite components (link).
Today I want to expand its content with Directory Server SSL preparation.

DS comes with a self-signed certificate (valid for three months). Its name is defaultCert, and by default it allows secure connections through port 636.
It's stored in the alias directory under the instance path:

book [/]# ls /instances/ds1/alias
certmap.conf secmod.db slapd-cert8.db slapd-key3.db


book [/instances/ds1/alias]# dsconf get-server-prop -D cn=dirmgr ssl-rsa-cert-name
Enter "cn=dirmgr" password:
ssl-rsa-cert-name : defaultCert

book [/]# /opt/SUNWdsee/ds6/bin/dsadm list-certs /instances/ds1/
Alias Valid from Expires on Self-signed? Issued by Issued to
----------- ---------------- ---------------- ------------ ----------------------------------------------------- --------------
defaultCert 2009/03/18 12:28 2009/06/18 12:28 y CN=book,CN=636,CN=Directory Server,O=Sun Microsystems Same as issuer
1 certificate(s) found

book [/instances/ds1/alias]# /usr/sfw/bin/certutil -L -P slapd- -d .
defaultCert CTu,u,u


But I want to use the same one as the other COMMS components: Server-Cert, issued by the CA.

book [/instances/ds1/alias]# dsadm import-cert /instances/ds1/ /root/SSL/VeriSign.cert.pkcs12
Enter the PKCS#12 file password:
The Directory Server will need to be restarted before being able to use the new certificate.
book [/instances/ds1/alias]# dsadm stop /instances/ds1
Directory Server instance '/instances/ds1' stopped
book [/instances/ds1/alias]# dsadm start /instances/ds1
Directory Server instance '/instances/ds1' started: pid=25150
book [/instances/ds1/alias]# /usr/sfw/bin/certutil -L -P slapd- -d .
defaultCert CTu,u,u
Server-Cert u,u,u

Now I have to change the default RSA certificate name in the DS configuration:

book [~]# dsconf set-server-prop -p 389 -D cn=dirmgr ssl-rsa-cert-name:Server-Cert
Enter "cn=dirmgr" password:
Before setting SSL configuration, export Directory Server data.
Do you want to continue [y/n] ? y
Directory Server must be restarted for changes to take effect.

Restart DS one more time.

That's all folks.

book [~]# dsconf get-server-prop -p 389 -D cn=dirmgr ssl-rsa-cert-name
Certificate "CN=[...]" presented by the server is not trusted.
Type "Y" to accept, "y" to accept just once, "n" to refuse, "d" for more details: Y
Enter "cn=dirmgr" password:
ssl-rsa-cert-name : Server-Cert

20090310

SSL: be prepared

Before you can start with SSL changes at the application level of the configuration, you have to prepare the certificate and its database.
First, the certificate should be converted from PEM to PKCS#12 format.


# openssl pkcs12 -export -in cert.pem -inkey key.rsa -out cert.pkcs12 -name Server-Cert


cert.pem - the certificate issued by the Certificate Authority (CA), either local or public (Thawte, VeriSign, other)
key.rsa - the private key used to sign the Certificate Signing Request (CSR)
cert.pkcs12 - the PKCS#12 output file
Server-Cert - you could use any other name, but in most cases this is the default certificate name (alias) used in the SSL configuration, e.g.:
 
# configutil -o encryption.rsa.nssslpersonalityssl
Server-Cert


Messaging Server

Initialize certificate database:

# msgcert generate-certDB
Choose the Certificate Database password:
Confirm the Certificate Database password:

This creates the database files cert8.db, key3.db, secmod.db and sslpassword.conf, a plain-text file that stores the software token password (the one provided during generation).
Initialization also creates a self-signed certificate with the alias Server-Cert.
Before we start the import we have to remove it, unless a different cert name will be used.

# msgcert remove-cert Server-Cert
Enter the certificate database password:
book [/opt/sun/comms/messaging64/config]# msgcert list-certs
Enter the certificate database password:
Alias Valid from Expires on Self-signed? Issued by Issued to
----- ---------- ---------- ------------ --------- ---------
0 certificates found


Now, let's eat some certificates.

# msgcert import-cert /root/SSL/cert.pkcs12
Enter the PKCS#12 file password:
Enter the certificate database password:

Voilà!

If you need to roll back to a self-signed certificate or renew an expired one, use similar commands:

# msgcert add-selfsign-cert -S "CN=mail.wisnios.com" Server-Cert

# msgcert renew-selfsign-cert Server-Cert


Errors:

· Internal error: NSS error (SEC_PKCS12DecoderUpdate) in importCert:
security library: improperly formatted DER-encoded message. (-8183)
Failed to import the certificate

The certificate file has not been converted from PEM to PKCS#12
(use openssl pkcs12 -export)


· A certificate with the same alias already exists in the database.
Failed to import the certificate

The previously created (self-signed) certificate has not been removed
(use msgcert remove-cert)
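An added example (not from the post) that covers both the PEM to PKCS#12 conversion step above and the first error in this list: it builds cert.pkcs12 with -name Server-Cert non-interactively, then validates the bundle before it is handed to msgcert import-cert or pk12util, rejecting a bare PEM file the way the importer would, only earlier and with a clearer verdict. The key, certificate, subject and the P12_PASS value are constructed fixtures; it assumes the openssl CLI.

```shell
#!/bin/sh
# Added example (not from the original post): produce the PKCS#12 bundle the
# servers expect and check it before importing.  Constructed throwaway key and
# self-signed cert stand in for key.rsa / cert.pem (in the post cert.pem comes
# from the CA).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
# Constructed value; the importer asks for it as "PKCS#12 file password".
export P12_PASS="example-p12-pass"

# Fixture: key.rsa + cert.pem.
make_fixture() {
    openssl req -new -x509 -newkey rsa:2048 -nodes -keyout "$WORK/key.rsa" \
        -subj "/CN=mail.example" -days 30 -out "$WORK/cert.pem" 2>/dev/null
}

# PEM -> PKCS#12 with the alias the servers look up.  Add -certfile chain.pem
# when the issuing CA is not already present in the target NSS database.
make_pkcs12() {
    openssl pkcs12 -export -in "$WORK/cert.pem" -inkey "$WORK/key.rsa" \
        -name Server-Cert -passout env:P12_PASS -out "$WORK/cert.pkcs12"
}

# Returns 0 if FILE is a PKCS#12 bundle whose MAC verifies with $P12_PASS,
# 1 otherwise (a PEM file here is the post's "improperly formatted DER" case).
is_pkcs12() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -noout >/dev/null 2>&1
}

# Returns 0 if the bundle carries exactly one private key and a certificate
# whose friendlyName is NICK, i.e. what msgcert/pk12util will register.
check_bundle() {
    file=$1; nick=$2
    is_pkcs12 "$file" || return 1
    keys=$(openssl pkcs12 -in "$file" -passin env:P12_PASS -nocerts -nodes 2>/dev/null \
           | grep -c 'BEGIN .*PRIVATE KEY' || true)
    [ "$keys" -eq 1 ] || return 1
    openssl pkcs12 -in "$file" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null \
        | grep -q "friendlyName: $nick"
}

make_fixture
make_pkcs12
check_bundle "$WORK/cert.pkcs12" Server-Cert \
    && echo "cert.pkcs12: one private key, alias Server-Cert: ok"
```

Run the check against the exact file you are about to import; a wrong alias shows up here as a failed friendlyName match rather than as the second error above after the database has already been touched.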


Web Server

We can use the same converted file to feed the web server's database.

[/var/opt/SUNWwbsvr7/https-mail.wisnios.com/config]
# /opt/SUNWwbsvr7/bin/pk12util -i /root/SSL/cert.pkcs12 -d .
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password:
Re-enter password:
Enter password for PKCS12 file:
pk12util: PKCS12 IMPORT SUCCESSFUL

[/var/opt/SUNWwbsvr7/https-mail.wisnios.com/config]
# certutil -L -d .
Server-Cert u,u,u

The three comma-separated fields are the SSL, S/MIME and object-signing trust attributes; a 'u' in each means the certificate can be used for that purpose: authentication (SSL, email) and object signing.
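The certutil -L listing above, and the same listing in the Directory Server post, is the place to verify the alias before pointing ssl-rsa-cert-name (or the web server's nickname) at it and restarting. This added example, not part of the post, parses such a listing and checks that the nickname has a 'u' in the SSL slot, which is what shows that the private key came in with the PKCS#12 import; a CA entry such as CT,C,C would fail the check. The sample listing is constructed in the shape of real certutil output, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original post): read "certutil -L -d ." output and
# decide whether a nickname is usable as the server's SSL certificate.
set -eu

# Constructed sample, shaped like real certutil -L output (header included).
CERTUTIL_SAMPLE='Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

defaultCert                                   CTu,u,u
Server-Cert                                   u,u,u
Example Root CA                               CT,C,C'

# Print the trust-flag column for NICK, reading the listing on stdin.
# Nicknames may contain spaces, so the flags are taken as the last field and
# the nickname is everything before it.
trust_flags() {
    awk -v nick="$1" '
        $NF ~ /^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$/ {
            flags = $NF
            sub(/[ \t]+[^ \t]+[ \t]*$/, "")      # drop the trailing flags column
            if ($0 == nick) print flags
        }'
}

# Spell out one slot of the trust string (NSS certutil flag letters).
decode_field() {
    f=$1; out=""
    [ -n "$f" ] || { printf 'none'; return; }
    while [ -n "$f" ]; do
        c=${f%"${f#?}"}; f=${f#?}                # first character, then the rest
        case $c in
            p) w=valid-peer ;;        P) w=trusted-peer ;;
            c) w=valid-CA ;;          C) w=trusted-server-CA ;;
            T) w=trusted-client-CA ;; u) w=user ;;
            w) w=warn ;;              *) w="?$c" ;;
        esac
        out="${out:+$out,}$w"
    done
    printf '%s' "$out"
}

# "CTu,u,u" -> "SSL:trusted-server-CA,trusted-client-CA,user S/MIME:user JAR/XPI:user"
decode_trust() {
    old_ifs=$IFS; IFS=,; set -- $1; IFS=$old_ifs
    printf '%s %s %s\n' "SSL:$(decode_field "${1-}")" \
        "S/MIME:$(decode_field "${2-}")" "JAR/XPI:$(decode_field "${3-}")"
}

# Returns 0 when NICK exists and its SSL slot carries 'u' (private key present
# in the database), which is the precondition for ssl-rsa-cert-name / the web
# server nickname to work after the restart.
server_cert_ready() {
    flags=$(trust_flags "$1")
    [ -n "$flags" ] || return 1
    case "${flags%%,*}" in *u*) return 0 ;; esac
    return 1
}

printf '%s\n' "$CERTUTIL_SAMPLE" | trust_flags Server-Cert   # prints u,u,u
for nick in defaultCert Server-Cert "Example Root CA"; do
    flags=$(printf '%s\n' "$CERTUTIL_SAMPLE" | trust_flags "$nick")
    printf '%-16s %-8s %s\n' "$nick" "$flags" "$(decode_trust "$flags")"
done
printf '%s\n' "$CERTUTIL_SAMPLE" | server_cert_ready Server-Cert \
    && echo "Server-Cert: private key present, safe to configure and restart"
```

In practice feed it the live listing: certutil -L -P slapd- -d /instances/ds1/alias | server_cert_ready Server-Cert for the Directory Server case, or certutil -L -d . from the web server config directory.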

A self-signed cert can be generated with the wadm administration command:

wadm> create-selfsigned-cert --config=mail.wisnios.com --server-name=mail.wisnios.com \
--nickname=Server-Cert --token=internal
CLI201 Command 'create-selfsigned-cert' ran successfully


Application Server (Glassfish)

The same trick works with the application server.

[/opt/SUNWappserver/domains/domain1/config]
# pk12util -i /root/SSL/cert.pkcs12 -d .

[/opt/SUNWappserver/domains/domain1/config]
# certutil -L -n Server-Cert -d .


To change the default instance's SSL configuration, follow these steps:

[https://appserver:4848]

Configurations:
default-config:
HTTP Service:
http-listener-2: (switch to right panel)

[right panel]
SSL:
Certificate NickName: Server-Cert (replace the default s1as entry)


Good luck.