07-01-2014 8:42 PM
I generated a new Client certificate and sent it to Verisign via our enterprise group and I have received a Verisign certificate. When I attempt to "Import Certificate Response", I get the following error (Long text):
Message no. TRUST057
The following issuer certificate is missing from the database or is marked as inactive: CN=Symantec Class 3 Secure Server CA - G4, OU=Syma
Store the issuer certificate in the database (menu function Certificate -> Export -> Database) and make sure that the certificate is not marked as inactive (menu function Certificate -> Database).
How can I import the intermediate/primary certificates to resolve this problem?
07-02-2014 10:25 PM
I proceeded as follows:
07-01-2014 9:16 PM
With sapgenpse you can do it by specifying all the certificates with -r. I haven't used STRUST to do the same but I think you should be able to import the intermediate and root certificate into the PSE before trying to import the certificate response.
07-01-2014 9:27 PM
Thank you for the response. I'm open to trying it.
Could you give me more details about what command/subcommand to use with sapgenpse?
07-01-2014 9:35 PM
To import the certificate response you use the command import_own_cert, see the documentation for details. Specify -c signedcert -r intermediate -r root.
07-02-2014 6:12 PM
bash-3.2$ export SECUDIR=/usr/sap/<SID>/<Instance>/sec
bash-3.2$ sapgenpse import_own_cert -p <PSENAME> -c /tmp/cert.crt -r /tmp/inter.crt -r /tmp/root.crt
import_own_cert: Installation of certificate failed
ERROR in ssf_install_CA_response: (1280/0x0500) Incomplete FCPath, need certificate of CA : "CN=Symantec Class 3 Secure Server CA - G4, OU=Symantec Trust Network, O=Symantec Corporation, C=US"
ERROR in ssf_install_certs_into_pse: (1280/0x0500) Incomplete FCPath, need certificate of CA : "CN=Symantec Class 3 Secure Server CA - G4, OU=Symantec Trust Network, O=Symantec Corporation, C=US"
Based on your advice, I think I tried it correctly.
Here is where I downloaded Verisign's Root and Intermediate certs:
07-02-2014 9:36 PM
I guess you don't have the correct root and/or intermediate certificates. You can display each certificate with openssl; the chain has to be intact, meaning the subject of the previous certificate has to match the issuer of the latter. You can also try to combine the root and the intermediate certificates in one and use a single -r. I can't help any further without seeing the actual certificate files.
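The chain check described in the reply above, as an added example that is not part of the original thread: a shell function (the name chain_check and the file arguments are assumptions) that walks from the signed certificate to a self-signed root using OpenSSL's subject and issuer name hashes and reports where the chain breaks. It checks name linkage only, not signatures or validity dates.

```bash
#!/usr/bin/env bash
# Added example. Usage: chain_check LEAF.crt CA1.crt [CA2.crt ...]
# PEM files; the CA files may be given in any order.
# Name hashes are compared instead of DN strings, so the different DN
# print order of openssl (C=..., CN=...) and sapgenpse (CN=..., C=...)
# does not matter.
chain_check() {
    local current="$1"; shift
    local want have candidate found depth=0
    while :; do
        want=$(openssl x509 -in "$current" -noout -issuer_hash) || return 2
        have=$(openssl x509 -in "$current" -noout -subject_hash) || return 2
        # Show the names of the certificate currently being examined.
        openssl x509 -in "$current" -noout -subject -issuer
        if [ "$want" = "$have" ]; then
            echo "OK: reached self-signed root: $current"
            return 0
        fi
        # Look for a supplied file whose subject is this certificate's issuer.
        found=""
        for candidate in "$@"; do
            if [ "$(openssl x509 -in "$candidate" -noout -subject_hash 2>/dev/null)" = "$want" ]; then
                found="$candidate"
                break
            fi
        done
        if [ -z "$found" ]; then
            echo "MISSING: none of the supplied files is the issuer of $current" >&2
            return 1
        fi
        current="$found"
        depth=$((depth + 1))
        if [ "$depth" -gt 10 ]; then
            echo "chain too long or looping" >&2
            return 2
        fi
    done
}

# Run directly when file arguments are given.
if [ "$#" -ge 2 ]; then chain_check "$@"; fi
```

A MISSING result means the issuer printed on the preceding lines is not among the files supplied, which is the same condition sapgenpse reports as "Incomplete FCPath".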
07-02-2014 9:49 PM
07-02-2014 9:52 PM
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
1f:35:ef:32:7c:44:07:34:8d:bd:9a:9e:e7:e2:1f:e7
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4
Validity
Not Before: Jul 1 00:00:00 2014 GMT
Not After : Jul 2 23:59:59 2015 GMT
Subject: <redacted>
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Alternative Name:
DNS:<redacted>
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Certificate Policies:
Policy: 2.16.840.1.113733.1.7.54
User Notice:
Explicit Text: https://d.symcb.com/rpa
X509v3 Authority Key Identifier:
keyid:5F:60:CF:61:90:55:DF:84:43:14:8A:60:2A:B2:F5:7A:F4:43:18:EF
X509v3 CRL Distribution Points:
Full Name:
URI:http://ss.symcb.com/ss.crl
Authority Information Access:
OCSP - URI:http://ss.symcd.com
CA Issuers - URI:http://ss.symcb.com/ss.crt
Signature Algorithm: sha256WithRSAEncryption
07-01-2014 9:31 PM
The UI is also a bit tricky between the left context pane, the top right work area and the bottom right "clipboard" area for imports / exports.
This has tricked me several times before, although I could see the data in the bottom right pane. You still have to save it after uploading it.
Cheers,
Julius