AES 3rd Party Certificate, Intermediate and Root - Invalid Certificate chain

[mattKnight]

Morning,
AES 8.0.1 patch 2
I'm struggling with adding a 3rd part signed certifcate to an AES server.
CSR was generated from a different server as I need (strongly prefer) a SAN entry in certificates and there is no way to generate a CSR from the GUI with a SAN. I'm also required to include an email address in the DN / subject.

CSR is signed by an intermediate certificate. I have both this intermediate and the root CA available
I've tested the signed certificate P12 file on a "spare" web-server and, ignoring the obvious hostname mis-matches, it works well.

When I try to apply this certificate to the relevant AES server I receive an "Invalid Certificate Chain" error.
1) I've added and confirmed that the intermediate root and the root CA are in the Trusted Certificates store on the AES
2) I've done a stare and compare of the new certificate and other certficates in use on other AES servers. The differences are
[ul]
[li]Working certs do not have an intermediate root. IOW are signed directly by the root CA[/li]
[li]Working certs only have a simple DN of CN=FQDN. Non working has a full DN (CN, OOU,O,L,st,c,EMAILADDRESS) applied[/li]
[li]Working certs do not have a SAN. Non working has a SAN (DNS:FQDN,DNS:hostname,IP:ipaddr)
[/ul]

Because the error message is "Invalid Certificate Chain" I'm guessing that the AES is struggling with teh use of an intermediate certificate, but I can find no documents that define the requirements (or restrictions) for an AES certificate.

Anybody have any ideas on how to fix this or am I stuck with having to use a certificate signed directly by the CA (which is for many reasons a poor solution)?

Take Care

Matt
I have always wished that my computer would be as easy to use as my telephone.
My wish has come true. I no longer know how to use my telephone.

 

[kyle555]

are the intermediate and root cert in the p12 chain?

Despite AES trusting those CAs, Are the 2 CA certs in the p12?

There's openssl to deconstruct and reconstruct that.

I know with the SBC that I open a notepad, paste the intermediate pem -----BEGIN CERTIFICATE------- to --------END CERTIFICATE--------- and then underneath paste the root ca, save it as a single pem, and use that for the CA cert for the pem/key I'm importing to the SBC.

maybe openssl tearing apart the key, the cert, the ca certs, and rewrapping it into a p12 with a single CAcert of a pem text file with the 2 certs in there would help.
Or, same thing, but specifying 2 CAcerts when creating the p12 would help.

That's what I'd try

 

[G van Hamburg]

Using keystore explorer to do that is alo a good option. Makes it more visible.

Freelance Certified Avaya Aura Engineer

 

[mattKnight]

I've had to move on with this - I raised a CSR from the AES GUI with the Emnail attribute (CN,OU,O,L,st,c,EMAILADDRESS). Examining the CSR shows that the EMAILADDRESS attribute was removed (CN, OOU,O,L,st,c)
I got an exception toi teh reuqirement for an email address from the authority and the signe certifcate uploaded ok.

As the certifcate chain is indentical to the previous attempt, I reckon the intermediate CA was not the issue and therefore either the EMAILADDRESS attribute in the DN or usinga SAN was the issue. As i said, I'm not really able to spend anymore time on making this work (with a SAN and email attribvute) right now; although I'd like to know in the longer term

G van Hamburg - I tend to use the java keytool for most manipulations

Thanks for all the help

Tek-Tips

Tek-Tips Forums is an intelligent work forum community for Information Technology professionals.

www.tek-tips.com

Take Care

Matt
I have always wished that my computer would be as easy to use as my telephone.
My wish has come true. I no longer know how to use my telephone.