- This topic has 7 replies, 4 voices, and was last updated 3 years, 10 months ago by
.
-
Topic
-
Hi,
I’ve created a TLS1.2 connection to AWS. I’ve been given their cert and that gets loaded ok. But the AWS side requests our cert and my side is not providing it (according to their logs).
These are both private certs. I’ve specified mine in the private key and password sections, but I get the error that it is unable to load Private Key from file.
This is a .der file I created using the create private key function in clover. I do have the secure messaging add on.
Any thoughts are greatly appreciated!!
-
Replies
-
-
I don’t have a lot of experience with this but it is possible your Certificate needs to reside in the keystore file. You may need to execute keytool from the command line.
Here is an example using cert file as input but I think it can also work with der files. Your institution’s security folks may be able to help.
keytool -importcert -file xxx.der -keystore keystore.jks -alias “Alias”
email: jim.kosloskey@jim-kosloskey.com 29+ years Cloverleaf, 59 years IT - old fart.
-
Thank you Jim – this was extremely helpful!
Using keytool I pulled the cert into the .jks file in /home/hci, but it still doesn’t seem to present the cert to the other side.
This is a client ssl connection – where the other side is expecting to receive their cert from us (that works with the cert file entry), then asks for our cert on our machine that we also shared with them.
It appears Clover doesn’t send the cert. Maybe it has to do with this log entry:
__cSocket: >>>> Set SSL Client to Verify NONE…
I’m baffled too – this seems to be a clover thread / AIX setup thing, but your thoughts were helpful – b/c the .jks wasn’t setup yet…
-
What did you select in the Protocol Security Settings?
I think your choices are ClientAnon Client and ClientAuth. I suspect you want Client.
If you would like to interact off-line on this I will try to assist – email me.
email: jim.kosloskey@jim-kosloskey.com 29+ years Cloverleaf, 59 years IT - old fart.
-
Update – I opened a ticket with support on this and they forwarded to development.
Development suggested using tcp/ip rather than pdl. This didn’t work either.
Support then indicated it was new config and to contact account rep for consulting services.
Will update with an answer once found, but the key issue is why clover doesn’t send my cert when requested?
-
-
Update – thanks to Viken Ohannessian and James McPheron – my errors have been corrected.
Things I missed:
- The CA path and file do not need to be from a CA. Put in the path to the file and the filename for the cert you get from your trading partner
- The public key and private key MUST MATCH. And they must be generated from the same keystore entry. We created a keystore entry with Portecle or Keystore explorer and then exported the public and private keys into pkcs12 files
- We then converted the pkcs12 keys into pem files (Clover TLS needs pem), using openssl commands
I hope that helps…
-
-
- You must be logged in to reply to this topic.
