Are Full Chain SSL Certificates supported?
This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
I cannot get my full chain certificate to be accepted by the Omada Controller UI.
The controller UI does accept my single cert + private key in PEM format, but refuses to accept the corresponding full chain cert + private key with the error message "Failed to verify certificate file."
I would strongly prefer the full chain cert instead of the single entity.
I also tried conversion to pfx, but can't get any PFX files accepted. I'm seeing log errors with the PFX cert, but not the PEM certs:
java.io.IOException: parseAlgParameters failed: ObjectIdentifier() -- data isn't an object ID (tag = 48)
- Copy Link
- Subscribe
- Bookmark
- Report Inappropriate Content
I can confirm full chain certs do work. I now have full chain certificates working in both JKS and PFX format (it still looks like PEM does not).
I am using SSL certificates generated by certbot from Let's Encrypt, so I'm using fullchain.pem and privkey.pem as the basis for generating PFX and JKS certificates.
It looks like PFX can be generated directly from the PEM files via the following command:
openssl pkcs12 -export -legacy -inkey privkey.pem -in fullchain.pem -out certificate_legacy.pfx -name eap -passout pass:tplink
I also have a longer sequence of commands to generate a comparable JKS file:
# Source files
FULLCHAIN="${RENEWED_LINEAGE}/fullchain.pem"
PRIVKEY="${RENEWED_LINEAGE}/privkey.pem"
# Created Files
PFX_CERT="${RENEWED_LINEAGE}/certificate.pfx"
KEYSTORE="${RENEWED_LINEAGE}/certificate.jks"
# Parameters
TEMPKEY=tempkey
PASS=tplink
rm -vf "${PFX_CERT}" "${KEYSTORE}"
openssl \
pkcs12 -export \
-inkey "${PRIVKEY}" \
-in "${FULLCHAIN}" \
-out "${PFX_CERT}" \
-name eap \
-passout "pass:${PASS}"
# Create fresh Keystore with seeded with a temp key to be deleted
keytool \
-genkey \
-keyalg RSA \
-alias "${TEMPKEY}" \
-keystore "${KEYSTORE}" \
-dname "CN=Nobody, OU=Nthing, O=Noone, L=Nowhere, S=Nohow, C=US" \
-storepass "${PASS}" \
-keypass "${PASS}"
# Delete the temp key, empty keystore remains
keytool -delete -alias "${TEMPKEY}" -keystore "${KEYSTORE}" -storepass "${PASS}"
# Merge the PFX Certificate + key into the Keystore
keytool \
-v \
-importkeystore \
-srckeystore "${PFX_CERT}" \
-srcstoretype PKCS12 \
-srcstorepass "${PASS}" \
-destkeystore "${KEYSTORE}" \
-deststoretype JKS \
-deststorepass "${PASS}"- Copy Link
- Report Inappropriate Content
Hello @ragejage ,
Let me confirm if you mean it will work properly if you import the file which only contains the private key and public key.
But if you import the file which contains the private key, public key and the Chain, it won't work. Am I correct?
- Copy Link
- Report Inappropriate Content
@Hank21 For PEM files, that is correct.
I am particularly interested in getting at least the intermediate certificate added to the server responses so that tools (e.g. curl, wget) that do not have the capability to lookup an intermediate certificate will still be able to do SSL verification.
Success:
privkey.pem: (private key)
cert.pem: (my public key)
Subject: CN=omada.ragejage.com
Issuer: C=US, O=Let's Encrypt, CN=R3
Error:
privkey.pem (private key)
fullchain.pem: (my public key, the intermediate cert, and the root cert)
[0] Subject: CN=omada.ragejage.com
Issuer: C=US, O=Let's Encrypt, CN=R3
[1] Subject: C=US, O=Let's Encrypt, CN=R3
Issuer: C=US, O=Internet Security Research Group, CN=ISRG Root X1
[2] Subject: C=US, O=Internet Security Research Group, CN=ISRG Root X1
Issuer: C=US, O=Internet Security Research Group, CN=ISRG Root X1
I also have not been able to get a PFX file that should be comparable to my PEM success case to succeed. I am suspicious about my PFX file format / encryption algorithms given the error message I am seeing in the diagnostic logs.
- Copy Link
- Report Inappropriate Content
Hi @ragejage
To better assist you, I've created a support ticket via your registered email address, and escalated it to our support engineer to look into the issue. The ticket ID is TKID230311385, please check your email box and ensure the support email is well received. Thanks!
- Copy Link
- Report Inappropriate Content
@Hank21 I have received the support ticket. Many thanks for your help so far.
- Copy Link
- Report Inappropriate Content
I can confirm full chain certs do work. I now have full chain certificates working in both JKS and PFX format (it still looks like PEM does not).
I am using SSL certificates generated by certbot from Let's Encrypt, so I'm using fullchain.pem and privkey.pem as the basis for generating PFX and JKS certificates.
It looks like PFX can be generated directly from the PEM files via the following command:
openssl pkcs12 -export -legacy -inkey privkey.pem -in fullchain.pem -out certificate_legacy.pfx -name eap -passout pass:tplink
I also have a longer sequence of commands to generate a comparable JKS file:
# Source files
FULLCHAIN="${RENEWED_LINEAGE}/fullchain.pem"
PRIVKEY="${RENEWED_LINEAGE}/privkey.pem"
# Created Files
PFX_CERT="${RENEWED_LINEAGE}/certificate.pfx"
KEYSTORE="${RENEWED_LINEAGE}/certificate.jks"
# Parameters
TEMPKEY=tempkey
PASS=tplink
rm -vf "${PFX_CERT}" "${KEYSTORE}"
openssl \
pkcs12 -export \
-inkey "${PRIVKEY}" \
-in "${FULLCHAIN}" \
-out "${PFX_CERT}" \
-name eap \
-passout "pass:${PASS}"
# Create fresh Keystore with seeded with a temp key to be deleted
keytool \
-genkey \
-keyalg RSA \
-alias "${TEMPKEY}" \
-keystore "${KEYSTORE}" \
-dname "CN=Nobody, OU=Nthing, O=Noone, L=Nowhere, S=Nohow, C=US" \
-storepass "${PASS}" \
-keypass "${PASS}"
# Delete the temp key, empty keystore remains
keytool -delete -alias "${TEMPKEY}" -keystore "${KEYSTORE}" -storepass "${PASS}"
# Merge the PFX Certificate + key into the Keystore
keytool \
-v \
-importkeystore \
-srckeystore "${PFX_CERT}" \
-srcstoretype PKCS12 \
-srcstorepass "${PASS}" \
-destkeystore "${KEYSTORE}" \
-deststoretype JKS \
-deststorepass "${PASS}"- Copy Link
- Report Inappropriate Content
Information
Helpful: 0
Views: 654
Replies: 5
Voters 0
No one has voted for it yet.