Are Full Chain SSL Certificates supported?

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2023-03-01 06:21:02 - last edited 2023-03-29 08:05:25
Model: OC200  
Hardware Version:
Firmware Version: 2.7.7 Build 20221206 Rel.58608

I cannot get my full chain certificate to be accepted by the Omada Controller UI.

 

The controller UI does accept my single cert + private key in PEM format, but refuses to accept the corresponding full chain cert + private key with the error message "Failed to verify certificate file."

 

I would strongly prefer the full chain cert instead of the single entity.

 

I also tried conversion to pfx, but can't get any PFX files accepted. I'm seeing log errors with the PFX cert, but not the PEM certs:

 java.io.IOException: parseAlgParameters failed: ObjectIdentifier() -- data isn't an object ID (tag = 48)

#1
Accepted Solution
Re: Are Full Chain SSL Certificates supported? - Solution
2023-03-24 04:19:02 - last edited 2023-03-29 08:05:25

I can confirm full chain certs do work. I now have full chain certificates working in both JKS and PFX format (it still looks like PEM does not).

 

I am using SSL certificates generated by certbot from Let's Encrypt, so I'm using fullchain.pem and privkey.pem as the basis for generating PFX and JKS certificates.

 

It looks like PFX can be generated directly from the PEM files via the following command:

openssl pkcs12 -export -legacy -inkey privkey.pem -in fullchain.pem -out certificate_legacy.pfx -name eap -passout pass:tplink

I also have a longer sequence of commands to generate a comparable JKS file:

#!/bin/sh
# Meant to run as a certbot deploy hook: certbot exports RENEWED_LINEAGE,
# the directory that holds the freshly renewed fullchain.pem and privkey.pem.
set -eu

# Source files
FULLCHAIN="${RENEWED_LINEAGE}/fullchain.pem"
PRIVKEY="${RENEWED_LINEAGE}/privkey.pem"

# Created files
PFX_CERT="${RENEWED_LINEAGE}/certificate.pfx"
KEYSTORE="${RENEWED_LINEAGE}/certificate.jks"

# Parameters
TEMPKEY=tempkey
PASS=tplink

rm -vf "${PFX_CERT}" "${KEYSTORE}"

# Bundle the private key and the full chain into a PKCS12 (PFX) file
openssl \
    pkcs12 -export \
    -inkey "${PRIVKEY}" \
    -in "${FULLCHAIN}" \
    -out "${PFX_CERT}" \
    -name eap \
    -passout "pass:${PASS}"

# Create a fresh keystore seeded with a temp key that is deleted below
keytool \
    -genkey \
    -keyalg RSA \
    -alias "${TEMPKEY}" \
    -keystore "${KEYSTORE}" \
    -dname "CN=Nobody, OU=Nthing, O=Noone, L=Nowhere, S=Nohow, C=US" \
    -storepass "${PASS}" \
    -keypass "${PASS}"

# Delete the temp key; an empty keystore remains
keytool -delete -alias "${TEMPKEY}" -keystore "${KEYSTORE}" -storepass "${PASS}"

# Merge the PFX certificate + key into the keystore
keytool \
    -v \
    -importkeystore \
    -srckeystore "${PFX_CERT}" \
    -srcstoretype PKCS12 \
    -srcstorepass "${PASS}" \
    -destkeystore "${KEYSTORE}" \
    -deststoretype JKS \
    -deststorepass "${PASS}"
#6
Re: Are Full Chain SSL Certificates supported?
2023-03-02 08:46:25

Hello @ragejage

 

Let me confirm: do you mean that it works properly if you import the file which only contains the private key and public key,

but if you import the file which contains the private key, public key and the chain, it won't work? Am I correct?

Best Regards! >> Omada EAP Firmware Trial Available Here << >> Get the Latest Omada SDN Controller Releases Here << *Try filtering posts on each forum by Label of [Early Access]*
#2
Re: Are Full Chain SSL Certificates supported?
2023-03-03 04:47:06

@Hank21 For PEM files, that is correct.

 

I am particularly interested in getting at least the intermediate certificate added to the server responses, so that tools (e.g. curl, wget) that do not have the capability to look up an intermediate certificate will still be able to do SSL verification.

 

Success:

privkey.pem: (private key)
cert.pem: (my public key)
  Subject: CN=omada.ragejage.com
  Issuer: C=US, O=Let's Encrypt, CN=R3

Error:

privkey.pem: (private key)
fullchain.pem: (my public key, the intermediate cert, and the root cert)
  [0] Subject: CN=omada.ragejage.com
      Issuer: C=US, O=Let's Encrypt, CN=R3
  [1] Subject: C=US, O=Let's Encrypt, CN=R3
      Issuer: C=US, O=Internet Security Research Group, CN=ISRG Root X1
  [2] Subject: C=US, O=Internet Security Research Group, CN=ISRG Root X1
      Issuer: C=US, O=Internet Security Research Group, CN=ISRG Root X1


I also have not been able to get a PFX file that should be comparable to my PEM success case to succeed. I am suspicious about my PFX file format / encryption algorithms given the error message I am seeing in the diagnostic logs.

#3
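The subject/issuer walk the poster did by hand above, as an added example that is not part of the thread: a POSIX shell check that a PEM bundle such as certbot's fullchain.pem is ordered leaf first with each certificate issued by the one after it, which is the property a controller or client needs from a chain file. It relies only on openssl and awk; the three-tier test chain (Example Root, Example Intermediate, omada.example.test) and the deliberately mis-ordered bundle are constructed on the fly and are not the poster's certificates.

```shell
#!/bin/sh
# Added example, not code from the thread. check_chain verifies the property a
# bundle like certbot's fullchain.pem must have before it is handed to the
# controller: leaf first, each certificate issued by the one that follows it.
set -eu

# Split PEM bundle $1 into cert01.pem, cert02.pem, ... inside directory $2.
split_pem() {
    awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert%02d.pem", dir, n) }
        f != "" { print > f }  /-----END CERTIFICATE-----/ { close(f); f = "" }' "$1"
}

# Return 0 if every certificate's issuer equals the subject of the next one,
# 1 (with the first mismatch printed) otherwise.
check_chain() {
    dir=$(mktemp -d); expected=""
    split_pem "$1" "$dir"
    for c in "$dir"/cert*.pem; do
        subject=$(openssl x509 -in "$c" -noout -subject | sed 's/^subject=//')
        issuer=$(openssl x509 -in "$c" -noout -issuer | sed 's/^issuer=//')
        if [ -n "$expected" ] && [ "$subject" != "$expected" ]; then
            echo "chain break at $c: expected '$expected', found '$subject'"
            rm -rf "$dir"; return 1
        fi
        expected=$issuer
    done
    rm -rf "$dir"
}

# Constructed three-tier test chain (root -> intermediate -> leaf) in a temp dir;
# prints the dir. Also writes misordered.pem with the intermediate placed first.
make_test_chain() {
    d=$(mktemp -d); printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Example Root' \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Example Intermediate' \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=omada.example.test' \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -CAcreateserial -out "$d/leaf.pem" 2>/dev/null
    cat "$d/leaf.pem" "$d/int.pem" "$d/root.pem" > "$d/fullchain.pem"
    cat "$d/int.pem" "$d/leaf.pem" "$d/root.pem" > "$d/misordered.pem"
    echo "$d"
}
```

Run `check_chain /etc/letsencrypt/live/<name>/fullchain.pem` against a real lineage; a non-zero exit and a "chain break" line tell you which certificate is out of place before the controller's "Failed to verify certificate file" does.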
Re: Are Full Chain SSL Certificates supported?
2023-03-07 08:36:18

Hi @ragejage

 

To better assist you, I've created a support ticket via your registered email address, and escalated it to our support engineer to look into the issue. The ticket ID is TKID230311385, please check your email box and ensure the support email is well received. Thanks!

Best Regards!
#4
Re: Are Full Chain SSL Certificates supported?
2023-03-07 14:54:29

@Hank21 I have received the support ticket. Many thanks for your help so far.

#5