SSL Certificate Import to ssa.jks Failed


Article ID: 103467


Updated On:

Products

CA Service Operations Insight (SOI)

Issue/Introduction

I have downloaded some new digi-certs that work with Chrome. I deleted the old certs from the ssa.jks and imported the new ones. I am now getting an error message: "Unsupported protocol. The client and server don't support a common SSL protocol version or cipher suite."

Cause

- The certificate file was in p7b (PKCS#7) format, which carries certificates only and never a private key
- The ssa.jks file therefore contained only the certificate and no private key, so Tomcat had nothing it could use to complete a TLS handshake

Environment

Release:
Component: SOIMGR

Resolution

1) Open the p7b file that contains the SSL certificates (Windows opens it in the certificate viewer), right-click the opened file and convert it to X.509 format; the certificates will be extracted into multiple files in X.509 format, typically the server certificate plus one or more intermediate CA certificates.


2) Use the following openSSL command to create a pfx file that contains the certificate together with its private key. The p7b never contains the private key, so the key must be the one that was generated together with the CSR the new certificate was issued for.
     

    NOTE: OpenSSL is an open source third-party utility which can be downloaded from the internet.
  

    C:\openSSL>openssl pkcs12 -export -out ssa.pfx -inkey <path to>\yourkey.key -in <path to>\your.crt -certfile <path to additional crt>\yoursecond.crt 
  

    NOTE: yourkey.key, your.crt and yoursecond.crt need to be replaced with the actual key and certificate file names and their paths. The certificate extension can be crt, cer or something else. your.crt is the server certificate itself; yoursecond.crt is the additional (typically intermediate CA) certificate extracted from the p7b, so that the chain is served together with the server certificate. 

3) Once the pfx file is created you can create the ssa.jks file and import the certificates and the key into it. Use the keytool command from the CA\SOI\jre-64\bin folder to do it:
   

     keytool -importkeystore -srckeystore <path to >\ssa.pfx  -srcstoretype pkcs12 -destkeystore <path to>\ssa.jks   -deststoretype jks
   

   Enter destination keystore password: <type catalyst>
   Re-enter new password:<type catalyst>
   Enter source keystore password: <type catalyst>
   

-- Here is what you'll see when the command is successful

   Entry for alias 1 successfully imported.
   Import command completed:  1 entries successfully imported, 0 entries failed or
   cancelled

   NOTE: Enter the password as catalyst; this is the default password SOI uses. If you change it to something else you will have to update a few SOI files to reflect it. The password and the alias name in the keystore file can always be changed later on using the keytool command. Because catalyst is a published default, the private key in ssa.jks is effectively protected only by the file permissions on the keystore, so keep the file readable by the SOI service account alone.


4) The ssa.jks created above will contain the entry under the alias name 1 (the default openssl assigns), which needs to be changed to tomcat using the following command:

   keytool -changealias -keystore <path to>\ssa.jks -alias 1
   Enter destination alias name:  tomcat
   Enter keystore password: <type catalyst>
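The four steps above, as an added example that is not part of the original article or of SOI itself: a POSIX shell script (the same openssl and keytool invocations work from the Windows command prompt) that runs the whole procedure end to end and checks for the two causes listed above. It assumes openssl is on PATH and treats keytool (CA\SOI\jre-64\bin on a real SOI host) as optional, reporting "skipped" when it is absent. In place of the real key and the certificates from the CA it generates throwaway test material: a test CA, a server key, a leaf certificate signed by that CA, and a .p7b bundle, all constructed here. The script also uses openssl's -print_certs as a command-line equivalent of the Windows "convert to X.509" export, and sets the alias with -name tomcat so that step 4 (changealias) is not needed.

```shell
#!/bin/sh
# Added example, not part of the original article: the Resolution steps run
# end to end with checks for the two causes listed above (p7b format, no key).
# Assumed: openssl on PATH; keytool (CA\SOI\jre-64\bin on a real SOI host) is
# optional and the keytool step reports "skipped" if it is not installed.
# The key/cert/p7b files used here are constructed throwaway test material
# standing in for the real key and the certificates downloaded from the CA.
set -eu

WORK="${WORK:-$(mktemp -d)}"
STOREPASS="catalyst"        # SOI default keystore password, per the article

# Constructed input: a test CA, a server key + CSR, a leaf cert signed by the
# CA, and a .p7b bundle (leaf + CA) like the one a CA hands out.
make_test_material() {
  openssl req -x509 -batch -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Test Issuing CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  openssl req -new -batch -newkey rsa:2048 -nodes \
    -subj "/CN=soi.example.test" \
    -keyout "$WORK/yourkey.key" -out "$WORK/your.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/your.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -days 1 \
    -out "$WORK/your.crt" 2>/dev/null
  openssl crl2pkcs7 -nocrl -certfile "$WORK/your.crt" \
    -certfile "$WORK/ca.crt" -out "$WORK/bundle.p7b"
}

# Step 1, openssl equivalent of the "convert to X.509" export: dump every
# certificate in the p7b as PEM (add -inform DER for a binary .p7b).
# Prints the number of certificates found.
extract_p7b() {
  openssl pkcs7 -in "$WORK/bundle.p7b" -print_certs -out "$WORK/chain.pem"
  grep -c 'BEGIN CERTIFICATE' "$WORK/chain.pem"
}

# A p7b carries no private key, so before packaging, check that the key we
# have really matches the server certificate (same SubjectPublicKeyInfo).
# A keystore built with a mismatched or missing key reproduces the
# "no common SSL protocol version or cipher suite" symptom.
key_matches_cert() {
  cert_pub=$(openssl x509 -in "$WORK/your.crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$WORK/yourkey.key" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Step 2: build the pfx with key + server cert + intermediate. -name sets the
# friendly name, which keytool uses as the alias, so step 4 (changealias) is
# not needed. On OpenSSL 3 with an old JRE, add -legacy if keytool refuses
# to read the pfx.
build_pfx() {
  openssl pkcs12 -export -out "$WORK/ssa.pfx" \
    -inkey "$WORK/yourkey.key" -in "$WORK/your.crt" \
    -certfile "$WORK/ca.crt" -name tomcat -passout "pass:$STOREPASS"
}
count_pfx_certs() {
  openssl pkcs12 -in "$WORK/ssa.pfx" -passin "pass:$STOREPASS" -nokeys \
    | grep -c 'BEGIN CERTIFICATE'
}
count_pfx_keys() {
  openssl pkcs12 -in "$WORK/ssa.pfx" -passin "pass:$STOREPASS" -nocerts \
    -nodes | grep -c 'BEGIN .*PRIVATE KEY'
}

# Step 3: import into ssa.jks, then verify the entry is a PrivateKeyEntry
# (a trustedCertEntry means the key is missing). Prints the count, or
# "skipped" when keytool is unavailable.
import_to_jks() {
  if ! command -v keytool >/dev/null 2>&1; then echo skipped; return 0; fi
  rm -f "$WORK/ssa.jks"
  keytool -importkeystore -srckeystore "$WORK/ssa.pfx" -srcstoretype pkcs12 \
    -srcstorepass "$STOREPASS" -destkeystore "$WORK/ssa.jks" \
    -deststoretype jks -deststorepass "$STOREPASS" -noprompt >/dev/null 2>&1
  keytool -list -keystore "$WORK/ssa.jks" -storepass "$STOREPASS" 2>/dev/null \
    | grep -c 'tomcat.*PrivateKeyEntry'
}

make_test_material
echo "certificates in p7b: $(extract_p7b)"
key_matches_cert || { echo "private key does not match your.crt"; exit 1; }
build_pfx
echo "pfx: $(count_pfx_certs) certs, $(count_pfx_keys) key"
echo "jks PrivateKeyEntry 'tomcat': $(import_to_jks)"
```

On a real SOI host, point the three file variables at the extracted certificates and the key that belongs to the CSR, and drop make_test_material. The key_matches_cert check is the one worth keeping in any runbook: the symptom in this article is identical whether the key is absent or simply belongs to a different certificate, and keytool -list showing PrivateKeyEntry rather than trustedCertEntry for the tomcat alias is the quickest confirmation that the import produced a usable keystore.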