Agent will not start, fails with java.security.cert.CertificateParsingException: signed fields invalid

Article ID: 274721


Products

CA Automic Workload Automation - Automation Engine, CA Automic One Automation, Automic SaaS

Issue/Introduction

The agent cannot start, and the cause appears to be related to the certificate. The agent log shows something like the following:

20231003/153515.960 - U02000378 Loading certificates from directory: 'C:\Automic\Automation.Platform\Agents\certificates'.
20231003/153515.991 - U02000377 Certificate loaded from file 'jcp.cer'.
20231003/153515.991 - U02000376 Could not parse certificate 'C:\Automic\Automation.Platform\Agents\certificates\certificate_name_01.example.com.pfx'. Please make sure that the certificate is in PEM format.
20231003/153515.991 - java.security.cert.CertificateParsingException: signed fields invalid
20231003/153515.991 - U02000376 Could not parse certificate 'C:\Automic\Automation.Platform\certificates\certificate_name_01.example.com.pfx'. Please make sure that the certificate is in PEM format.
20231003/153515.991 - java.security.cert.CertificateParsingException: signed fields invalid

Environment

Release : 21.0.8

Resolution

The log shows the agent trying to load a .pfx file:

20231003/153515.991 - U02000376 Could not parse certificate 'C:\Automic\Automation.Platform\Agents\certificates\certificate_name_01.example.com.pfx'. Please make sure that the certificate is in PEM format.
...
20231003/153515.991 - U02000376 Could not parse certificate 'C:\Automic\Automation.Platform\certificates\certificate_name_01.example.com.pfx'. Please make sure that the certificate is in PEM format.

The agent is trying to load a .pfx file, which is a truststore file instead of a certificate. To resolve this, the certificate chain should be re-exported from the PKCS12 keystore that the JCP is using.

There are a couple of ways to do this, and a security admin should be involved. Possible ways are listed below:

Keystore Explorer (the one that's not bundled with a JRE):

  1. Using Keystore Explorer, open the keystore the JCP uses
  2. Right-click on the alias in the keystore
  3. Choose Export -> Export Certificate Chain
  4. Be sure that the Export Length is set to "Entire Chain" and export the file
  5. Use this file on the agent servers for the certificate.

Using a browser to export the certificate

Another way to get the certificate is to navigate in a browser to the JCP endpoint and export it from the browser. For instance, in Chrome:

  1. Navigate to the endpoint in Chrome and click on the lock icon next to https (or, if the customer is using a self-signed certificate, click on "Not secure")
  2. Click the arrow next to "Site is secure" or, if the customer is using a self-signed certificate, choose the popout from "Certificate is not valid"
  3. Go to the Details tab and view the certificate
  4. Click on the "Export" button in the lower right and save the certificate as a .pem or .crt file

 

Other methods

There are also ways to extract certificates from keystores using openssl and the command line, but you'll want to talk to a security admin about the best way to do that. The certificate does need to be in .pem format rather than .pfx.

One other thing to take note of is that the Java used to create the JCP's keystore and to export the certificate (in the case of Keystore Explorer or the command line) needs to be the same version, and should be either Java version 8 or 11, whichever the JCP is using.
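A pre-flight check for the PEM requirement described above, written as an added example (not Broadcom's or the agent's own code): it classifies every file in a certificate directory by its outer framing, so a .pfx or DER file is caught before the agent is started. It also flags PEM files that carry a private key block. The file names and sample bytes in `demo()` are constructed placeholders.

```python
import base64
import re
import tempfile
from pathlib import Path

# One PEM block: BEGIN line, base64 body, matching END line.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

def classify(data: bytes) -> str:
    """Classify a file by its outer framing only (no signature or trust checks)."""
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        # DER certificates and PKCS#12 (.pfx/.p12) both start with an ASN.1
        # SEQUENCE tag (0x30); neither is PEM.
        return "binary-asn1" if data[:1] == b"\x30" else "unknown"
    if any(b"PRIVATE KEY" in label for label, _ in blocks):
        return "pem-with-private-key"
    certs = [body for label, body in blocks if label == b"CERTIFICATE"]
    if not certs:
        return "pem-no-certificate"
    for body in certs:
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return "pem-corrupt"
        if der[:1] != b"\x30":
            return "pem-corrupt"
    return "pem-chain"

def scan_directory(cert_dir: str) -> dict:
    """Map each file name in the certificate directory to its classification."""
    return {p.name: classify(p.read_bytes())
            for p in sorted(Path(cert_dir).iterdir()) if p.is_file()}

def demo() -> dict:
    # Constructed sample bytes: framing only, not real certificates or keystores.
    fake_der = b"\x30\x82\x01\x0a" + bytes(60)
    b64 = base64.encodebytes(fake_der)  # base64 wrapped in lines, ends with \n
    pem = b"-----BEGIN CERTIFICATE-----\n" + b64 + b"-----END CERTIFICATE-----\n"
    with tempfile.TemporaryDirectory() as d:
        Path(d, "jcp_chain.pem").write_bytes(pem + pem)
        Path(d, "keystore.pfx").write_bytes(fake_der)
        Path(d, "notes.txt").write_bytes(b"readme")
        return scan_directory(d)

if __name__ == "__main__":
    for name, kind in demo().items():
        print(f"{name}: {kind}")
```

Any result other than `pem-chain` for a file in the agent's certificate directory means the file should be re-exported or removed before starting the agent.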