Problem with the Certificate Export

Article ID: 50541


Issue/Introduction

The following commands have been executed:

TSS GENCERT(PROD) DIGICERT(DC01) SUBJECTN('CN="DC01-AN2010" - 
C="FR" ST="PARIS" L="PARIS" O="PARIS" OU="RBIS"') - 
KEYSIZE(2048)

TSS GENREQ(PROD) DIGICERT(DC01) -
DCDSN(HQL.TSSADMIN.DC01) LABLCERT('DC01')

The dataset 'HQL.TSSADMIN.DC01' was then sent to a higher-level trusted certificate authority to be signed. After signing, the certificate was added back into TSS as follows:

TSS REM(PROD) DIGICERT(DC01)

TSS ADD(PROD) DIGICERT(DC01) -
DCDSN(HQL.TSSADMIN.DC01) TRUST

TSS ADD(PROD) KEYRING(KRPROD01) RINGDATA(PROD,DC01) -
USAGE(PERSONAL) TRUST DEFAULT

After executing the TSS commands above, the application no longer worked. The following error message was received:

Funtion <gsk_secure_socket_init> : Error GSK 428 (Key entry does not contain a private key).

Environment

Component: AWAGNT

Resolution

The following sequence of commands loses the private key:

TSS GENCERT(PROD) DIGICERT(DC01) SUBJECTN('CN="DC01-AN2010" - 
C="FR" ST="PARIS" L="PARIS" O="MY PARIS" OU="RBIS"') - 
KEYSIZE(2048)

TSS GENREQ(PROD) DIGICERT(DC01) -
DCDSN(HQL.TSSADMIN.DC01) LABLCERT('DC01')

TSS REM(PROD) DIGICERT(DC01)

TSS ADD(PROD) DIGICERT(DC01) -
DCDSN(HQL.TSSADMIN.DC01) TRUST

TSS ADD(PROD) KEYRING(KRPROD01) RINGDATA(PROD,DC01) -
USAGE(PERSONAL) TRUST DEFAULT

When you run TSS GENREQ to get the certificate signed, the private key is not exported as part of the PKCS#10 request that is built and written to the dataset.

This is not a bug; it is designed to work this way. The private key remains in the security file.

The private key is reconnected to the certificate when you add the signed certificate back into the security file.

Deleting DC01 with the following command before the signed certificate is re-added:

TSS REM(PROD) DIGICERT(DC01)

therefore loses the private key. It cannot be recovered; you have to generate a new certificate.

You have to add the newly signed certificate under a different DIGICERT name because CA Top Secret will not allow you to add a certificate back using the same DIGICERT name. The commands need to be adjusted to something like the following example:

  1. TSS GENCERT(PROD) DIGICERT(TEMPCERT) SUBJECTN('CN="DC01-AN2010" -
    C="FR" ST="PARIS" L="PARIS" O="MY PARIS" OU="RBIS"') -
    KEYSIZE(2048)

  2. TSS GENREQ(PROD) DIGICERT(TEMPCERT) -
    DCDSN(HQL.TSSADMIN.DC01) LABLCERT('TEMPCERT')

  3. TSS ADD(PROD) DIGICERT(DC01) -
    DCDSN(HQL.TSSADMIN.DC01) TRUST

  4. TSS REM(PROD) DIGICERT(TEMPCERT) <- now that the signed certificate has been re-added and the private key reconnected, the temporary certificate can be deleted. This step is optional.

If you need the private key exported, you should use one of the PKCS12xxx formats. Example:

TSS EXPORT(CERTAUTH) DIGICERT(GROUP) DCDSN(HQL.TSSADMIN.DC01.PKCS12DER) - 
FORMAT(PKCS12DER)

Otherwise, the private key WILL NOT be exported. The password must be specified using the PKCSPASS() option on the EXPORT command.
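The rules this article states (GENREQ leaves the private key in the security file, REM before the signed certificate is ADDed back destroys it, ADD cannot reuse a DIGICERT name that still exists, USAGE(PERSONAL) needs a private key, and only the PKCS12xxx EXPORT formats carry the key and need PKCSPASS) can be checked against a command sequence before the job is submitted. The script below is an added example, not CA/Broadcom code and not part of this article: it never talks to Top Secret, it only parses TSS command text and applies those rules. The two command sequences are constructed from the article's own commands (the PKCSPASS value is a placeholder), and the finding texts, the modelling of key reconnection by matching the DCDSN of an outstanding request, and the treatment of an omitted FORMAT as "not PKCS12" are assumptions of the example.

```python
import re

# Constructed input, not a captured session: the article's sequence that
# loses the private key (continuation lines end in " -", as in TSS).
BROKEN_SEQUENCE = """
TSS GENCERT(PROD) DIGICERT(DC01) SUBJECTN('CN="DC01-AN2010" -
C="FR" ST="PARIS" L="PARIS" O="PARIS" OU="RBIS"') -
KEYSIZE(2048)
TSS GENREQ(PROD) DIGICERT(DC01) -
DCDSN(HQL.TSSADMIN.DC01) LABLCERT('DC01')
TSS REM(PROD) DIGICERT(DC01)
TSS ADD(PROD) DIGICERT(DC01) -
DCDSN(HQL.TSSADMIN.DC01) TRUST
TSS ADD(PROD) KEYRING(KRPROD01) RINGDATA(PROD,DC01) -
USAGE(PERSONAL) TRUST DEFAULT
"""

# Constructed input: the corrected sequence (temporary DIGICERT name) plus a
# PKCS#12 export. The PKCSPASS value is a placeholder, not a real password.
FIXED_SEQUENCE = """
TSS GENCERT(PROD) DIGICERT(TEMPCERT) SUBJECTN('CN="DC01-AN2010" -
C="FR" ST="PARIS" L="PARIS" O="MY PARIS" OU="RBIS"') -
KEYSIZE(2048)
TSS GENREQ(PROD) DIGICERT(TEMPCERT) -
DCDSN(HQL.TSSADMIN.DC01) LABLCERT('TEMPCERT')
TSS ADD(PROD) DIGICERT(DC01) -
DCDSN(HQL.TSSADMIN.DC01) TRUST
TSS REM(PROD) DIGICERT(TEMPCERT)
TSS ADD(PROD) KEYRING(KRPROD01) RINGDATA(PROD,DC01) -
USAGE(PERSONAL) TRUST DEFAULT
TSS EXPORT(PROD) DIGICERT(DC01) DCDSN(HQL.TSSADMIN.DC01.PKCS12DER) -
FORMAT(PKCS12DER) PKCSPASS(placeholder-password)
"""

# KEYWORD optionally followed by (value); a value may be a quoted string.
TOKEN = re.compile(r"([A-Z][A-Z0-9]*)(?:\(((?:'[^']*'|[^()'])*)\))?")


def join_continuations(text):
    """Join physical lines ending in '-' into one logical TSS command each."""
    commands, parts = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("-"):
            parts.append(line[:-1].rstrip())
            continue
        parts.append(line)
        commands.append(" ".join(parts))
        parts = []
    if parts:  # dangling continuation at end of input: keep what we have
        commands.append(" ".join(parts))
    return commands


def parse(cmd):
    """Split 'TSS VERB(acid) KW(value) FLAG ...' into (verb, acid, keywords, flags)."""
    tokens = TOKEN.findall(cmd)
    if len(tokens) < 2 or tokens[0][0] != "TSS":
        raise ValueError(f"not a TSS command: {cmd}")
    verb, acid = tokens[1]
    keywords, flags = {}, set()
    for word, value in tokens[2:]:
        if value:
            keywords[word] = value
        else:
            flags.add(word)  # bare operands such as TRUST, DEFAULT
    return verb, acid, keywords, flags


def check(text):
    """Return a list of findings for a command sequence; an empty list means none."""
    findings = []
    certs = {}    # DIGICERT name -> True if the entry holds a private key
    pending = {}  # DCDSN of an unsigned PKCS#10 request -> DIGICERT that keeps its key
    for cmd in join_continuations(text):
        verb, _acid, kw, _flags = parse(cmd)
        name = kw.get("DIGICERT")
        if verb == "GENCERT":
            certs[name] = True  # new key pair lives in the security file
        elif verb == "GENREQ":
            if not certs.get(name):
                findings.append(f"ERROR: GENREQ DIGICERT({name}) has no private key to build a request from")
            else:
                pending[kw["DCDSN"]] = name  # request goes to DCDSN, key stays behind
        elif verb == "REM" and name is not None:
            if certs.pop(name, None) is None:
                findings.append(f"ERROR: REM DIGICERT({name}) names a certificate that does not exist")
            for dsn in [d for d, holder in pending.items() if holder == name]:
                del pending[dsn]
                findings.append(f"ERROR: REM DIGICERT({name}) destroys the private key for the request in {dsn}; "
                                "it cannot be recovered, so the signed certificate will be unusable")
        elif verb == "ADD" and name is not None:
            if name in certs:
                findings.append(f"ERROR: ADD DIGICERT({name}) reuses a DIGICERT name that still exists")
                continue
            dsn = kw.get("DCDSN")
            holder = pending.pop(dsn, None)
            certs[name] = holder is not None  # key reconnects only while its request is outstanding
            if holder is None:
                findings.append(f"WARNING: ADD DIGICERT({name}) from {dsn} has no matching private key in the security file")
        elif verb == "ADD" and "KEYRING" in kw:
            _ring_acid, ring_cert = kw["RINGDATA"].split(",")
            if kw.get("USAGE", "").upper() == "PERSONAL" and not certs.get(ring_cert):
                findings.append(f"ERROR: KEYRING({kw['KEYRING']}) connects {ring_cert} with USAGE(PERSONAL) but it has "
                                "no private key; expect GSK 428 (Key entry does not contain a private key)")
        elif verb == "EXPORT":
            fmt = kw.get("FORMAT", "default")  # assumption: an omitted FORMAT is not a PKCS12 format
            if fmt.startswith("PKCS12"):
                if "PKCSPASS" not in kw:
                    findings.append(f"ERROR: EXPORT DIGICERT({name}) FORMAT({fmt}) needs PKCSPASS() to protect the private key")
            else:
                findings.append(f"INFO: EXPORT DIGICERT({name}) FORMAT({fmt}) does not include the private key")
    return findings


if __name__ == "__main__":
    for label, seq in (("broken", BROKEN_SEQUENCE), ("fixed", FIXED_SEQUENCE)):
        print(f"{label}: {check(seq) or ['no findings']}")
```

Run against the article's original sequence the check reports the REM that destroys the key, the ADD that consequently has no private key, and the keyring connection that will fail with GSK 428; the corrected sequence with the temporary DIGICERT name produces no findings.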

Generally, you do not want to export a Certificate Authority certificate together with its private key if you are the owner of that CA, because whoever holds the private key can use your certificate authority to sign other certificates. But if the private key must be exported, it can be.