06-13-2011 11:54 AM - edited 03-09-2019 11:33 PM
Hi Faisel,
I have gone through the document which you gave me when I opened a TAC case with you, as well as on CSC.
Today I was at the customer site and generated a certificate using OpenSSL according to your document.
CAS IP is 10.100.100.101
CAM IP is 10.100.222.101
After downloading the cert folder from the CAS using WinSCP, I got 3 files:
1. June11Certificate.crt
2. June11PrivateKey
3. June11Certificate.csr
I tried to install June11Certificate.crt on the CAS from the local drive (files downloaded from the CAS) and got the following error:
Encountered error while initialinzing SSL connections...Unable to connect to manager,HTTP/1.1/403 access denied No trusted certificate found
Please check the attached process I used to generate the certificate with OpenSSL, and the error message I got as mentioned above.
Please let me know how I can solve this issue.
Regards
Ahmed...
06-14-2011 12:30 AM
Hi Ahmed,
The certificates you signed from the CAS CLI using OpenSSL are self-signed.
If you issue a cert for the CAS and one for the CAM in this way (each issued to the respective Service IP), on top of importing these certs on the respective devices under the "X509 certificate" page, you should also install the CAM cert on the CAS among the "Trusted Certificate Authorities" page and vice-versa.
In the end you will have:
* CAS:
- X509 Certificate: CAS cert (public + private key)
- Trusted Certificate Authorities : CAM cert (public key only)
* CAM:
- X509 Certificate: CAM cert (public + private key)
- Trusted Certificate Authorities : CAS cert (public key only)
I hope this helps.
Regards,
Federico
--
If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.
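The trust layout described in the reply above, as an added example (not part of the thread or of Cisco's documentation): two throwaway self-signed certs stand in for the CAS and CAM, and `openssl verify` stands in for each device's trust check. File names and the temp directory are constructed for the illustration, and the appliances' own validation may differ in detail.

```shell
#!/usr/bin/env bash
# Added illustration; file names and the temp directory are constructed.
WORK="$(mktemp -d)"

# new_self_signed NAME IP: write NAME.key / NAME.crt, self-signed, CN = service IP
new_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# validates STORE CERT: succeeds only if CERT is accepted against STORE
validates() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

report() {
    if validates "$2" "$3"; then echo "$1: OK"; else echo "$1: no trusted certificate"; fi
}

new_self_signed cas 10.100.100.101     # CAS service IP from the thread
new_self_signed cam 10.100.222.101     # CAM service IP from the thread

# "Trusted Certificate Authorities": each side holds the peer's public cert only
cp "$WORK/cam.crt" "$WORK/cas_trusted.pem"
cp "$WORK/cas.crt" "$WORK/cam_trusted.pem"

report "CAS validates CAM" "$WORK/cas_trusted.pem" "$WORK/cam.crt"
report "CAM validates CAS" "$WORK/cam_trusted.pem" "$WORK/cas.crt"

# Replace the CAS cert (for example a renewal) without touching the CAM trust list
new_self_signed cas_new 10.100.100.101
report "CAM validates renewed CAS (stale trust list)" "$WORK/cam_trusted.pem" "$WORK/cas_new.crt"

# Import the renewed CAS cert on the CAM side
cp "$WORK/cas_new.crt" "$WORK/cam_trusted.pem"
report "CAM validates renewed CAS (after import)" "$WORK/cam_trusted.pem" "$WORK/cas_new.crt"
```

Because each cert is self-signed, the peer's trust list must contain that exact cert; a renewed cert with the same subject but a new key is rejected until it is imported on the other side.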
06-14-2011 01:10 AM
Hi Federico,
I already have the CAM cert in Trusted Authorities on the CAS. Since it's the default Perfigo cert and is valid till 2033, I didn't generate an OpenSSL cert on the CAM; I just generated one on the CAS, as its cert was expiring.
As per my understanding, I should generate the OpenSSL cert on the CAS and install it on the CAS first (under the X509 Cert section), and then go to the CAM and import it. Please correct me if I am wrong.
Thanks & Regards
Ahmed...
06-14-2011 01:13 AM
Hi Ahmed,
Yes, that is correct and it will allow the CAM to validate the CAS certificate.
Make sure that the opposite direction is also configured, meaning that the CAS is able to validate the CAM certificate.
What type of cert do you have on the CAM?
Is it also a self-signed cert?
Is this cert (for the CAM) installed on the CAS' Trusted Certificate Authority?
Thanks,
Federico
--
If this answers your question please mark the question as "answered" and rate it, so other users can easily find it.
06-14-2011 02:10 AM
Hi,
Yes, it is self-signed from the CAM, and yes, it is in the CAS under Trusted Certificate Authority.
What I was trying to do, after generating the cert on the CAS, was this:
first install it on the CAS, and then I was supposed to import the CAS cert on the CAM.
But I got the mentioned error while installing the CAS-generated cert on the CAS itself, so I could not go ahead with importing it to the CAM.
But when I generated a temporary cert from the CAS GUI and imported it to the CAM, it worked okay; they can communicate with each other (CAS and CAM) and it shows the new expiry date.
Please let me know if you need some output or the real files which were generated after the OpenSSL procedure on the CAS.
Regards
Ahmed...