Reputation: 21
On my free trial account (cvtf1), I had a key store that has been working fine for many months with self-signed certificates. I tried today to create a new key store (Bca...) by uploading a client key and certificate. But the upload fails with: Upload keys
{
"code" : "messaging.config.beans.CertNotFound",
"message" : "Cert with name : /tmp/extract6784335744378261087.tmp/myCert.pem not found in key store : {1} in env : {2}",
"contexts" : [ ]
}
Please note that I've checked that the JAR upload is valid. If I replace my new cert+key with the old one by applying the same process (and names), it works fine.
The differences are in the certificates:
Old one working fine:
Public Key Algorithm: rsaEncryption - Public-Key: (1024 bit)
Signature Algorithm: sha1WithRSAEncryption
Valid for ten years
new one - failed:
Public Key Algorithm: rsaEncryption - Public-Key: (2048 bit)
X509v3 extensions:
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage: critical
TLS Web Client Authentication
Signature Algorithm: sha256WithRSAEncryption
Valid for one day
I respect the limit of 2048 bits. Is there any reason why it fails?
Another question: Do you support TLS 1.2 between Apigee Proxy and the target endpoints?
Thanks in advance for your responses.
Regards
Fr
Upvotes: 1
Views: 1842
Reputation: 21
Topic closed - issue found - extended attribute with OID as long integer is the root cause
Upvotes: 0
Reputation: 21
To all:
- In the jar: 2 files => cert and key
- Files are myCert.pem and myKey.pem (as specified in META-INF / Descriptor)
- The built archive works fine with cert and key when 1024 size is used (so I believe my build process is valid)
- For cert / key md5 uniqueness: valid. I always check with (openssl x509 -noout -modulus -in myCert.pem | openssl md5 ; openssl rsa -noout -modulus -in myKey.pem | openssl md5) | uniq
- Thanks for the answer about TLS1.2.
It really seems the issue is about the upload of the cert file. When I upload such a cert, could the "not found" be raised due to a constraint on the cert TTL (one day)?
Regards
Fr
Upvotes: 0
Reputation: 11
In your descriptor.properties inside the "jar" did you specify just the certificate file name or the complete path? Can you specify just the certificate and private key file name without the path?
Kind regards,
PB
Upvotes: 1
Reputation: 1025
Apigee Edge currently uses Java 6 which does not support TLS 1.2. Best way to confirm this is try TLSv1 with your new certificate.
Upvotes: 1
Reputation: 66
Apigee Edge supports key sizes up to 2048 bits.
Can you do the following openssl commands to verify if the md5 of the cert and the key are the same:
openssl x509 -noout -modulus -in certificate.crt | md5
openssl rsa -noout -modulus -in privateKey.key | md5
If the md5 is the same then the key belongs to the cert.
Upvotes: 1
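The modulus comparison that both the poster and this answer describe, together with the key-size and critical-extension review from the question, as an added pre-upload check script (not part of the thread and not Apigee's own tooling). It assumes an OpenSSL with "req -addext" (1.1.1 or later) and generates a constructed one-day, 2048-bit self-signed client certificate named myCert.pem / myKey.pem like the one in the question.

```shell
#!/bin/sh
# Added example: sanity checks to run on a cert/key pair before packaging it
# for a key store upload. Everything below uses only the openssl CLI.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: 2048-bit RSA key and a one-day self-signed client cert
# with the same critical extensions the question lists.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=example-client" \
        -keyout "$WORK/myKey.pem" -out "$WORK/myCert.pem" \
        -addext "basicConstraints=critical,CA:FALSE" \
        -addext "keyUsage=critical,digitalSignature,keyEncipherment" \
        -addext "extendedKeyUsage=critical,clientAuth" >/dev/null 2>&1
}

# MD5 of the RSA modulus. "openssl md5" is used instead of md5/md5sum so the
# same command works on macOS and Linux. $1 = x509 or rsa, $2 = PEM file.
modulus_md5() {
    openssl "$1" -noout -modulus -in "$2" | openssl md5 | awk '{print $NF}'
}

# Returns 0 when the private key belongs to the certificate, 1 otherwise.
cert_key_match() {
    [ "$(modulus_md5 x509 "$1")" = "$(modulus_md5 rsa "$2")" ]
}

# Prints the public key size in bits (the answer states Edge accepts up to 2048).
key_bits() {
    openssl x509 -noout -text -in "$1" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Prints the X509v3 extensions flagged critical, one per line, so unexpected
# or unsupported extensions are visible before the upload is attempted.
critical_extensions() {
    openssl x509 -noout -text -in "$1" | sed -n 's/^ *\(X509v3 [^:]*\): critical.*/\1/p'
}

make_sample
if cert_key_match "$WORK/myCert.pem" "$WORK/myKey.pem"; then
    echo "key matches cert; public key is $(key_bits "$WORK/myCert.pem") bits"
else
    echo "key does NOT match cert" >&2
fi
echo "critical extensions:"
critical_extensions "$WORK/myCert.pem"
```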