sasi

Reputation: 534

Error when creating Server Certificate - X509 Certificate Based Authentication in IBM Worklight 6.2

I am developing a project in IBM Worklight 6.2 targeting Android and iOS. My project should use X509 Certificate based authentication. I am using Windows 7 OS, and following this PDF to:

  1. Create Root CA
  2. Create Signing CA
  3. Create Server Certificate
  4. Create certificate chain for the server certificate
  5. Export a PKCS12 file for the signing CA
  6. Export a PKCS12 file for the server certificate

I have installed openssl-0.9.8h-1-setup on Windows, so I got openssl.cnf inside C:\Program Files (x86)\GnuWin32\share. With the help of this config file, I have successfully created the Root CA. Next, when I try to sign the Signing CA, it throws a message. The command and the messages are as follows:

openssl ca -in signingca\signing_ca.csr -out signingca\signing_ca.crt -keyfile rootca\root_ca_key.pem -cert rootca\root_ca.crt -config openssl.cnf -name root_authority_ca_config -extensions signing_authority -md sha512 -days 365 -passin pass:passRoot

Using configuration from openssl.cnf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
commonName            :PRINTABLE:'Development Signing CA'
The mandatory countryName field was missing

With this message, it creates and signs the Signing CA.

Next I am trying to create the server certificate, where it shows the error message. The code and the error message are as follows:

#REM Sign the CSR with the signing CA
openssl ca -in server\server.csr -out server\server.crt -keyfile signingca\signing_ca_key.pem -cert signingca\signing_ca.crt -config openssl.cnf -name signing_authority_ca_config -extensions server_identity -md sha512 -days 365 -passin pass:passSigning

It throws the following message, and it is unable to sign the Server CA.

Using configuration from openssl.cnf
unable to load certificate
4716:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting:
TRUSTED CERTIFICATE

I need to know how to solve this!

Upvotes: 1

Views: 4284

Answers (1)

Daniel A. González

Reputation: 1225

The second error appears because the Root CA certificate failed to be properly generated, so it is saying that it could not find a trusted certificate for it. After you fix the first error, the other ones should work.

The first error happens because something is missing in your openssl.cnf file. In your configuration, you have to specify which fields are optional for you and which are required. As shown in slide 18 in the User Certificate Authentication Getting started guide, you specify each one in the policy_match section like this:

[ policy_match ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

Make sure you add all the configuration options specified in each of the separate slides to your openssl.cnf, or alternatively, use the openssl.cnf supplied in the provided sample project that has all the configuration already there.

Upvotes: 5
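
A pre-flight check for the two failures discussed above, as an added example that is not from the original post or the Worklight guide: it applies a policy section's match/supplied/optional rules to a request subject, and checks that a file passed to `-cert` holds a PEM certificate start line. The strict policy text, the empty CA subject and the function names are constructed assumptions; the relaxed section is the one quoted in the answer.

```python
import re

# Constructed strict section (an assumption; the asker's openssl.cnf is not shown).
STRICT_CNF = """[ policy_match ]
countryName = match
commonName = supplied
"""
# The relaxed section quoted in the answer above.
RELAXED_CNF = """[ policy_match ]
countryName = optional
stateOrProvinceName = optional
localityName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
"""

def parse_policy(cnf_text, section):
    """Return {field: rule} for one [ section ] of openssl.cnf-style text."""
    rules, current = {}, None
    for raw in cnf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        head = re.fullmatch(r"\[\s*([\w.]+)\s*\]", line)
        if head:
            current = head.group(1)
        elif current == section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            rules[key] = value
    return rules

def check_subject(policy, csr_subject, ca_subject):
    """List (field, reason) pairs that would fail the CA policy check."""
    problems = []
    for field, rule in policy.items():
        have = csr_subject.get(field)
        if rule in ("match", "supplied") and have is None:
            problems.append((field, "missing"))
        elif rule == "match" and have != ca_subject.get(field):
            problems.append((field, "mismatch"))
    return problems

def has_pem_certificate(text):
    """True if text has a start line that a PEM certificate loader accepts."""
    return re.search(r"-----BEGIN (?:TRUSTED |X509 )?CERTIFICATE-----", text) is not None

if __name__ == "__main__":
    csr = {"commonName": "Development Signing CA"}  # subject shown in the question
    for cnf in (STRICT_CNF, RELAXED_CNF):
        print(check_subject(parse_policy(cnf, "policy_match"), csr, {}))
```

Running `has_pem_certificate` on the contents of signingca\signing_ca.crt before the server-signing step shows whether the earlier step left a usable certificate behind.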
