AIX

  • 1.  Error importing CA-certificate and testing

    Posted Tue July 20, 2021 01:06 PM

    Hi Guys
    We have imported a CA-Certificate following IBM's doc at https://www.ibm.com/support/pages/ibm-aix-import-ca-certificate
    How can we test on our test server, before we roll it out to the PROD environment, whether the cert import was successful and functional? The test server does not have any connectivity to the outside world.

    Furthermore, I am getting an error while I verify the cert.
    root@aixlab:/var/ssl/certs# openssl verify ZscalerRootCertificate-2048-SHA256.pem
    ZscalerRootCertificate-2048-SHA256.pem: C = US, ST = California, L = San Jose, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Root CA, emailAddress = support@zscaler.com
    error 18 at 0 depth lookup:self signed certificate
    OK
    root@aixlab:

    root@aixlab:/var/ssl/certs# openssl verify ZscalerRootCertificate-2048-SHA256.crt
    ZscalerRootCertificate-2048-SHA256.crt: C = US, ST = California, L = San Jose, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Root CA, emailAddress = support@zscaler.com
    error 18 at 0 depth lookup:self signed certificate
    OK
    root@aixlab:/var/ssl/certs#

    Thanks
    Riz



    ------------------------------
    Rizwan Khaliq
    ------------------------------


  • 2.  RE: Error importing CA-certificate and testing

    Posted Wed July 21, 2021 01:04 PM
    Edited by Mayank Sharma Wed July 21, 2021 01:15 PM
    Hi Rizwan,

    Have you put your certificate under the trusted path (/var/ssl/certs) and generated the link for the hash value as given in the link https://www.ibm.com/support/pages/ibm-aix-import-ca-certificate ?

    I have not seen any issue with verifying a self-signed certificate.
    For example:

    1. Created a self-signed certificate using the following commands (in your case, you have imported it):
    openssl genrsa -out private_key.pem 2048
    openssl req -new -x509 -key private_key.pem -out certificate.pem -days 3650 -sha1 -subj "/C=US/O=KAR/OU=BAN/CN=mayank"
    # openssl x509 -in certificate.pem -text -noout | egrep "Issuer|Subject"
    Issuer: C=US, O=KAR, OU=BAN, CN=mayank
    Subject: C=US, O=KAR, OU=BAN, CN=mayank

    2. Copy certificate.pem to /var/ssl/certs

    3. Calculate the certificate's hash value:
    # openssl x509 -noout -hash -in certificate.pem
    9f5cb542

    4. Create a symbolic link for the hash value
    ln -s /var/ssl/certs/certificate.pem /var/ssl/certs/9f5cb542.0

    5. Run the openssl verify command to verify the self-signed certificate:
    # openssl verify certificate.pem
    certificate.pem: OK


    For more details regarding "error 18 at 0 depth lookup:self signed certificate", see the official openssl documentation:

    https://www.openssl.org/docs/man1.0.2/man1/openssl-verify.html 

    18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate

    the passed certificate is self signed and the same certificate cannot be found in the list of trusted certificates.


    Let us know if you need any further details.

    Thanks 
    Mayank


    ------------------------------
    Mayank Sharma
    ------------------------------
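    An added shell example, not code from this thread or from IBM's document, that does the hash-link installation described above and then checks offline that OpenSSL really trusts the CA, with the trust directory as a parameter so the same check can be rehearsed in a scratch directory before touching /var/ssl/certs on PROD. It assumes an openssl CLI on PATH; the function and argument names are its own.

```shell
#!/bin/sh
# Added example (not from the thread or IBM's doc). Installs a CA into an
# OpenSSL hashed trust directory the way /var/ssl/certs expects and then
# checks, without any network access, that OpenSSL actually trusts it.
# Assumes an openssl CLI on PATH; function and argument names are invented.

# install_ca CA_FILE TRUST_DIR: copy the CA in and create <subject-hash>.N,
# picking the next free N so an existing CA with the same hash is kept.
install_ca() {
    ca_file="$1"; trust_dir="$2"
    subj_hash=$(openssl x509 -noout -hash -in "$ca_file") || return 1
    cp "$ca_file" "$trust_dir/" || return 1
    n=0
    while [ -e "$trust_dir/$subj_hash.$n" ]; do n=$((n + 1)); done
    ln -s "$trust_dir/$(basename "$ca_file")" "$trust_dir/$subj_hash.$n"
}

# check_hash_link CA_FILE TRUST_DIR: succeed only if some <hash>.N link in
# TRUST_DIR resolves to this exact certificate (compared by SHA-256
# fingerprint). A missing or wrong link is the usual cause of "error 18".
check_hash_link() {
    ca_file="$1"; trust_dir="$2"
    subj_hash=$(openssl x509 -noout -hash -in "$ca_file") || return 1
    fp=$(openssl x509 -noout -fingerprint -sha256 -in "$ca_file") || return 1
    for link in "$trust_dir/$subj_hash".[0-9]*; do
        [ -e "$link" ] || continue        # unmatched glob or dangling link
        [ "$(openssl x509 -noout -fingerprint -sha256 -in "$link")" = "$fp" ] && return 0
    done
    echo "no $subj_hash.N link in $trust_dir resolves to $ca_file" >&2
    return 1
}

# verify_with_dir CERT_FILE TRUST_DIR: run openssl verify against TRUST_DIR.
# Use it on the CA itself and, better, on a server certificate issued by it.
verify_with_dir() {
    rc=0; out=$(openssl verify -CApath "$2" "$1" 2>&1) || rc=$?
    # OpenSSL 1.0.2 can print "error N at ... depth" and still say OK with
    # exit status 0 (the output in the first post), so check the text too.
    if [ "$rc" -eq 0 ] && ! echo "$out" | grep -q "^error "; then
        echo "OK: $1 verifies against $2"
    else
        echo "FAIL: $1 does not verify against $2"; echo "$out"; return 1
    fi
}
```

Run check_hash_link and verify_with_dir against a scratch directory first, then against /var/ssl/certs; a FAIL with the link present usually means the link points at a different file or an older OpenSSL hash scheme.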