Error importing CA-certificate and testing

  • 1.  Error importing CA-certificate and testing

    Posted 3 days ago

    Hi Guys
    We have imported a CA-Certificate following IBM's doc at https://www.ibm.com/support/pages/ibm-aix-import-ca-certificate
    How can we test on our test server, before we roll it out to the PROD environment, whether the cert import was successful and functional? The test server does not have any connectivity to the outside world.

    Furthermore, I am getting an error when I verify the cert.
    root@aixlab:/var/ssl/certs# openssl verify ZscalerRootCertificate-2048-SHA256.pem
    ZscalerRootCertificate-2048-SHA256.pem: C = US, ST = California, L = San Jose, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Root CA, emailAddress = support@zscaler.com
    error 18 at 0 depth lookup:self signed certificate
    OK
    root@aixlab:

    root@aixlab:/var/ssl/certs# openssl verify ZscalerRootCertificate-2048-SHA256.crt
    ZscalerRootCertificate-2048-SHA256.crt: C = US, ST = California, L = San Jose, O = Zscaler Inc., OU = Zscaler Inc., CN = Zscaler Root CA, emailAddress = support@zscaler.com
    error 18 at 0 depth lookup:self signed certificate
    OK
    root@aixlab:/var/ssl/certs#

    Thanks
    Riz



    ------------------------------
    Rizwan Khaliq
    ------------------------------


  • 2.  RE: Error importing CA-certificate and testing

    Posted 2 days ago
    Edited by Mayank Sharma 2 days ago
    Hi Rizwan,

    Have you put your certificate under the trusted path (/var/ssl/certs) and generated the link for the hash value as given in the link - https://www.ibm.com/support/pages/ibm-aix-import-ca-certificate ?

    I have not seen any issue with verifying a self-signed certificate.
    For example -

    1. Created a self-signed certificate using the following commands (in your case, you have imported it) -
    openssl genrsa -out private_key.pem 2048
    openssl req -new -x509 -key private_key.pem -out certificate.pem -days 3650 -sha1 -subj "/C=US/O=KAR/OU=BAN/CN=mayank"
    # openssl x509 -in certificate.pem -text -noout | egrep "Issuer|Subject"
    Issuer: C=US, O=KAR, OU=BAN, CN=mayank
    Subject: C=US, O=KAR, OU=BAN, CN=mayank

    2. Copy certificate.pem to /var/ssl/certs

    3. Calculate the certificate's hash value -
    # openssl x509 -noout -hash -in certificate.pem
    9f5cb542

    4. Create a symbolic link for the hash value
    ln -s /var/ssl/certs/certificate.pem /var/ssl/certs/9f5cb542.0

    5. Run the openssl verify command to verify the self-signed certificate -
    # openssl verify certificate.pem
    certificate.pem: OK


    For more details regarding "error 18 at 0 depth lookup:self signed certificate", you can find the details in the official openssl documentation -

    https://www.openssl.org/docs/man1.0.2/man1/openssl-verify.html 

    18 X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: self signed certificate

    the passed certificate is self signed and the same certificate cannot be found in the list of trusted certificates.


    Let us know if you need any further details.

    Thanks 
    Mayank


    ------------------------------
    Mayank Sharma
    ------------------------------
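
Added example, not part of the thread or of IBM's documentation: the import steps from the reply above (copy, hash, symlink) run against a constructed root CA and a constructed certificate it issued, inside a temporary directory and with no network access. The function names, subjects and file names are assumptions; because the first post's output shows "error 18" followed by "OK", the check looks for error lines instead of relying on the final "OK".

```sh
#!/bin/sh
# Added example: offline test of a hashed CA directory. Every file and
# subject name below is constructed and lives in a temporary directory.

# Pass only if openssl prints no "error N" line for CERT ($2) against CAPATH ($1).
# The thread shows "error 18" followed by "OK", so the final "OK" is not trusted.
verify_clean() {
    out=$(openssl verify -CApath "$1" "$2" 2>&1) || return 1
    case "$out" in *"error "[0-9]*) return 1 ;; esac
    return 0
}

# Install CERT ($2) into CAPATH ($1) as in the reply: copy, hash, symlink.
install_ca() {
    cp "$2" "$1/" || return 1
    h=$(openssl x509 -noout -hash -in "$2") || return 1
    ln -s "$1/$(basename "$2")" "$1/$h.0"
}

run_demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/certs" || return 1
    # Constructed self-signed root standing in for the imported CA.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/O=Example Lab/CN=Constructed Test Root" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null || return 1
    # Constructed server certificate issued by that root.
    openssl req -newkey rsa:2048 -nodes -subj "/O=Example Lab/CN=test.invalid" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 30 -sha256 -out "$d/leaf.pem" 2>/dev/null || return 1

    # Before the hash link exists, neither certificate chains to a trusted root.
    verify_clean "$d/certs" "$d/ca.pem"   && r1=ok || r1=fail
    verify_clean "$d/certs" "$d/leaf.pem" && r2=ok || r2=fail
    install_ca "$d/certs" "$d/ca.pem" || return 1
    # After it, the root and anything it issued verify with no network access.
    verify_clean "$d/certs" "$d/ca.pem"   && r3=ok || r3=fail
    verify_clean "$d/certs" "$d/leaf.pem" && r4=ok || r4=fail
    rm -rf "$d"
    echo "$r1 $r2 $r3 $r4"
}

run_demo
```

On the test server, calling `verify_clean /var/ssl/certs` with a certificate issued by the imported CA gives the same offline answer for the real trust directory.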