Troubleshooting
Problem
When using sudo cert-import to import a new SSL certificate into IBM Resilient, the command fails with the error:
"Certificate reply does not contain public key for <co3>" "Failed to establish chain from reply"
Cause
This error occurs because the private key in /crypt/certs/keystore does not match the private key that was used to create the Certificate Signing Request (CSR), and therefore does not match the signed SSL certificate.
This can happen in a few scenarios:
- The CSR was created externally to IBM Resilient and the private key used is not present in /crypt/certs/keystore
- The private key and all certificates were imported as detailed in Importing a PEM certificate with private key, but there is a problem with the files
- An existing SSL certificate was repurposed for /crypt/certs/keystore
Diagnosing The Problem
Check that the CSR and certificate are from the same private key.
Export the private key from /crypt/certs/keystore as detailed in How can I extract my private key from IBM Resilient?
Print the md5 hash of the SSL Certificate modulus:
$ openssl x509 -noout -modulus -in CERTIFICATE.crt | openssl md5
Print the md5 hash of the CSR modulus:
$ openssl req -noout -modulus -in CSR.csr | openssl md5
Print the md5 hash of the Private Key modulus:
$ openssl rsa -noout -modulus -in PRIVATEKEY.key | openssl md5
The values returned from these commands must be the same. When this error message appears, the modulus for the certificate and the modulus for the private key are different.
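The three comparisons above can be run as a single check. The script below is an added example, not part of the original technote or of IBM Resilient; it assumes RSA keys (as the commands above do), and its file names and the subject soar.example.invalid are constructed test values.

```shell
# Print the MD5 digest of the RSA modulus in FILE ($2); KIND ($1) is x509, req or rsa.
# An unreadable file returns 2 so that two empty outputs are never reported as a match.
modulus_md5() {
    m=$(openssl "$1" -noout -modulus -in "$2" 2>/dev/null) || return 2
    [ -n "$m" ] || return 2
    printf '%s\n' "$m" | openssl md5
}

# check_match CERT CSR KEY: return 0 when all three share one modulus,
# 1 when the certificate or CSR differs from the key, 2 when a file cannot be read.
check_match() {
    cert_h=$(modulus_md5 x509 "$1") || { echo "cannot read certificate: $1"; return 2; }
    csr_h=$(modulus_md5 req "$2") || { echo "cannot read CSR: $2"; return 2; }
    key_h=$(modulus_md5 rsa "$3") || { echo "cannot read private key: $3"; return 2; }
    rc=0
    [ "$cert_h" = "$key_h" ] || { echo "certificate does not match private key"; rc=1; }
    [ "$csr_h" = "$key_h" ] || { echo "CSR does not match private key"; rc=1; }
    if [ "$rc" -eq 0 ]; then echo "certificate, CSR and private key match"; fi
    return "$rc"
}

# Constructed throwaway test material in DIR ($1): a key, its CSR, a certificate
# self-signed from that CSR, and an unrelated second key.
make_sample() {
    openssl genrsa -out "$1/good.key" 2048 2>/dev/null
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
    openssl req -new -key "$1/good.key" -subj "/CN=soar.example.invalid" -out "$1/sample.csr" 2>/dev/null
    openssl x509 -req -in "$1/sample.csr" -signkey "$1/good.key" -days 1 -out "$1/sample.crt" 2>/dev/null
}

# Demo: the matching key passes; the unrelated key reproduces the mismatch behind the import error.
d=$(mktemp -d)
make_sample "$d"
check_match "$d/sample.crt" "$d/sample.csr" "$d/good.key"
check_match "$d/sample.crt" "$d/sample.csr" "$d/other.key" || true
rm -rf "$d"
```

To check real files, call check_match CERTIFICATE.crt CSR.csr PRIVATEKEY.key with the key exported from /crypt/certs/keystore.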
Resolving The Problem
Find out how the CSR was created, how the CSR was signed, and so forth.
If the CSR was created externally to IBM Resilient, then obtain the private key from whoever signed the CSR and check that the modulus matches the certificate. Then, use Importing a PEM certificate with private key to import the certificates along with the private key.
Ultimately, running sudo cert-req to create a new CSR, which is then signed, ensures that the private key in /crypt/certs/keystore matches the public key in the CSR, so the modulus values are consistent.
Document Location
Worldwide
Document Information
Modified date:
10 October 2023
UID
ibm16346846