Troubleshooting
Problem
Administrators who install custom SSL certificates on Cloud Pak for Security can use this article to troubleshoot and verify common certificate issues.
Symptom
A certificate that does not verify correctly can cause data source outages and communication failures between Cloud Pak for Security and a data source, because applications cannot communicate over the API.
A certificate issue can cause UI outages, or communication issues with backend services.
Environment
Diagnosing The Problem
Read SSL certificate
From the SSH command line, type:
openssl x509 -in cert.cert -text -noout
Note: All the certificate information is displayed.
Unable to Get Issuer Certificate
- From the SSH command line, run:
openssl verify -CAfile cert.pem cert.cert
cert.cert: DC = <info>, DC = <info>, CN = <Subject of the previous member of the certificate chain>
error 20 at 1 depth lookup:unable to get issuer certificate
- Review the certificate chain used by Cloud Pak for Security. Error 20 means that the issuer of the certificate at the reported depth is not present in the file passed to -CAfile. That file must contain every issuer in the chain, that is, the intermediate (issuing) CA certificate and the root CA certificate, not the end-entity certificate alone. Extract the missing certificates as described under Extract the certificate and append them to the CA file.
Note: The certificate must have a .cert, .crt, .pem, or .der file extension.
- Confirm that the certificate is now verifying correctly by running the command:
openssl verify -CAfile cert.pem cert.cert
- The output of the command when the certificate verifies correctly:
cert.cert: OK
- Extract the certificate
- To extract the certificate chain from a PKCS#7 bundle:
- Navigate to the folder where the .p7b file resides.
- To extract the certificates, run the command:
openssl pkcs7 -in certificate.p7b -inform PEM -print_certs -outform PEM -out chain_certificate.pem
- Copy the certificate to a safe location.
- To extract the certificate from a PKCS#12 file:
- Navigate to the folder where the .pfx certificate file resides.
- To extract the certificate (without the private key), run the command:
openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out certificate.crt
Note: -clcerts writes only the end-entity certificate. To obtain the CA certificates from the same file for the -CAfile bundle, run the command again with -cacerts instead of -clcerts.
- Copy the certificate to a safe location.
Invalid Subject within SSL certificate
- Confirm the Console FQDN:
openssl x509 -in cert.cert -text -noout | grep -i cn | grep Subject
The output displays the Subject that the certificate was issued for. TLS clients match the host name against the subjectAltName DNS entries rather than the CN (see the PKI FAQ below), so the SAN extension must also list the FQDN:
Subject: CN=<FQDN the certificate verifies>
- Confirm the FQDN of the host that presents the certificate (the Console, or the data source) and compare it with the Subject:
hostname -f
- Resolving an FQDN and Subject inconsistency:
- Contact your certificate authority (Recommended)
We recommend that you contact your certificate authority and request a new certificate whose "Subject: CN" corresponds to the Console FQDN. Then replace the current invalid SSL certificate with the newly acquired certificate.
- Create a Multi-Domain (SAN) SSL certificate. If you must access the Console from an alternate domain, you can create a SAN SSL certificate that lists every name.
Note: If you use a public certificate authority, a multi-domain certificate can cover only public domain names; a public certificate authority cannot issue a certificate for a non-public name such as '.local'.
Expired Certificate
- From the SSH command line, run:
openssl verify -CAfile cert.pem cert.cert
cert.cert: C = <info>, O = <info>, CN = <Subject of the previous member of the chain>
error 10 at 0 depth lookup:certificate has expired
- To confirm the expiration of the certificate, type:
openssl x509 -in cert.cert -text -noout | grep -A2 Validity
        Validity
            Not Before: <Certificate issue date>
            Not After : <Certificate expiration date>
Note: If you installed an Intermediate Certificate, you need to confirm the expiration for the intermediate file too.
- Resolution for an expired certificate.
You need to contact your certificate authority and request a new certificate bundle. Then, install the new certificate chain.
Resolving The Problem
The Domain name and TLS certificates documentation covers domain name (DN) requirements, certificate requirements, wildcard certificates, creating your own CA, generating a TLS certificate with OpenSSL, and certificate replacement.
When needed, the Cloud Pak for Security certificate can be replaced.
PKI FAQ:
- Is a root CA only (one level, with no intermediate) required?
No, there is no requirement for a root CA only. See Updating your Cloud Pak for Security TLS certificates for instructions.
- CRL support with LDAP, HTTP, HTP
- Algorithm support: TLS 1.3 needs the following extensions (OpenSSL):
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
- Are there limitations on KeyUsage?
ExtKeyUsage requires serverAuth.
WARNING: Especially when a cluster certificate is used, there might be issues with KeyUsage and ExtKeyUsage.
- Certificate validity period?
Maximum 398 days.
- Must certificates use SubjectAltNames with a DNS name rather than an IP address?
Yes. An IP address does not work: there is no route for it, and applications return URLs that contain the hostname.
Related Information
Document Location
Worldwide
Product: IBM Cloud Pak for Security, Version 1.10.0; Line of Business: Security Software; Category: Support > Administration Task; Platform: Platform Independent
Document Information
Modified date:
25 May 2023
UID
ibm16991401