IBM Support

Cloud Pak for Security: Troubleshooting Certificates

Troubleshooting


Problem

Administrators who install custom SSL certificates on Cloud Pak for Security can use this article to troubleshoot and verify common certificate issues.

Symptom

A certificate that does not verify correctly can cause data source outages and break communication between Cloud Pak for Security and a data source, so that applications cannot reach it over the API.
A certificate issue can also cause user interface outages or failures in communication with backend services.

Diagnosing The Problem

Read SSL certificate

From the SSH command line, type:

openssl x509 -in cert.cert -text -noout
Note: The command prints the full decoded certificate: subject, issuer, validity period, and extensions such as keyUsage and subjectAltName.
    

Unable to Get Issuer Certificate

  1.  From the SSH command-line run:
    openssl verify -CAfile cert.pem cert.cert
    Output if a member of the chain is missing from cert.pem:
    cert.cert: DC = <info>, DC = <info>, CN = <Subject of the certificate at that depth>
    error 20 at 1 depth lookup: unable to get local issuer certificate
    Note: The exact message depends on the OpenSSL version and on where the chain breaks: either "error 2 ... unable to get issuer certificate" or "error 20 ... unable to get local issuer certificate". Both mean the same thing here: the issuer of the certificate named on the line above is not in cert.pem. Depth 0 is the server certificate itself, depth 1 is its issuer, and so on.
  2. Review the certificate chain used by Cloud Pak for Security and add the missing intermediate or root certificate to the CA bundle (cert.pem).
    Note: The certificate must have a .cert, .crt, .pem, or .der file extension.
  3. Confirm that the certificate is now verifying correctly by running the command:
    openssl verify -CAfile cert.pem cert.cert
  4. The output of the command when the certificate verifies correctly:
    cert.cert: OK
  5. Extract the certificate
    1. To extract the certificates from a PKCS #7 file:
      1. Navigate to the folder where the PKCS #7 (.p7b) file resides.
      2. To extract the certificates, run the command:
        openssl pkcs7 -in certificate.p7b -inform PEM -print_certs -outform PEM -out chain_certificate.pem
        Note: A .p7b file is often binary (DER) rather than PEM; if the command cannot read it, use -inform DER instead. The output file contains every certificate in the container, typically the server certificate and its chain.
      3. Copy the certificate to a safe location.
    2. To extract the certificate from a PKCS #12 file:
      1. Navigate to the folder where the .pfx (or .p12) file resides.
      2. To extract the server certificate (without its private key), run the command:
        openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out certificate.crt
        Note: -clcerts writes only the end-entity certificate. The CA certificates stored in the same container are written with -cacerts -nokeys instead, which is where a missing chain member usually has to be taken from.
      3. Copy the certificate to a safe location.
    
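The procedure above in executable form. This is an added example, not code from IBM or from the Cloud Pak for Security documentation: it generates a throw-away root, intermediate and server certificate (the hostname cp4s.example.internal and all CA names are assumptions), reproduces the "unable to get issuer certificate" failure when cert.pem holds only the root, and then shows the two ways to make `openssl verify` pass: passing the intermediate with -untrusted, or bundling intermediate and root into cert.pem, which is what the CA file in this article is expected to contain.

```sh
#!/bin/sh
# Added example (not IBM's code): reproduce the "unable to get issuer certificate"
# failure with a throw-away root -> intermediate -> leaf chain, then show the two
# ways to make `openssl verify` succeed. Every name, key and certificate below is
# generated here for illustration; cp4s.example.internal is an assumed hostname.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Extensions for both CAs: without CA:TRUE chain building stops at that certificate.
cat > ca.ext <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
# Leaf extensions follow the PKI FAQ later in this article.
cat > leaf.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, serverAuth
subjectAltName = DNS:cp4s.example.internal
EOF

# Root CA (self-signed).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 365 -extfile ca.ext \
  -out root.pem 2>/dev/null
# Intermediate CA, signed by the root.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Issuing CA" \
  -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 365 -extfile ca.ext -out int.pem 2>/dev/null
# Server certificate cert.cert, signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=cp4s.example.internal" \
  -keyout cert.key -out cert.csr 2>/dev/null
openssl x509 -req -in cert.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 365 -extfile leaf.ext -out cert.cert 2>/dev/null

# verify_against CAFILE [extra verify options]: print the verdict, return openssl's status.
verify_against() {
  cafile=$1; shift
  openssl verify -CAfile "$cafile" "$@" cert.cert 2>&1
}

# Broken: only the root is trusted and the intermediate is nowhere to be found.
# openssl reports error 2 or error 20 (wording depends on the version) at the
# depth of the last certificate whose issuer it could not locate.
root_only() { verify_against root.pem; }

# Fix A: hand the intermediate to openssl as an untrusted helper certificate.
with_untrusted() { verify_against root.pem -untrusted int.pem; }

# Fix B: build the bundle (intermediate + root) that cert.pem is expected to
# hold, and verify against that.
with_bundle() {
  cat int.pem root.pem > cert.pem
  verify_against cert.pem
}

echo "--- root only (fails) ---"; root_only || true
echo "--- with -untrusted ---";   with_untrusted
echo "--- with bundle ---";       with_bundle
```

The server certificate is the same in all three runs; only what the verifier knows about the issuers changes. That is the situation behind the symptom in this article: the certificate itself is fine, but the bundle installed alongside it is incomplete.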

Invalid Subject within SSL certificate

  1. Read the subject of the certificate:
    openssl x509 -in cert.cert -noout -subject
    The output shows the subject; its CN is the FQDN the certificate was issued for:
    subject=CN = <FQDN the certificate was issued for>
    If the certificate carries a subjectAltName extension, clients match the host name against its DNS entries rather than the CN, so the subjectAltName must list the FQDN too (see the PKI FAQ below).
  2. On the host that presents the certificate (the Console or the data source), confirm its FQDN:
    hostname -f
  3. Resolve the inconsistency between the FQDN and the Subject.
    1. Contact your certificate authority (recommended).
      Request a new certificate whose Subject CN (and subjectAltName) corresponds to the Console FQDN, then replace the current invalid certificate with the newly issued one.

    2. Create a multi-domain (SAN) certificate. If the Console must also be reachable under an alternate domain name, request a certificate whose subjectAltName lists every name that clients use.

      Note: A public certificate authority issues multi-domain certificates only for public domains; it cannot sign a nonpublic domain such as '.local'. For such names, use your own (internal) CA, as described under "Resolving The Problem".
    
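The name check above, done the way a TLS client does it rather than by eye. This is an added example and not IBM's code: it builds three throw-away self-signed certificates (one with subjectAltName entries, one with only a CN, one wildcard; all hostnames are assumptions) and decides whether each covers a given FQDN. subjectAltName DNS entries are authoritative, the Subject CN is consulted only when the certificate has no subjectAltName, and a wildcard matches exactly one label.

```sh
#!/bin/sh
# Added example (not IBM's code): decide whether a certificate is valid for a
# given FQDN. subjectAltName DNS entries win; the Subject CN is only a fallback
# for certificates without a SAN; a wildcard covers a single label. The three
# test certificates and every hostname are constructed here for illustration.
set -eu -f    # -f: names such as *.example.internal must not be glob-expanded
WORK=$(mktemp -d)

# make_cert FILE CN [SAN]: throw-away self-signed certificate (constructed input).
make_cert() {
  if [ -n "${3:-}" ]; then
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
      -addext "subjectAltName=$3" -keyout "$WORK/$1.key" -out "$WORK/$1" 2>/dev/null
  else
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
      -keyout "$WORK/$1.key" -out "$WORK/$1" 2>/dev/null
  fi
}
make_cert san.crt  console.example.internal "DNS:console.example.internal,DNS:cp4s.example.internal"
make_cert cn.crt   legacy.example.internal
make_cert wild.crt "*.example.internal" "DNS:*.example.internal"

# cert_sans FILE: the DNS names from subjectAltName, one per line (IP entries dropped).
cert_sans() {
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null \
    | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:[[:space:]]*//p'
}

# cert_cn FILE: the CN attribute of the Subject.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# name_matches PATTERN HOST: case-insensitive exact match, or a wildcard in the
# leftmost label only (*.example.internal matches a.example.internal, but not
# a.b.example.internal and not example.internal).
name_matches() {
  pat=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  if [ "$pat" = "$host" ]; then return 0; fi
  case $pat in
    '*.'*) [ "${host#*.}" = "${pat#\*.}" ] && [ "${host%%.*}" != "$host" ] ;;
    *)     return 1 ;;
  esac
}

# cert_valid_for FILE HOST: 0 if the certificate covers HOST, 1 otherwise.
cert_valid_for() {
  names=$(cert_sans "$1")
  if [ -z "$names" ]; then names=$(cert_cn "$1"); fi   # CN fallback, no SAN present
  for n in $names; do
    if name_matches "$n" "$2"; then echo "match: $n covers $2"; return 0; fi
  done
  echo "no match for $2 (names: $(printf '%s' "$names" | tr '\n' ' '))"
  return 1
}

for h in console.example.internal cp4s.example.internal other.example.internal; do
  cert_valid_for "$WORK/san.crt" "$h" || true
done
cert_valid_for "$WORK/cn.crt"   legacy.example.internal   || true
cert_valid_for "$WORK/wild.crt" any.example.internal      || true
cert_valid_for "$WORK/wild.crt" deep.any.example.internal || true
```

Run cert_valid_for against the value of `hostname -f` on the Console host; a "no match" result is the condition this section describes, and the names it prints are what the replacement certificate has to carry.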

Expired Certificate

  1. From the SSH command-line run:
    openssl verify -CAfile cert.pem cert.cert
    Example output:
    cert.cert: C = <info>, O = <info>, CN = <Subject of the expired certificate>
    error 10 at 0 depth lookup: certificate has expired
    Depth 0 is the server certificate itself; a higher depth points at an intermediate or root certificate in the chain.
  2. To confirm the expiration of the certificate, type
    openssl x509 -in cert.cert -text -noout | grep -A2 Validity
    Example output,
    Validity
          Not Before: <Certificate issue date>
          Not After: <Certificate expiration date>

    Note: If you installed an Intermediate Certificate, you need to confirm the expiration for the intermediate file too.
     
  3. Resolution for an expired certificate.
    You need to contact your certificate authority and request a new certificate bundle. Then, install the new certificate chain.

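Checking every certificate in the installed bundle at once, so that an expired intermediate is not overlooked. This is an added example, not IBM's code: it builds a two-certificate bundle from throw-away self-signed certificates (names and lifetimes are constructed for illustration), splits it, and reports each certificate as OK, EXPIRING within a chosen number of days, or EXPIRED, using openssl's -checkend instead of parsing dates.

```sh
#!/bin/sh
# Added example (not IBM's code): report the validity of every certificate in a
# PEM file or bundle (leaf, intermediate, root) and flag the ones that have
# expired or expire within DAYS days. The bundle is built here from throw-away
# self-signed certificates whose names and lifetimes are constructed.
set -eu
WORK=$(mktemp -d)

# mk NAME DAYS: throw-away self-signed certificate valid for DAYS days from now.
mk() {
  openssl req -x509 -newkey rsa:2048 -nodes -days "$2" -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
mk leaf 20            # about to expire
mk intermediate 400   # plenty of time left
cat "$WORK/leaf.pem" "$WORK/intermediate.pem" > "$WORK/chain.pem"

# split_bundle FILE DIR: write each PEM certificate in FILE to DIR/cert-N.pem
# and print how many there were.
split_bundle() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
    n { print > out }
    /-----END CERTIFICATE-----/   { close(out) }
    END { print n + 0 }' "$1"
}

# check_bundle FILE DAYS: one line per certificate, "STATUS subject (notAfter)",
# where STATUS is EXPIRED, EXPIRING (within DAYS days) or OK. Returns 1 unless
# every certificate is OK, so it can gate a deployment script.
check_bundle() {
  dir=$(mktemp -d); rc=0
  count=$(split_bundle "$1" "$dir")
  i=1
  while [ "$i" -le "$count" ]; do
    c="$dir/cert-$i.pem"
    subj=$(openssl x509 -in "$c" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    notafter=$(openssl x509 -in "$c" -noout -enddate | sed 's/^notAfter=//')
    # -checkend N exits 1 if the certificate expires within N seconds; N=0 means "already expired".
    if ! openssl x509 -in "$c" -noout -checkend 0 >/dev/null; then
      status=EXPIRED; rc=1
    elif ! openssl x509 -in "$c" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
      status=EXPIRING; rc=1
    else
      status=OK
    fi
    printf '%s %s (%s)\n' "$status" "$subj" "$notafter"
    i=$((i + 1))
  done
  return $rc
}

echo "== 30-day warning window =="
check_bundle "$WORK/chain.pem" 30 || echo "renewal needed"
```

Point check_bundle at the installed cert.pem and cert.cert in turn (or at their concatenation) and it reports each member of the chain, which is what the note above asks you to confirm for the intermediate file.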
Resolving The Problem

The "Domain name and TLS certificates" topic in the Cloud Pak for Security documentation covers: domain name (DN) requirements, certificate requirements, wildcard certificates, creating your own CA, generating a TLS certificate with OpenSSL, and certificate replacement.

When needed, the Cloud Pak for Security certificate can be replaced by following the certificate replacement procedure in that topic.

PKI FAQ:

  • Is a single-level PKI (a root CA only, with no intermediate) required?
    No, there is no such requirement. See "Updating your Cloud Pak for Security TLS certificates" in the product documentation for instructions.
  • CRL support with LDAP, HTTP, HTP
  • Algorithm and extension support
    TLS 1.3 requires the following certificate extensions (OpenSSL names):
    1. keyUsage = nonRepudiation, digitalSignature, keyEncipherment
    2. extendedKeyUsage = clientAuth, serverAuth
  • Are there limitations on KeyUsage?
    ExtKeyUsage must include serverAuth.
    WARNING: Reusing a cluster certificate in particular can cause problems, because its KeyUsage and ExtKeyUsage may not match these requirements.
  • Certificate validity period?
    Maximum 398 days.
  • Must certificates use subjectAltName entries with DNS names rather than IP addresses?
    Yes. An IP address does not work, because:
    1. there is no route for it, and
    2. applications return URLs that contain the hostname.

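The FAQ requirements as a pre-installation check. This is an added example, not IBM's code or tooling: it generates one certificate that meets the requirements and one that breaks all of them (names, lifetimes and the IP address are constructed for illustration), then lints each for the keyUsage bits, extendedKeyUsage serverAuth, a validity period of at most 398 days, and a subjectAltName that holds DNS names and no IP addresses. The validity period is computed with civil-date arithmetic so the script does not depend on the non-portable `date -d`.

```sh
#!/bin/sh
# Added example (not IBM's code): lint a certificate against the PKI FAQ above:
# keyUsage bits, extendedKeyUsage serverAuth, validity <= 398 days, and a
# DNS-only subjectAltName. Both test certificates are constructed here.
set -eu -f
WORK=$(mktemp -d)

# A certificate that meets the FAQ ...
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=cp4s.example.internal" \
  -addext "keyUsage=nonRepudiation,digitalSignature,keyEncipherment" \
  -addext "extendedKeyUsage=clientAuth,serverAuth" \
  -addext "subjectAltName=DNS:cp4s.example.internal" \
  -keyout "$WORK/good.key" -out "$WORK/good.pem" 2>/dev/null
# ... and one that breaks every rule: weak keyUsage, clientAuth only, 400 days, IP SAN.
openssl req -x509 -newkey rsa:2048 -nodes -days 400 -subj "/CN=10.0.0.5" \
  -addext "keyUsage=digitalSignature" \
  -addext "extendedKeyUsage=clientAuth" \
  -addext "subjectAltName=IP:10.0.0.5" \
  -keyout "$WORK/bad.key" -out "$WORK/bad.pem" 2>/dev/null

# days_since_epoch "Mon DD HH:MM:SS YYYY GMT" -> whole days since 1970-01-01,
# using the standard civil-to-days formula (time of day is ignored).
days_since_epoch() {
  set -- $1
  case $1 in Jan) m=1;; Feb) m=2;; Mar) m=3;; Apr) m=4;;  May) m=5;;  Jun) m=6;;
             Jul) m=7;; Aug) m=8;; Sep) m=9;; Oct) m=10;; Nov) m=11;; Dec) m=12;; esac
  d=$2; y=$4
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi
  era=$((y / 400)); yoe=$((y - era * 400)); mp=$(((m + 9) % 12))
  doy=$(((153 * mp + 2) / 5 + d - 1))
  doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
  echo $((era * 146097 + doe - 719468))
}

# check STATUS MESSAGE: print ok/FAIL and remember any failure in rc.
check() { if [ "$1" -eq 0 ]; then echo "ok   $2"; else echo "FAIL $2"; rc=1; fi; }

# lint_cert FILE: one line per requirement; returns 1 if any requirement fails.
lint_cert() {
  rc=0
  txt=$(openssl x509 -in "$1" -noout -text)
  ku=$(printf '%s\n' "$txt" | awk '/X509v3 Key Usage/ { getline; print }')
  for bit in "Digital Signature" "Non Repudiation" "Key Encipherment"; do
    case $ku in *"$bit"*) check 0 "keyUsage has $bit";; *) check 1 "keyUsage lacks $bit";; esac
  done
  eku=$(printf '%s\n' "$txt" | awk '/X509v3 Extended Key Usage/ { getline; print }')
  case $eku in
    *"TLS Web Server Authentication"*) check 0 "extendedKeyUsage has serverAuth";;
    *) check 1 "extendedKeyUsage lacks serverAuth";;
  esac
  nb=$(openssl x509 -in "$1" -noout -startdate | sed 's/^notBefore=//')
  na=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
  days=$(( $(days_since_epoch "$na") - $(days_since_epoch "$nb") ))
  if [ "$days" -le 398 ]; then check 0 "validity is $days days (maximum 398)"
  else check 1 "validity is $days days (maximum 398)"; fi
  # SAN entries look like "DNS:host, IP Address:10.0.0.5"; strip spaces for matching.
  san=$(openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null | sed 1d | tr -d ' ')
  case $san in *DNS:*) check 0 "subjectAltName has a DNS name";; *) check 1 "subjectAltName has no DNS name";; esac
  case $san in *IPAddress:*) check 1 "subjectAltName contains an IP address";; *) check 0 "subjectAltName has no IP address";; esac
  return $rc
}

echo "== good.pem =="; lint_cert "$WORK/good.pem" || true
echo "== bad.pem ==";  lint_cert "$WORK/bad.pem"  || true
```

Run lint_cert on a certificate before installing it; every FAIL line is one of the FAQ items above, and the cluster-certificate warning is exactly the case where the keyUsage and extendedKeyUsage checks tend to fail.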

Document Information

Modified date:
25 May 2023

UID

ibm16991401