AIA-Call with a SHA256 SSL certificate

Posted by Malte von Loh on 20-May-2016 07:10

Hello,

we are using a 10.1b AppServer with AIA to transfer data over the internet (https). It worked fine for the last two years. But now we have to replace the old SSL certificate with a newer one (both from thawte).

After changing the certificate we can't connect to the AIA any longer.
"Secure Socket Layer (SSL) failure. error code -54: unable to get local issuer certificate (9318)".

I found this article in the knowledgebase:

http://knowledgebase.progress.com/articles/Article/Does-OpenEdge-10-x-or-11-x-support-SHA-2-signed-certificates

I tried to connect to the AIA with 10.2B08 and 11.5.1, but it's not working.

After my first attempts I found the following article:

http://knowledgebase.progress.com/articles/Article/000043116

Thawte should work without it, but I tried to import the corresponding root certificate from https://www.thawte.com/roots/thawte_Primary_Root_CA-G3_SHA256.pem.
Progress stored the certificate in a file named "67495436.0", but an error message told me that the name has to be "6c8c6fec.0".

How do I get OpenEdge to connect with the AIA again?

Thanks for your help and kind regards
Malte von Loh

All Replies

Posted by Anand Adike on 20-May-2016 07:44

It seems that you are importing a ROOT CA certificate into the OpenEdge cert store, and you mentioned that it was stored as 67495436.0.
 
Have you changed the server certificate in the $DLC/keys folder? If yes, is the certificate signed by the imported ROOT CA certificate?
 
If possible, could you please provide the certificate text by executing the following command:
 
proenv> sslc x509 -text -in <file_name>.pem -noout (for server certificate)
proenv> sslc x509 -text -in 67495436.0 (for ROOT CA certificate)
 
Thanks,
Anand.
 

Posted by Malte von Loh on 20-May-2016 08:50

No change in $DLC/keys folder.

Result for "proenv> sslc x509 -text -in <file_name>.pem -noout":

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            29:d5:3b:95:ba:b6:cd:ed:17:1c:a4:32:8b:dd:2f:6c
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=thawte, Inc., OU=Domain Validated SSL, CN=thawte DV SSL SHA256 CA
        Validity
            Not Before: May 10 00:00:00 2016 GMT
            Not After : Jul  9 23:59:59 2018 GMT
        Subject: CN=<website>
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:be:49:05:9e:44:ab:8b:a2:2c:87:74:02:61:e2:
                    02:69:88:bd:a6:14:d3:bc:6f:12:82:41:8a:0c:e8:
                    1d:23:98:0e:48:e4:08:e5:82:eb:14:01:94:8b:c7:
                    e5:1d:95:34:1f:ac:9d:a6:bc:49:cd:bb:83:5d:df:
                    9e:b7:c3:36:81:6f:d8:6c:d0:ea:b5:4c:6f:c7:5d:
                    db:81:f1:dd:51:5c:23:32:97:50:61:2a:3c:2a:95:
                    53:68:8d:17:ee:fb:f8:29:ea:16:ba:15:c6:16:1a:
                    ae:12:14:71:0d:9d:b1:9d:04:71:98:a3:c7:5d:da:
                    3f:90:58:75:4f:97:27:3f:af:43:41:a5:44:9c:16:
                    54:ba:4d:fa:b9:33:df:91:9a:a4:dc:d9:05:e0:22:
                    59:62:4b:44:d2:2f:47:54:c5:8f:bd:3a:3f:dd:e6:
                    b9:8c:a3:48:00:29:01:9c:2e:6f:2d:65:16:36:7d:
                    59:67:f4:b2:09:a2:8b:44:1b:25:6b:9f:19:39:23:
                    bc:aa:fc:f6:ed:20:51:30:33:a4:5f:ff:84:fe:ff:
                    b8:9d:ef:2f:db:53:92:e3:90:73:71:b9:a7:08:14:
                    0d:2a:f2:b3:cc:a0:07:22:b7:8d:58:e1:ce:87:ae:
                    cb:5a:da:8a:c3:a4:aa:eb:72:86:21:fd:88:7a:18:
                    dd:7f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:<website>
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 CRL Distribution Points:
                URI:http://tm.symcb.com/tm.crl

            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                  CPS: https://www.thawte.com/cps
                  User Notice:
                    Explicit Text: www.thawte.com/repository

            X509v3 Authority Key Identifier:
                keyid:7D:29:31:2F:C1:1E:6E:AE:31:05:6A:B3:EB:1C:CD:A9:DD:AE:80:9A

            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            Authority Information Access:
                OCSP - URI:http://tm.symcd.com
                CA Issuers - URI:http://tm.symcb.com/tm.crt

            1.3.6.1.4.1.11129.2.4.2:
                <binary extension value, not printable as text>
    Signature Algorithm: sha256WithRSAEncryption
        8a:b3:1c:76:31:32:b5:16:87:8d:6a:04:05:a8:47:e4:59:db:
        f7:ee:8f:4f:dc:6d:b1:b1:c5:c8:55:d9:6d:34:e0:d5:7f:4d:
        41:ad:82:0d:b8:77:30:3b:1a:6c:66:36:1d:84:2e:c6:91:86:
        f6:10:7c:f8:c1:29:85:35:ee:79:e3:a5:5c:8b:ac:c7:3c:ed:
        8c:f0:da:65:96:89:08:31:28:29:78:66:25:42:a2:b6:9a:7c:
        ed:33:cd:f2:6b:80:9f:c1:b1:8a:8b:d0:11:97:d5:4d:6f:34:
        b9:4a:76:e6:8c:56:b4:4f:7d:70:46:2e:d1:38:c1:c0:c2:3b:
        a1:dd:77:47:38:e7:eb:72:dc:67:9d:61:ce:a2:5d:f6:6c:90:
        a5:b1:4a:0f:52:e7:a9:78:9e:e9:06:76:32:35:5a:26:a2:f7:
        87:10:a7:f0:dc:09:3f:f3:8b:32:47:36:6b:94:0a:83:49:4e:
        f8:b7:b7:e3:c9:da:cc:a0:41:08:85:fa:21:e8:01:c2:3d:0e:
        c6:da:dd:57:0f:26:91:88:76:fb:93:04:8c:dc:23:b6:90:81:
        67:ac:0a:94:32:22:11:fa:56:ad:ad:e7:ba:a4:dd:ca:73:6e:
        a7:f1:fd:43:55:5d:b4:19:09:4d:aa:62:4f:f3:b4:7f:f1:49:
        6c:a2:ed:b7

Result for "proenv> sslc x509 -text -in 67495436.0":

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            60:01:97:b7:46:a7:ea:b4:b4:9a:d6:4b:2f:f7:90:fb
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2008 thawte, Inc. - For authorized use only, CN=thawte Primary Root CA - G3
        Validity
            Not Before: Apr  2 00:00:00 2008 GMT
            Not After : Dec  1 23:59:59 2037 GMT
        Subject: C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2008 thawte, Inc. - For authorized use only, CN=thawte Primary Root CA - G3
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (2048 bit)
                Modulus (2048 bit):
                    00:b2:bf:27:2c:fb:db:d8:5b:dd:78:7b:1b:9e:77:
                    66:81:cb:3e:bc:7c:ae:f3:a6:27:9a:34:a3:68:31:
                    71:38:33:62:e4:f3:71:66:79:b1:a9:65:a3:a5:8b:
                    d5:8f:60:2d:3f:42:cc:aa:6b:32:c0:23:cb:2c:41:
                    dd:e4:df:fc:61:9c:e2:73:b2:22:95:11:43:18:5f:
                    c4:b6:1f:57:6c:0a:05:58:22:c8:36:4c:3a:7c:a5:
                    d1:cf:86:af:88:a7:44:02:13:74:71:73:0a:42:59:
                    02:f8:1b:14:6b:42:df:6f:5f:ba:6b:82:a2:9d:5b:
                    e7:4a:bd:1e:01:72:db:4b:74:e8:3b:7f:7f:7d:1f:
                    04:b4:26:9b:e0:b4:5a:ac:47:3d:55:b8:d7:b0:26:
                    52:28:01:31:40:66:d8:d9:24:bd:f6:2a:d8:ec:21:
                    49:5c:9b:f6:7a:e9:7f:55:35:7e:96:6b:8d:93:93:
                    27:cb:92:bb:ea:ac:40:c0:9f:c2:f8:80:cf:5d:f4:
                    5a:dc:ce:74:86:a6:3e:6c:0b:53:ca:bd:92:ce:19:
                    06:72:e6:0c:5c:38:69:c7:04:d6:bc:6c:ce:5b:f6:
                    f7:68:9c:dc:25:15:48:88:a1:e9:a9:f8:98:9c:e0:
                    f3:d5:31:28:61:11:6c:67:96:8d:39:99:cb:c2:45:
                    24:39
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                AD:6C:AA:94:60:9C:ED:E4:FF:FA:3E:0A:74:2B:63:03:F7:B6:59:BF
    Signature Algorithm: sha256WithRSAEncryption
        1a:40:d8:95:65:ac:09:92:89:c6:39:f4:10:e5:a9:0e:66:53:
        5d:78:de:fa:24:91:bb:e7:44:51:df:c6:16:34:0a:ef:6a:44:
        51:ea:2b:07:8a:03:7a:c3:eb:3f:0a:2c:52:16:a0:2b:43:b9:
        25:90:3f:70:a9:33:25:6d:45:1a:28:3b:27:cf:aa:c3:29:42:
        1b:df:3b:4c:c0:33:34:5b:41:88:bf:6b:2b:65:af:28:ef:b2:
        f5:c3:aa:66:ce:7b:56:ee:b7:c8:cb:67:c1:c9:9c:1a:18:b8:
        c4:c3:49:03:f1:60:0e:50:cd:46:c5:f3:77:79:f7:b6:15:e0:
        38:db:c7:2f:28:a0:0c:3f:77:26:74:d9:25:12:da:31:da:1a:
        1e:dc:29:41:91:22:3c:69:a7:bb:02:f2:b6:5c:27:03:89:f4:
        06:ea:9b:e4:72:82:e3:a1:09:c1:e9:00:19:d3:3e:d4:70:6b:
        ba:71:a6:aa:58:ae:f4:bb:e9:6c:b6:ef:87:cc:9b:bb:ff:39:
        e6:56:61:d3:0a:a7:c4:5c:4c:60:7b:05:77:26:7a:bf:d8:07:
        52:2c:62:f7:70:63:d9:39:bc:6f:1c:c2:79:dc:76:29:af:ce:
        c5:2c:64:04:5e:88:36:6e:31:d4:40:1a:62:34:36:3f:35:01:
        ae:ac:63:a0

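The two dumps show why importing the G3 root alone cannot satisfy the verifier: the leaf's Issuer DN and Authority Key Identifier (keyid 7D:29:31:...) do not match the imported root's Subject and Subject Key Identifier (AD:6C:AA:...), so OpenSSL has no local certificate that directly issued the leaf, which is exactly the "unable to get local issuer certificate" condition; the issuing CA certificate itself has to be in the store. The following check is an added example, not code from the thread or from Progress: it parses `sslc x509 -text` style output and reports why a candidate CA is not the direct issuer, using excerpts of the two certificates posted above as its input.

```python
import re

# Excerpts constructed from the two `sslc x509 -text` dumps posted in the thread:
# the new leaf certificate and the imported thawte G3 root.
LEAF_TEXT = """\
Certificate:
    Data:
        Issuer: C=US, O=thawte, Inc., OU=Domain Validated SSL, CN=thawte DV SSL SHA256 CA
        Subject: CN=<website>
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:7D:29:31:2F:C1:1E:6E:AE:31:05:6A:B3:EB:1C:CD:A9:DD:AE:80:9A
"""
ROOT_TEXT = """\
Certificate:
    Data:
        Issuer: C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2008 thawte, Inc. - For authorized use only, CN=thawte Primary Root CA - G3
        Subject: C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2008 thawte, Inc. - For authorized use only, CN=thawte Primary Root CA - G3
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                AD:6C:AA:94:60:9C:ED:E4:FF:FA:3E:0A:74:2B:63:03:F7:B6:59:BF
"""


def parse_cert_text(text):
    """Extract the fields that decide whether one certificate can have issued another."""
    def grab(pattern):
        m = re.search(pattern, text, re.M)
        return m.group(1).strip() if m else None
    return {
        "subject": grab(r"^\s*Subject: (.*)$"),
        "issuer": grab(r"^\s*Issuer: (.*)$"),
        # The SKI value sits on the line after its header; the AKI value carries a "keyid:" prefix.
        "ski": grab(r"Subject Key Identifier:\s+([0-9A-F:]+)"),
        "aki": grab(r"Authority Key Identifier:\s+keyid:([0-9A-F:]+)"),
    }


def issuer_mismatches(child_text, candidate_text):
    """Return the reasons why `candidate` cannot be the direct issuer of `child`
    (an empty list means the two certificates link). These are the same name and
    key-identifier comparisons OpenSSL makes before giving up with
    'unable to get local issuer certificate'."""
    child, cand = parse_cert_text(child_text), parse_cert_text(candidate_text)
    problems = []
    if child["issuer"] != cand["subject"]:
        problems.append(f"issuer DN '{child['issuer']}' != candidate subject '{cand['subject']}'")
    if child["aki"] and cand["ski"] and child["aki"] != cand["ski"]:
        problems.append(f"AKI {child['aki']} != candidate SKI {cand['ski']}")
    return problems


if __name__ == "__main__":
    for line in issuer_mismatches(LEAF_TEXT, ROOT_TEXT) or ["candidate is the direct issuer"]:
        print(line)
```

Run against the thread's own dumps it reports both a DN and a key-identifier mismatch; the certificate whose Subject equals the leaf's Issuer DN is the one that must be imported into the OpenEdge cert store (in addition to, not instead of, the root).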