
When downloading the certs in PKCS12 format, the root certs are missing even though the root first/last option was set. JKS format doesn't have this issue. Is it a bug or as expected?

I tested this and the behavior is the same with both the API and the Web GUI when downloading manually. See all the details below.

1. API command used, which was generated using the Swagger UI and ran successfully.

curl -X GET "https://serverurl/vedsdk/certificates/Retrieve?CertificateDN=%5C%5CVED%5C%5CPolicy%5C%5CAperture%5C%5Cteam-foldername%5C%5Ccert_fqdn&Format=PKCS%20%2312&Password=certpassword&IncludePrivateKey=true&IncludeChain=true&RootFirstOrder=false&FriendlyName=cert_fqdn&KeystorePassword=storepassword" -H "accept: application/json" -H "Authorization: Bearer b96ba3ef-81f3-6b3e-3815-2a4567e775fa"

2. Keystore verification command output right after download. When using this keystore, the application failed with an SSL handshake/untrusted error.

keytool -list -keystore keystorefilename -storepass keystorepassword -storetype PKCS12
Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

key_alias, 24-Jul-2020, PrivateKeyEntry,
Certificate fingerprint (SHA1): 1A:4C:AC:33:D7:2F:E1:09:F2:16:33:EA:04:21:7D:4F:58:42:06:F9


3. After running keytool import to import the root certs, I could see it now has two more entries for trusted certs.

[vagrant@rhel7 certs]$ keytool -list -keystore keystorefilename -storepass keystorepassword -storetype PKCS12
Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 3 entries

cn=root1, 24-Jul-2020, trustedCertEntry,
Certificate fingerprint (SHA1): E6:8D:6F:77:BF:00:AF:F8:27:4B:A8:C2:16:81:B0:8E:1C:67:3B:A3
cn=root2, 24-Jul-2020, trustedCertEntry,
Certificate fingerprint (SHA1): 12:56:6C:2A:6C:26:FA:2E:36:0C:74:FC:D6:56:AA:5B:45:EB:A0:4C
key_alias, 24-Jul-2020, PrivateKeyEntry,
Certificate fingerprint (SHA1): 1A:4C:AC:33:D7:2F:E1:09:F2:16:33:EA:04:21:7D:4F:58:42:06:F9

4. As a direct comparison, here is the same API call downloading the same certificate in JKS format, which does NOT have the missing root cert problem that the PKCS12 format has.

curl -X GET "https://serverurl/vedsdk/certificates/Retrieve?CertificateDN=%5C%5CVED%5C%5CPolicy%5C%5CAperture%5C%5Cteam-foldername%5C%5Ccert_fqdn&Format=JKS&Password=certpassword&IncludePrivateKey=true&IncludeChain=true&RootFirstOrder=false&FriendlyName=cert_fqdn&KeystorePassword=storepassword" -H "accept: application/json" -H "Authorization: Bearer bde9ab2f-0eec-4f9f-32fe-972ff9773af6"

[vagrant@rhel7 ~]$ keytool -list -keystore keystorefilename -storepass keystorepassword -storetype JKS
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

cn=root1, dc=hbeu, dc=adroot, dc=hsbc, 24-Jul-2020, trustedCertEntry,
Certificate fingerprint (SHA1): E6:8D:6F:77:BF:00:AF:F8:27:4B:A8:C2:16:81:B0:8E:1C:67:3B:A3
cn=root2, 24-Jul-2020, trustedCertEntry,
Certificate fingerprint (SHA1): 12:56:6C:2A:6C:26:FA:2E:36:0C:74:FC:D6:56:AA:5B:45:EB:A0:4C
key_alias, 24-Jul-2020, trustedCertEntry,
Certificate fingerprint (SHA1): 1A:4C:AC:33:D7:2F:E1:09:F2:16:33:EA:04:21:7D:4F:58:42:06:F9

5. Our TPP version info:

You are currently connected to server "servername" and it has Venafi Trust Protection Platform version 20.1.1.8830 installed.
The database schema version is 20.1.0.0.0.0 and was installed on 5/15/2020 10:20 AM (-04:00 UTC)
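
The check I would run on the downloaded keystore before handing it to an application, as an added example that is not part of the original post or of the Venafi product: it lists every certificate in the PKCS#12 bundle with openssl and reports whether any of them is self-signed, i.e. whether the root actually came down with the chain. The keystore path and password are placeholders supplied on the command line.

```shell
#!/bin/sh
# Added example (not from the original post or from Venafi): inspect a
# downloaded PKCS#12 keystore and report whether the chain it carries reaches
# a self-signed root, which is what the application's trust check needs.
# Assumes the openssl CLI; the keystore path and password are caller-supplied
# placeholders. On OpenSSL 3 add -legacy to the first openssl call if the
# bundle uses RC2/3DES encryption and refuses to open.

# Print "subject=..." / "issuer=..." pairs, one pair per certificate in the
# bundle. Keys are skipped; a wrong password simply yields an empty list.
p12_cert_list() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null |
    openssl crl2pkcs7 -nocrl -certfile /dev/stdin |
    openssl pkcs7 -print_certs -noout
}

# Exit 0 when at least one certificate is self-signed (subject == issuer),
# i.e. the root is present; exit 1 when only leaf/intermediates were packed.
# The summary goes to stderr so the exit status stays usable in scripts.
p12_has_root() {
  p12_cert_list "$1" "$2" | {
    total=0; roots=0; subj=""
    while IFS= read -r line; do
      case "$line" in
        subject=*)
          subj="${line#subject=}"
          total=$((total + 1)) ;;
        issuer=*)
          if [ "${line#issuer=}" = "$subj" ]; then
            roots=$((roots + 1))
          fi ;;
      esac
    done
    echo "certificates in bundle: $total, self-signed roots: $roots" >&2
    [ "$roots" -gt 0 ]
  }
}

# Usage: sh p12check.sh keystorefilename keystorepassword
if [ "$#" -eq 2 ]; then
  if p12_has_root "$1" "$2"; then
    echo "OK: chain includes a root certificate"
  else
    echo "MISSING: no self-signed root in $1; import the roots before use" >&2
    exit 1
  fi
fi
```

Note that keytool -list without -v shows a PrivateKeyEntry as a single line even when the chain is attached to that entry; keytool -list -v prints the "Certificate chain length" for the entry, which is the same information the openssl check above extracts.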
