Introduction

In B2B integration, we often encounter the requirement to handle certificates for use in SSL, encryption or authentication. The certificates normally come in the form of a chain of trust, and need to be imported into PI's NWA (NetWeaver Administrator) before they can be used in the configuration of the interfaces.

This blog illustrates a quick way to manually verify a certificate chain of trust, which can be easily done using the certificate keystore functionality of the Windows OS.

Example

The example uses a chain that consists of 3 certificates (1 end-server certificate, 1 intermediate CA certificate and 1 root CA certificate) in the following tree structure:

Internal Root CA
  -> Internal Gold CA1
    -> b2bgateway.****.net

Before importing the CAs into the trusted keystore

When the certificate files are opened at this point, Windows displays the message that the certificate cannot be verified.

1) End-server certificate

The certificate below is the end-server certificate which has been issued by Internal Gold CA1.

[Screenshot: end-server certificate details]

2) Intermediate CA certificate

However, Internal Gold CA1 (the intermediate CA certificate) is not a trusted certificate. Opening this file will also display the message that the certificate cannot be verified.

This intermediate CA certificate is issued by Internal Root CA.

[Screenshot: intermediate CA certificate details]

3) Root CA certificate

The Internal Root CA certificate is not trusted yet either. When the file is opened, it indicates that the root is not trusted.

The root certificate is self-signed: its issuer is itself, Internal Root CA.

[Screenshot: root CA certificate details]

Note: If there is more than one intermediate CA, repeat the second step to find the next higher intermediate CA until the root CA is reached.

Import CA certificates into trusted keystore

Now we import the CA certificates into the keystore.

1) Root CA certificate

The root CA certificate (Internal Root CA) is imported into the Trusted Root Certification Authorities store.

[Screenshot: importing the root CA certificate]

Select Yes to trust the Root CA certificate.

[Screenshot: security warning prompt when installing the root CA certificate]

2) Intermediate CA certificate

After the root CA has been imported and trusted, opening the intermediate CA file now shows that it can be verified successfully.

[Screenshot: intermediate CA certificate now verified]

Subsequently, we also import the intermediate CA (Internal Gold CA1) into the Intermediate Certification Authorities store.

[Screenshot: importing the intermediate CA certificate]

3) End-server certificate

After both the root and intermediate CA certificates have been imported and trusted, opening the end-server certificate now shows that verification is successful. The Certification Path tab also displays the tree structure of the certificate chain.

[Screenshots: end-server certificate verified; Certification Path tab showing the chain]

With this, we have verified that the set of certificates in the example is valid and that the chain of trust can be established from the end-server certificate up to the trusted root.
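The same check can be scripted, which is handy when the chain has to be verified on more than one host or more than once. The PowerShell below is an added example and is not part of the original post; the file paths and the use of the Cert:\CurrentUser store are assumptions. It uses the .NET X509Chain class, which performs the same path building as the Certification Path tab, and it accepts any number of intermediate CA files, so it also covers the case of several intermediate CAs mentioned in the note above.

```powershell
# Added example (not from the original post). Paths below are assumptions;
# replace them with the files received from the partner.
$leafPath = 'C:\certs\b2bgateway.cer'          # end-server certificate
$intPath  = 'C:\certs\Internal_Gold_CA1.cer'   # intermediate CA certificate
$rootPath = 'C:\certs\Internal_Root_CA.cer'    # self-signed root CA certificate

function Test-CertChain {
    # Builds the chain for $LeafPath against the Windows certificate stores.
    # Intermediate CA files can be supplied even if they are not imported yet.
    param(
        [Parameter(Mandatory)][string]$LeafPath,
        [string[]]$IntermediatePaths = @()
    )
    $leaf  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($LeafPath)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()

    # Check structure only (signatures, issuer/subject names, validity dates);
    # revocation is skipped so the check also works without network access.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

    foreach ($p in $IntermediatePaths) {
        $null = $chain.ChainPolicy.ExtraStore.Add(
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($p))
    }

    $ok = $chain.Build($leaf)
    [pscustomobject]@{
        Subject = $leaf.Subject
        Valid   = $ok
        # Same tree as the Certification Path tab, leaf first
        Path    = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' -> '
        # Empty when the chain is valid; otherwise e.g. UntrustedRoot or PartialChain
        Status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Before the root is trusted: Valid is False and Status shows UntrustedRoot
# (or PartialChain when the intermediate cannot be found at all).
Test-CertChain -LeafPath $leafPath -IntermediatePaths $intPath

# Import the CAs as in the manual steps: the self-signed root into the
# Trusted Root store, the intermediate into the Intermediate CA store.
# Cert:\CurrentUser needs no admin rights; Cert:\LocalMachine is needed for services.
Import-Certificate -FilePath $rootPath -CertStoreLocation Cert:\CurrentUser\Root | Out-Null
Import-Certificate -FilePath $intPath  -CertStoreLocation Cert:\CurrentUser\CA   | Out-Null

# After the imports: Valid is True and Path reads
# leaf -> Internal Gold CA1 -> Internal Root CA, with an empty Status.
Test-CertChain -LeafPath $leafPath
```

Importing a root into Trusted Root Certification Authorities is a trust decision for the whole user or machine profile, so confirm the root's thumbprint with the partner out of band before clicking Yes, and remove a root imported only for a check once the verification is done (for example with Remove-Item on the corresponding entry under Cert:\CurrentUser\Root).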

Summary

Using this handy approach, we can verify that the received certificates are valid and that the chain of trust can be established. This can be done even before importing into PI and conducting end-to-end testing, which helps to eliminate incorrect certificates or incomplete chains before any development or configuration work is done.

Additional Reference

After the manual verification is done, the certificates can be imported into NWA. The following document details the steps to achieve that:

Adding Certificates to PI
