Manual verification of certificate chain of trust
In B2B integration, we often encounter the requirement to handle certificates for use in SSL, encryption or authentication. The certificates normally come in the form of a chain of trust, and need to be imported in PI’s NWA to be used in the configuration of the interfaces.
This blog illustrates a quick way to manually verify a certificate chain of trust, which can be easily done using the certificate keystore functionality of the Windows OS.
The example uses a chain of 3 certificates (1 end-server certificate, 1 intermediate CA certificate and 1 root CA certificate) in the following tree structure:
Internal Root CA
–> Internal Gold CA1
Before importing the CAs into the trusted keystore
When any of the certificate files is opened at this point, Windows displays the message that the certificate cannot be verified.
1) End-server certificate
The certificate below is the end-server certificate which has been issued by Internal Gold CA1.
2) Intermediate CA certificate
However, Internal Gold CA1 (the intermediate CA certificate) is not a trusted certificate. Opening this file will also display the message that the certificate cannot be verified.
This intermediate CA certificate is issued by Internal Root CA.
3) Root CA certificate
Internal Root CA certificate is also not trusted. When the file is opened, it will indicate that the root is not trusted.
The root certificate is a self-signed certificate (issued by itself, Internal Root CA).
Note: If there is more than one intermediate CA, repeat the second step, following each certificate's issuer to the next higher intermediate CA, until the root CA is reached.
Import CA certificates into trusted keystore
Now we import the CA certificates into the keystore.
1) Root CA certificate
The root CA certificate (Internal Root CA) is imported into the Trusted Root Certification Authorities store.
Select Yes to trust the Root CA certificate.
2) Intermediate CA certificate
After the root CA has been imported and trusted, if we open the intermediate CA file, it can now be verified successfully.
Subsequently, we also import the intermediate CA (Internal Gold CA1) into the Intermediate Certification Authorities keystore.
3) End-server certificate
After both the root and intermediate CA certificates have been imported and trusted, opening the end-server certificate shows that verification is successful. The Certification Path tab also shows the tree structure of the certificate chain.
With this, we have verified that the set of certificates in the example is valid, and that the chain of trust can be established from the end-server certificate up to the trusted root.
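The same three-step check, done programmatically as an added example that is not part of the original blog: Go's standard crypto/x509 library builds a constructed Internal Root CA -> Internal Gold CA1 -> end-server chain with throwaway keys, two certificate pools stand in for the Windows Trusted Root and Intermediate stores, and Verify reports the certification path only once the CAs have been imported. The end-server name b2b.example.test, the serial numbers and all keys are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Stores models the blog's two Windows keystores: Trusted Root CAs and Intermediate CAs.
type Stores struct{ Root, Intermediate *x509.CertPool }
func NewStores() *Stores                                 { return &Stores{x509.NewCertPool(), x509.NewCertPool()} }
func (s *Stores) ImportRoot(c *x509.Certificate)         { s.Root.AddCert(c) }
func (s *Stores) ImportIntermediate(c *x509.Certificate) { s.Intermediate.AddCert(c) }

// Verify returns the Certification Path (subject CNs, leaf first) when a chain from cert to a
// certificate in the Root store can be built; otherwise err explains why it cannot.
func Verify(cert *x509.Certificate, s *Stores) (path []string, err error) {
	chains, err := cert.Verify(x509.VerifyOptions{Roots: s.Root, Intermediates: s.Intermediate})
	if err == nil {
		for _, c := range chains[0] {
			path = append(path, c.Subject.CommonName)
		}
	}
	return path, err
}

// newCert issues a certificate for cn with key usage ku, signed by parent (self-signed if nil).
func newCert(cn string, serial int64, ku x509.KeyUsage, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: ku, BasicConstraintsValid: true, IsCA: ku&x509.KeyUsageCertSign != 0} // only a CA may sign
	if parent == nil { // self-signed root: issuer and subject are the same certificate
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	cert, err := x509.ParseCertificate(der) // also fails if CreateCertificate failed
	if err != nil {
		panic(err)
	}
	return cert, key
}

// BuildChain builds the blog's tree with throwaway keys: Internal Root CA -> Internal Gold CA1 -> end-server.
func BuildChain() (leaf, inter, root *x509.Certificate) {
	root, rootKey := newCert("Internal Root CA", 1, x509.KeyUsageCertSign, nil, nil)
	inter, interKey := newCert("Internal Gold CA1", 2, x509.KeyUsageCertSign, root, rootKey)
	leaf, _ = newCert("b2b.example.test", 3, x509.KeyUsageDigitalSignature, inter, interKey)
	return
}
```

Verifying the intermediate after importing only the root, then the end-server certificate after importing both, reproduces the blog's sequence; trusting the intermediate alone is not enough, because the path must end at a certificate in the root store.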
Using this handy approach, we can verify that the received certificates are valid and that the chain of trust can be established, even before importing them into PI and conducting end-to-end testing. This helps to catch incorrect certificates or incomplete chains before any development or configuration work is done.
After the manual verification is done, the certificates can be imported into NWA. The following document details the steps to achieve that: