Service Manager Certificate TOOL

Hi,

I don't seem to be able to regenerate the certificates. We're going from 9.60 to 9.70 and need to regen certs. They are also outdated.

So. I want to do the self-sign thingy the most simple way. Server, Loadbalanced Server and Web-tier, nothing else.

It seems I'm stuck at the very first step

- Exporting the private root CA key

38410000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported:crypto\evp\evp_fetch.c:354:Global default library context, Algorithm (RC2-40-CBC : 0), Properties ()

I don't get it. Should I get rid of some certs first? Where is this RC2-40-CBC coming from? In set-params I have the following:

set CA_KEY_OPTS=-keyalg RSA -keysize 2048
set CERT_KEY_OPTS=-keyalg EC -keysize 256

I already tried with JRE 1.7 x86 and 1.6 x64 as well. No idea what I should try next. Support refuses to help; they say certificates aren't their scope. The partner is not willing to create "local" certs; we should deal with it. The last time I did this was 10 years ago.

Please help.

BR,

Dávid

  • Suggested Answer


    eh. Let me answer that myself.

    openssl is nowadays at ~ 3.x.x

    Sh1tty encryption, like the one CertTOOL (KM03769268) uses, is not really accepted anymore, so you will have to make some adjustments to openssl.

    So.. what you need is legacy as a so-called "provider".

    Reinstall your openssl. If you are a Windows fella it'll probably end up in Program Files\OpenSSL x64 or something like that. This is the first point that is misleading: please run "openssl version -a" and you'll see lines like

    OPENSSLDIR: "C:\Program Files\Common Files\SSL"
    ENGINESDIR: "C:\Program Files\OpenSSL\lib\engines-3"
    MODULESDIR: "C:\Program Files\OpenSSL\lib\ossl-modules"

    Yes. It doesn't give a sh1t that you installed into "OpenSSL x64" or whatever. So either you mingle with environment variables or copy the whole bin and lib directories to the location returned by the above command.

    After that it's openssl.cnf time... Where to find it? Ask openSSL! "openssl version -d"

    C:\Program Files\OpenSSL-Win64\bin>openssl version -d
    OPENSSLDIR: "C:\Program Files\Common Files\SSL"

    Now, this is the exact openssl.cnf you need. Add*** (hold ON, do not just simply ADD, read below) the following lines:

    [openssl_init]
    providers = provider_sect

    # List of providers to load (one [provider_sect] header only, no duplicate)
    [provider_sect]
    default = default_sect
    legacy = legacy_sect

    [default_sect]
    activate = 1

    [legacy_sect]
    activate = 1

    ***: you'll look for every section [] respectively and extend the lines... just avoid duplicates.

    Theory is that you set a provider_sect if not set by default. This section has 2 options, default and legacy... Also these two have to be separately activated >> activate = 1.

    AND now you can play with the Certificate TOOL. But only after doing this stuff.

    Have fun!

    öcsi out
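As an added example (not part of the original thread or of the Certificate TOOL), the merge described in the answer, done by script: it adds the provider sections to an existing OpenSSL 3 openssl.cnf without duplicating section headers or keys, and also makes sure the top-level `openssl_conf = openssl_init` line that OpenSSL uses to find the `[openssl_init]` section is present. The sample config it writes is constructed to resemble the file OpenSSL 3 ships (provider_sect present, no legacy entry, default activation commented out); the temp-file path and the optional `openssl list -providers` check are assumptions about the local setup.

```bash
#!/usr/bin/env bash
# Added example, not from the original thread: merge the OpenSSL 3 provider
# sections into an existing openssl.cnf WITHOUT duplicating section headers
# or keys, so the legacy provider (RC2-40-CBC and friends) can be loaded.
# make_sample_cnf writes a constructed sample for this demo; paths are assumptions.
set -eu

# has_kv FILE SECTION KEY -> true if an uncommented "KEY = ..." line exists
# under [SECTION] (a commented "# activate = 1" does not count).
has_kv() {
    awk -v s="[$2]" -v k="$3" '
        $0 == s { in_s = 1; next }
        /^\[/   { in_s = 0 }
        in_s && $0 ~ ("^" k "[ \t]*=") { found = 1 }
        END     { exit !found }' "$1"
}

# ensure_kv FILE SECTION KEY VALUE -> add "KEY = VALUE" right under [SECTION],
# creating the section at the end of the file if it is missing. Idempotent.
ensure_kv() {
    local file="$1" section="$2" key="$3" value="$4"
    grep -q "^\[${section}]" "$file" || printf '\n[%s]\n' "$section" >>"$file"
    has_kv "$file" "$section" "$key" && return 0
    awk -v s="[$section]" -v kv="$key = $value" '
        { print }
        $0 == s { print kv }' "$file" >"$file.tmp" && mv "$file.tmp" "$file"
}

# ensure_top_kv FILE KEY VALUE -> same for the unnamed top-level section
# (everything before the first [header]). OpenSSL only reads [openssl_init]
# when "openssl_conf = openssl_init" is set there.
ensure_top_kv() {
    local file="$1" key="$2" value="$3"
    if awk -v k="$key" '/^\[/ { exit } $0 ~ ("^" k "[ \t]*=") { found = 1 }
                         END { exit !found }' "$file"; then
        return 0
    fi
    { printf '%s = %s\n' "$key" "$value"; cat "$file"; } >"$file.tmp"
    mv "$file.tmp" "$file"
}

# add_legacy_provider FILE -> the lines from the post, merged safely. Listing
# providers explicitly disables the implicit default, so default must be
# activated alongside legacy.
add_legacy_provider() {
    local cnf="$1"
    ensure_top_kv "$cnf" openssl_conf openssl_init
    ensure_kv "$cnf" openssl_init  providers provider_sect
    ensure_kv "$cnf" provider_sect default   default_sect
    ensure_kv "$cnf" provider_sect legacy    legacy_sect
    ensure_kv "$cnf" default_sect  activate  1
    ensure_kv "$cnf" legacy_sect   activate  1
}

# count_headers FILE SECTION -> number of "[SECTION]" headers (should be 1)
count_headers() { grep -c "^\[$2]" "$1" || true; }

# make_sample_cnf FILE -> constructed sample resembling a trimmed OpenSSL 3
# openssl.cnf: provider_sect exists, no legacy entry, default only commented.
make_sample_cnf() {
    cat >"$1" <<'EOF'
# constructed sample, trimmed
openssl_conf = openssl_init

[openssl_init]
providers = provider_sect

[provider_sect]
default = default_sect

[default_sect]
# activate = 1
EOF
}

cnf="$(mktemp)"
make_sample_cnf "$cnf"
add_legacy_provider "$cnf"
add_legacy_provider "$cnf"        # second run must change nothing
cat "$cnf"
# If an OpenSSL 3 binary is on PATH, show that both providers load now; a
# legacy.dll/legacy.so missing from MODULESDIR would fail right here.
if command -v openssl >/dev/null; then
    OPENSSL_CONF="$cnf" openssl list -providers || true
fi
rm -f "$cnf"
```

Point it at the file that `openssl version -d` reports (after copying it somewhere you can write to) and diff the result before putting it back; the `openssl list -providers` output is the quick check that the legacy module is actually loadable from MODULESDIR, which the cnf change alone does not guarantee.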