topic Re: Cretificate Update Test in Administration and Deployment

Cretificate Update Test

Mushy — Tue, 23 Apr 2024 09:56:30 GMT

Hello,

I have recieved three certificates root, intermediate and the server certificate to apply in the Linux server.

How do i verify the validity/correctness of the existing certificate, before applying new certificates?

Thanks,

Mushy

Re: Cretificate Update Test

gwootton — Wed, 24 Apr 2024 18:01:35 GMT

You can use openssl commands to check a certificate against a key and against a certificate authority.

For example:

#Check if key matches certificate, these modulus would match.
openssl rsa -noout -modulus -in server.key
openssl x509 -noout -modulus -in server.crt

# Check if a certificate is valid for a given CA/Intermediate.
openssl verify -CAfile root.crt -untrusted intermediate.crt server.crt

Re: Cretificate Update Test

Mushy — Thu, 25 Apr 2024 08:10:30 GMT

@gwootton Thanks for the guidance!

Re: Cretificate Update Test

Rahulmahajan129 — Tue, 10 Dec 2024 17:38:28 GMT

@gwootton , could you please help with steps how we can apply this certificates ?

Re: Cretificate Update Test

Acf2 — Tue, 10 Dec 2024 18:47:29 GMT

Similar issue. Do we know what mechanism SAS Deployment Manager uses to validate .pem files ? We have added a new root certificate but the intermediate chain.pem and .pem files are being rejected as not Base-64.

No validation details are being written to %SASHOME%\InstallMisc\InstallLogs\certframe_wx6_certadd_2024-12-09-13.45.29.log

Both certutil.exe -verify and openssl.exe rsa -modulus are accepting the format but not sasdm.exe. Waiting to hear from SAS TS.
I think the documentation at SAS Help Center: Manage Certificates in the Trusted CA Bundle Using the SAS Deployment Manager could be improved with Greg's approach.

Re: Cretificate Update Test

gwootton — Tue, 10 Dec 2024 21:42:06 GMT

Sounds like Deployment Manager doesn't think your .pem files are in the correct format. If you open those files with a text editor do they follow this format?
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Re: Cretificate Update Test

gwootton — Wed, 11 Dec 2024 20:46:40 GMT

To add certificates to your trusted CA bundle in SAS 9.4 you would use the associated SAS Deployment Manager task.
This is documented here:
https://go.documentation.sas.com/doc/en/pgmsascdc/9.4_3.5/secref/n0n1y5gwevy312n13h5bm4yf6quy.htm

Re: Cretificate Update Test

Acf2 — Mon, 16 Dec 2024 17:54:52 GMT

Good call. The .pem files have additional text from the creation tool:

Bag Attributes
localKeyID: 90 4D C7 DB 9F 31 E5 4D B6 99 2F E3 BA A8 17 3B 44 28 6A 0E
.

-----BEGIN CERTIFICATE-----

Not completely invalid as certutil.exe can read it :

certutil -verify "C:\temp\xxx.pem"

Returns 'CertUtil: -verify command completed successfully.'

Some manual editing is needed and I will ask for a specific format next time.

Re: Cretificate Update Test

SASKiwi — Mon, 16 Dec 2024 19:08:56 GMT

I ran into this exact problem myself. Since I knew I had a valid certificate as it was working in SAS web apps, I just exported the certificate out of the MS Edge browser using the Certificate Viewer and applied it successfully in Deployment Manager. That workaround was provided by Tech Support.

Re: Cretificate Update Test

Acf2 — Wed, 18 Dec 2024 22:35:01 GMT

Another mystery.

Where is SAS Usage Note 57370. 2016. “Downloading, installing, and using the TLS/SSL Diagnostic Tool for SAS® 9.4.” Available at http://support.sas.com/kb/57/370.html ?

It is the last reference from Stuart Rogers' definitive 2016 paper Tips and Techniques for Using Site-Signed HTTPS with SAS® 9.4 : Paper Template

Could it be referencing keytool.exe or openssl.exe?

Re: Cretificate Update Test

gwootton — Thu, 19 Dec 2024 15:07:17 GMT

That SAS Note linked to a custom JAR file that is no longer published, but it was similar to the functionality of keytool.exe in terms of viewing what was in trustedcerts.jks but in a visual interface, and viewing the contents of the Windows certificate store, similar to the certificates snap-in for Microsoft Management Console (certlm/certmgr).

Re: Cretificate Update Test

Acf2 — Thu, 19 Dec 2024 15:32:31 GMT

Thanks Greg. From your description, this approach should give similar details :

"D:\Program Files\SASHome\SASPrivateJavaRuntimeEnvironment\9.4\jre\bin\keytool.exe" -list -v^

-keystore "D:\Program Files\SASHome\SASSecurityCertificateFramework\1.1\cacerts\trustedcerts.jks"^

-storepass xxxx > "D:\sas\Batch\Sysadmin\Security\trustedcerts_jks.lst"

I can see how an app might be useful. There 142 occurences of trustedCertEntry in our listing !

It is tempting to start over and create a new .jks file with just our 2 entries .

Re: Cretificate Update Test

gwootton — Thu, 19 Dec 2024 15:43:58 GMT

By default trustedcerts includes a number of built-in well-known CA certificates, so you'll see many that are not related to your internal certificates.