Mushy
Quartz | Level 8

Hello,

 

I have received three certificates (root, intermediate and the server certificate) to apply on the Linux server.

How do I verify the validity/correctness of the existing certificate before applying the new certificates?

 

Thanks,

Mushy

1 ACCEPTED SOLUTION

Accepted Solutions
gwootton
SAS Super FREQ
You can use openssl commands to check a certificate against a key and against a certificate authority.

For example:

# Check if the key matches the certificate; these moduli would match.
openssl rsa -noout -modulus -in server.key
openssl x509 -noout -modulus -in server.crt

# Check if a certificate is valid for a given CA/Intermediate.
openssl verify -CAfile root.crt -untrusted intermediate.crt server.crt
--
Greg Wootton | Principal Systems Technical Support Engineer
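
The checks from the answer above wrapped into a pre-install script, as an added example that is not part of the original post. It goes slightly beyond the post: it compares public keys rather than RSA moduli so EC keys also work, and adds an expiry check with `-checkend`. Assumptions: PEM files, an unencrypted private key, placeholder file names, and a 30-day expiry threshold chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes PEM files and an
# unencrypted private key; all file names are placeholders.

# Key/certificate pairing: compare the public key derived from the private key
# with the one embedded in the certificate. Unlike the RSA modulus comparison,
# this also works for EC keys.
key_matches_cert() {  # key_matches_cert server.key server.crt
    kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# Chain check, same command as in the post; the exit status carries the result.
chain_ok() {  # chain_ok root.crt intermediate.crt server.crt
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# True if the certificate is still within its validity period N days from now.
valid_for_days() {  # valid_for_days cert.crt N
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Run all checks, print a report, return the number of failed checks.
precheck() {  # precheck server.key server.crt intermediate.crt root.crt
    fails=0
    if key_matches_cert "$1" "$2"; then echo "OK    key matches certificate"
    else echo "FAIL  key does not match certificate"; fails=$((fails + 1)); fi
    if chain_ok "$4" "$3" "$2"; then echo "OK    chain verifies to root"
    else echo "FAIL  chain does not verify"; fails=$((fails + 1)); fi
    for c in "$2" "$3" "$4"; do
        if valid_for_days "$c" 30; then echo "OK    $c valid for 30+ days"
        else echo "FAIL  $c expired or expires within 30 days"; fails=$((fails + 1)); fi
    done
    return "$fails"
}

# Usage: sh precheck.sh server.key server.crt intermediate.crt root.crt
if [ "$#" -eq 4 ]; then precheck "$@"; fi
```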


12 REPLIES 12
Mushy
Quartz | Level 8

@gwootton  Thanks for the guidance!

Rahulmahajan129
Calcite | Level 5

@gwootton, could you please help with the steps for how we can apply these certificates?

gwootton
SAS Super FREQ
To add certificates to your trusted CA bundle in SAS 9.4 you would use the associated SAS Deployment Manager task.
This is documented here:
https://go.documentation.sas.com/doc/en/pgmsascdc/9.4_3.5/secref/n0n1y5gwevy312n13h5bm4yf6quy.htm
--
Greg Wootton | Principal Systems Technical Support Engineer
Acf2
Obsidian | Level 7

Similar issue. Do we know what mechanism SAS Deployment Manager uses to validate .pem files? We have added a new root certificate but the intermediate chain.pem and .pem files are being rejected as not Base-64.

 

No validation details are being written to %SASHOME%\InstallMisc\InstallLogs\certframe_wx6_certadd_2024-12-09-13.45.29.log

Both certutil.exe -verify and openssl.exe rsa -modulus are accepting the format but not sasdm.exe. Waiting to hear from SAS TS.
I think the documentation at SAS Help Center: Manage Certificates in the Trusted CA Bundle Using the SAS Deployment Manager could be improved with Greg's approach. 

 

gwootton
SAS Super FREQ
Sounds like Deployment Manager doesn't think your .pem files are in the correct format. If you open those files with a text editor do they follow this format?
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
--
Greg Wootton | Principal Systems Technical Support Engineer
Acf2
Obsidian | Level 7

Good call. The .pem files have additional text from the creation tool: 

 

Bag Attributes
localKeyID: 90 4D C7 DB 9F 31 E5 4D B6 99 2F E3 BA A8 17 3B 44 28 6A 0E
...
-----BEGIN CERTIFICATE-----

 

Not completely invalid, as certutil.exe can read it:

certutil -verify "C:\temp\xxx.pem"

 

Returns 'CertUtil: -verify command completed successfully.'

 

Some manual editing is needed and I will ask for a specific format next time.
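
One way to do that manual edit repeatably, as an added example that is not part of the original posts and not SAS code: keep only the `-----BEGIN CERTIFICATE-----` / `-----END CERTIFICATE-----` blocks and drop the "Bag Attributes" text, blank lines and Windows line endings. The sample file is constructed with a placeholder body, the function names are hypothetical, and what Deployment Manager actually checks is not stated in the thread, so the base64 test here is an assumption about a strict parser.

```shell
#!/bin/sh
# Added example, not SAS code. Function names and sample data are constructed.

# Print only the CERTIFICATE blocks of a PEM file: drops "Bag Attributes",
# localKeyID, subject=/issuer= lines, blank lines, trailing blanks and CRs.
# Exit status 1 if a line inside a block is not plain base64.
pem_certs_only() {
    awk '
        { sub(/[ \t\r]+$/, "") }
        $0 == "-----BEGIN CERTIFICATE-----" { inblock = 1; print; next }
        $0 == "-----END CERTIFICATE-----"   { if (inblock) print; inblock = 0; next }
        inblock && $0 != "" {
            if ($0 ~ "[^A-Za-z0-9+/=]") bad = 1
            print
        }
        END { exit bad + 0 }
    ' "$1"
}

# True if the file also carries a private key block.
pem_has_private_key() {
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Write a cleaned copy and print how many certificates it holds. This example
# stops when a private key is present so the key is not copied any further.
clean_pem() {  # clean_pem in.pem out.pem
    if pem_has_private_key "$1"; then
        echo "refusing: $1 contains a private key" >&2; return 2
    fi
    pem_certs_only "$1" > "$2" || { echo "non-base64 data inside a block" >&2; return 3; }
    n=$(grep -c -e '^-----BEGIN CERTIFICATE-----$' "$2" || true)
    echo "$n"
    [ "$n" -gt 0 ]
}

# Constructed sample shaped like the file described above (CRLF line endings,
# header text before the block); the body is a placeholder, not a certificate.
make_sample() {  # make_sample out.pem
    printf '%s\r\n' 'Bag Attributes' '    localKeyID: 01 02 03 04' \
        'subject=CN = constructed.example' '' \
        '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=' \
        '-----END CERTIFICATE-----' > "$1"
}

# Usage: sh clean_pem.sh in.pem out.pem
if [ "$#" -eq 2 ]; then clean_pem "$1" "$2"; fi
```

Running `openssl x509 -in out.pem -noout -subject -enddate` on the cleaned file confirms it still parses as a certificate before it is handed to Deployment Manager.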

SASKiwi
PROC Star

I ran into this exact problem myself. Since I knew I had a valid certificate as it was working in SAS web apps, I just exported the certificate out of the MS Edge browser using the Certificate Viewer and applied it successfully in Deployment Manager. That workaround was provided by Tech Support.

Acf2
Obsidian | Level 7

Another mystery.

 

Where is SAS Usage Note 57370. 2016. “Downloading, installing, and using the TLS/SSL Diagnostic Tool for SAS® 9.4.” Available at http://support.sas.com/kb/57/370.html?

It is the last reference from Stuart Rogers' definitive 2016 paper Tips and Techniques for Using Site-Signed HTTPS with SAS® 9.4.

 

Could it be referencing keytool.exe or openssl.exe?

gwootton
SAS Super FREQ
That SAS Note linked to a custom JAR file that is no longer published, but it was similar to the functionality of keytool.exe in terms of viewing what was in trustedcerts.jks but in a visual interface, and viewing the contents of the Windows certificate store, similar to the certificates snap-in for Microsoft Management Console (certlm/certmgr).
--
Greg Wootton | Principal Systems Technical Support Engineer
Acf2
Obsidian | Level 7

Thanks Greg. From your description, this approach should give similar details :

 

"D:\Program Files\SASHome\SASPrivateJavaRuntimeEnvironment\9.4\jre\bin\keytool.exe" -list -v^
 -keystore "D:\Program Files\SASHome\SASSecurityCertificateFramework\1.1\cacerts\trustedcerts.jks"^
 -storepass xxxx > "D:\sas\Batch\Sysadmin\Security\trustedcerts_jks.lst"
 
I can see how an app might be useful. There are 142 occurrences of trustedCertEntry in our listing!
 
It is tempting to start over and create a new .jks file with just our 2 entries.
gwootton
SAS Super FREQ
By default trustedcerts includes a number of built-in well-known CA certificates, so you'll see many that are not related to your internal certificates.
--
Greg Wootton | Principal Systems Technical Support Engineer
