Just some additional details. I got two certs from my IT guys (root.cer and local.cer). When I tried applying root.cer(It was in pem format), I get an error

BUILD FAILED
: Failed generate trustedcerts.jks: null

I also changed the root.cer to root.pem extension and still received the same error. 

Sorry, I failed to mention that I am trying to configure SAS mid tier on RHEL 7 environment. 

What method are you using to import your CA certs into the Trusted CA Bundle, and what commands are you using (if any)? Have you seen Manage Certificates in the Trusted CA Bundle Using the SAS Deployment Manager in the Encryption in SAS® 9.4 documentation?

When SAS or third party software makes a TLS connection to a SAS server it needs to verify the certificate chain. If the server cert is signed by an intermediate CA and that intermediate CA's cert is signed by a root CA then the root CA and the intermediate CA certificates need to be found as trusted certs by the client. For SAS clients the Trusted CA Bundle is used. If you have site signed certs then you add your site CA certificate (and any site intermediate CA if used). If you have commercial CA signed certificates (e.g. DigiCert etc) where the commercial root CA cert is already present in the Trusted CA Bundle then you may only need to install any intermediate CA certificate (all the commercial CA certs I have used have had an intermediate CA).

I sometimes forget whether I have added CA certificates to the Trusted CA Bundle and so wrote down some notes on what I do to check in this blog post: Did I add that CA Certificate to the SAS Trusted CA Bundle? 

I forgot to add that the openssl x509 command is very useful in reviewing/checking the PEM files before you add them to the SAS Trusted CA Bundle. Check out the Examples section of the OpenSSL x509 man page for some examples command lines.

BTW sometimes PEM files come with a text version embedded in them to make it easier for humans to read. I have found that some tools (can't remember if the SAS Deployment Manager is one of them) don't like this and so if I have problems I'll remove the additional text so that the PEM files only contain the  -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- block(s).

I just checked my notes and saw I had written:

# Use SAS Deployment Manager to import our CA certificates into the trusted CA bundle.
# Can only add one cert at a time.
# Need to remove text descriptors from the .crt files before using SAS Deployment Manager (otherwise it complains about non-PEM encoding)

... this doesn't sound like the error you have having but I would look inside the PEM files to check they only have a -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- block and no text form of the certificate before/after the block.

Hello @PaulHomes

Thank you for all the details. Yes I was using SDM to import the certificates and we also verified the certs using the below command

 openssl verify -CAfile ./ca-chain.pem sastest.cer
sastest.cer: OK

I checked the file and it just has "BEGIN CERTIFICATE....END CERTIFICATE and no other text.  But it just keeps throwing that error. I have raised this with SAS support now. 

Hello @RupaJ,

the Build failed for trustcerts.jks tells me there might be a problem with the trustedcerts.jks file itself. Could you check the user that is trying to update the certificate (should be the sasinst user) and the permissions on the file itself?

I can also imagine a corruption in this file (I have seen it several other times, from people trying to import the certificates with keytool commands, not SAS Deployment Manager) and in this case, only a restore from a previous version might help. My advise: very careful with that.

PS. for other people coming to this thread, please see a guide on Paul's comments and this link https://communities.sas.com/t5/Administration-and-Deployment/HTTPS-ERROR/td-p/340502

Hello @JuanS_OCS

Thanks for the response. I am not able to locate the trustcerts.jks file on the server I am installing. I don't see this file even on my production server where SAS 9.4 M3 is up and running. 

I am using sasinstaller user to launch the SDM. 

"trustedcerts.jks"

If everything else fails, and while you wait for the response by SAS Technical Support, you can always try and use this Java-based tool: http://support.sas.com/kb/57/370.html

Very recommended 🙂 My life saver for SSL certificates in SAS.

Ahh, thanks! So I tried the tool and checked the "trustedcerts.jks" keystore and I got "connection successful".  So looks like the keystore is working. Not sure why I am getting the error while importing them. 

You can import the certs with this tool too.

I would contact SAS Technical Support, there might be a hotfix available for that problem.

Have you had a look at the SAS Deployment Manager log files to see if there are any additional error messages or clues? I just checked /home/sas/.SASAppData/SASDeploymentWizard/*.log and can see when I added my site CA certificates. Perhaps your log files have some helpful error messages?

Hello @PaulHomes,

Thanks! So I reached out to SAS support and they are suspecting an issue with trustedcerts.pem file. We launched the SDM with -loglevel 2 option and gathered more logs (including the SDM logs which I wasn't aware until then). I shall post the solution once it's resolved.