Error Creating New Key Store in API Management for 2 Way SSL

GreggHinkle
Participant
0 Kudos

Hi,

I am trying to create a new Key Store in API Management to be used for 2 way SSL. My security partner created a certificate and private key which we will use with an API Provider. Our provider required us to create our public certificate with the following criteria:

  • Certificate should be in .cer or .crt format, which must be a X509 cert.

Our security partner created a certificate in *.crt format and the private key in .key format. From investigating these files, they appear to be in PEM format since the certificate starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE----- and the private key starts with -----BEGIN PRIVATE KEY----- and ends with -----END PRIVATE KEY-----.

I read the following blog https://blogs.sap.com/2018/01/19/sap-cloud-platform-api-management-client-certificate-authentication... and looked at OSS note 2796067 and it appears that SAP API Management requires the certificate and key in .pem format. From what I read, I should be able to rename the public certificate and private key to .pem since .pem, .crt, and .key are all PEM format.

I renamed the certificate to .pem and the private key to .pem and created the .jar file as the blog stated. When I try to create a new key store in SAP API Management and upload the .jar file to it, I get the following error:

Does anyone have an idea why I keep getting this error?


Accepted Solutions (0)

Answers (2)

vinayak_adkoli
Advisor
0 Kudos

Hi Gregg,

I don't see any errors in the steps that you've described. Where I believe the problem lies is in the format of the private key.

What has worked for me is getting the private key in PKCS#8 format that starts with either -----BEGIN ENCRYPTED PRIVATE KEY----- or -----BEGIN RSA PRIVATE KEY----- format.

You may be using PKCS#5 format. Just a guess, pls see if this helps.

Also, you may use this command to generate a p12 certificate from the X.509 certificate and the key you already have:

openssl pkcs12 -export -out keyStore.p12 -inkey myKey.pem -in certs.pem

vinayak_adkoli
Advisor
0 Kudos

Hi Gregg,

It's hard to guess what could have gone wrong with the information that you've provided.

Letting you know that it is also possible now to upload a pfx / p12 file that has both the certificate and key part in one file, and you could upload such a file directly instead of creating a jar. You can try this approach once.

A tip: You may want to use unique names every time you create the keystore, as there are situations where even if the keystore creation failed, the name entry is retained in the DB and a duplicate error appears at times.

Regards, Vinayak

GreggHinkle
Participant
0 Kudos

Hi Vinayak,

Thanks for your reply. Let me give a little more information. I am trying to create a new Key Store. No other Key Store has been created in API Management. Both the certificate and private key are in PEM format, suffixed with .pem. I validated that the key and the certificate are valid by executing the following openssl commands and verifying that they both returned the same value.

openssl x509 -noout -modulus -in xxxxxxxxx.pem | openssl md5
openssl rsa -noout -modulus -in xxxxxxxxx.privatekey.pem | openssl md5

I created the JAR file by first creating an empty directory, and placed both the certificate and the private key in the directory. I created a subdirectory in this directory named META-INF. In this new subdirectory, I created a text file named descriptor.properties. In this text file I entered the following two lines (where xxxxxxxxx is the name of the certificate & key):

certFile=xxxxxxxxx.pem
keyFile=xxxxxxxxx.privatekey.pem

Then from the directory where the certificate and private key are located, I executed the following commands to create the JAR file:

jar -cf xxxxxxxx.jar xxxxxxxxx.pem xxxxxxxxx.privatekey.pem
jar -uf xxxxxxxx.jar META-INF/descriptor.properties

I then tried to create a new key store in the Configure tab of API Management in the Certificates screen. I clicked on the Create button, selected the certificate type of Key Store and the radio button of New Store. I then entered a unique store name, name, and uploaded the JAR file from my PC using the browse button. After I navigate to my file and select it, it copies the name of the JAR file to the Upload field. I then press the Create button. This is where the error that is shown on the screen shot appears. While I could try the one certificate approach that you mentioned, the certificate and key that have been given to me to use are in this format. I would need to go through the process of re-certifying everything again with our 3rd party vendor, and they required the certificate to be in X509 .crt format. Let me know if you have any ideas.

Thanks,
Gregg
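Pulling the checks from this thread together, as an added example that is not part of any post above: a POSIX shell script that classifies the private key by its PEM header (the point of Vinayak's first answer), runs the same modulus comparison Gregg did by hand, and builds the META-INF/descriptor.properties JAR he describes. It assumes openssl and jar are on PATH; every file name is a placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check a PEM certificate/key pair
# before packaging it for the API Management key store.
set -e

# Classify a PEM private key by its first header line. The thread's answers
# disagree on which headers have worked, so knowing which one you actually
# hold is the first thing to check when the upload is rejected.
# CR characters are stripped so keys saved with Windows line endings match.
pem_key_type() {
    case "$(head -n 1 "$1" | tr -d '\r')" in
        '-----BEGIN PRIVATE KEY-----')           echo "PKCS#8 (unencrypted)" ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo "PKCS#8 (encrypted)" ;;
        '-----BEGIN RSA PRIVATE KEY-----')       echo "PKCS#1 (RSA)" ;;
        *)                                       echo "unknown" ;;
    esac
}

# Return 0 when the certificate's RSA modulus equals the key's: the check
# the poster ran by hand, without the md5 step, which only shortens output.
cert_matches_key() {   # cert.pem key.pem
    cert_mod=$(openssl x509 -noout -modulus -in "$1")
    key_mod=$(openssl rsa -noout -modulus -in "$2")
    [ "$cert_mod" = "$key_mod" ]
}

# Produce the two-line META-INF/descriptor.properties content from the thread.
descriptor_properties() {   # cert.pem key.pem
    printf 'certFile=%s\nkeyFile=%s\n' "$(basename "$1")" "$(basename "$2")"
}

# Stage cert, key and descriptor in a clean directory and package the JAR,
# so no stray files from the working directory end up in the archive.
build_keystore_jar() {   # cert.pem key.pem out.jar
    work=$(mktemp -d)
    mkdir "$work/META-INF"
    cp "$1" "$2" "$work/"
    descriptor_properties "$1" "$2" > "$work/META-INF/descriptor.properties"
    out=$(cd "$(dirname "$3")" && pwd)/$(basename "$3")
    (cd "$work" && jar -cf "$out" "$(basename "$1")" "$(basename "$2")" META-INF/descriptor.properties)
    rm -rf "$work"
}

# Usage: sh keystore_check.sh run cert.pem key.pem keystore.jar
if [ "${1:-}" = "run" ]; then
    echo "private key format: $(pem_key_type "$3")"
    cert_matches_key "$2" "$3" || { echo "certificate and key do not match" >&2; exit 1; }
    build_keystore_jar "$2" "$3" "$4"
fi
```

If the key reports PKCS#1 (RSA), `openssl pkcs8 -topk8 -nocrypt` converts it to an unencrypted PKCS#8 header; the p12 route from Vinayak's answer needs no conversion.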