Unable to load Certificate from Keystore - iPrint Appliance 3.1

  • 7022285
  • 07-Nov-2017
  • 30-Aug-2018

Environment

Micro Focus iPrint Appliance 3.1

Situation

After upgrading from iPrint Appliance 3.0 to 3.1, with 3rd party certificates applied, clicking the "Certificates" link within the iPrint Management Console (https://<ip or dns>:9443/iprintconfig/certificates) results in the following message:
Unable to load Certificate from Keystore

Also, when attempting to update the CSR generated from the Management Console in the Certificate Authority page, an error is returned:
The following error was encountered:
The CSR has an invalid signature.

Resolution

Update the iPrint Appliance server to version 3.1.2 to obtain an updated certman.sh file, which has been enhanced with a new target, utils, that takes these two options:
c : generates a private key and CSR using the openssl command and verifies them
u : updates the certificate alias name in the keystore file to the hostname
Then, follow these steps:
  1. Make a backup of the server's /opt/novell/iprintmobile/bin/certman.sh file.
  2. Copy the updated certman.sh file to the server's /opt/novell/iprint/iprintmobile/bin directory.
  3. Copy/paste the following command into a terminal session:
    • chmod +x /opt/novell/iprintmobile/bin/certman.sh
  4. Copy/paste the following command into a terminal session:
    • /usr/bin/keytool -list -keystore /vastorage/conf/certs/keystore -storepass changeit -v | grep "Alias name:"
      • If only one alias name is returned, then execute the following command:
  5. sh /opt/novell/iprintmobile/bin/certman.sh -t utils -u
    • The above command will update the alias name of the certificate in the keystore to the hostname and restart all the required services.
      • Note: Printing services will be disrupted during this activity because some of the print services are restarted.
    • After the services restart, you can view the Certificates page from the iPrint Appliance Management Console. You are done and do not need to follow the next steps.
  6. If more than one alias name is listed in the output of the command executed in step 1, first identify the valid certificate. You can view the validity of the certificates by executing the following command:
    • /usr/bin/keytool -list -keystore /vastorage/conf/certs/keystore -storepass changeit -v
  7. Now delete the rest of the certificates from the keystore file, using the alias names listed in the output of step 1, with the following command:
    • /usr/bin/keytool -delete -keystore /vastorage/conf/certs/keystore -storepass changeit -v -alias <alias_name>
  8. Once only the required certificate is left in the keystore, execute the command in step 5 and view the Certificates page from the iPrint Appliance Management Console.
Steps 5-8 above need to be executed when you see the error "Unable to load Certificate from Keystore" in the Certificates page of the iPrint Appliance Management Console.
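The following is an added example, not part of certman.sh or of this TID's original text. It condenses the verbose keytool listing from step 6 into one line per alias with the server certificate's expiry date, which makes it easier to tell the valid certificate from the ones to delete in step 7. The function names and the sample listing are constructed for illustration, and English-locale keytool output is assumed.

```shell
#!/bin/sh
# Added example, not part of certman.sh. On the appliance, pipe the step 6
# command (keytool -list ... -v) into alias_validity instead of the sample.

# Reads keytool -v output on stdin. $1 = today as YYYYMMDD (default: now).
# Prints "alias|expiry YYYYMMDD|VALID or EXPIRED" for each keystore entry.
alias_validity() {
    awk -v today="${1:-$(date +%Y%m%d)}" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = i
    }
    /^Alias name: / { alias = substr($0, 13); seen = 0; next }
    # Only the first "Valid from" after an alias is the server certificate;
    # later ones in the same entry belong to the CA chain.
    /^Valid from: / && alias != "" && !seen {
        seen = 1
        split($0, f, " until: ")
        split(f[2], d, " ")        # e.g. Thu Nov 07 10:00:00 UTC 2019
        expiry = sprintf("%04d%02d%02d", d[6], mon[d[2]], d[3])
        print alias "|" expiry "|" (expiry + 0 >= today + 0 ? "VALID" : "EXPIRED")
    }'
}

# Constructed sample: two entries, the second with a two-certificate chain.
sample_keystore_listing() {
    cat <<'EOF'
Alias name: old-cert
Creation date: Nov 7, 2015
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=iprint-server1.mf.com
Valid from: Sat Nov 07 10:00:00 UTC 2015 until: Mon Nov 07 10:00:00 UTC 2016

Alias name: iprint-server1.mf.com
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=iprint-server1.mf.com
Valid from: Tue Nov 07 10:00:00 UTC 2017 until: Thu Nov 07 10:00:00 UTC 2019
Certificate[2]:
Owner: CN=Example Issuing CA
Valid from: Fri Jan 01 00:00:00 UTC 2010 until: Tue Jan 01 00:00:00 UTC 2030
EOF
}

sample_keystore_listing | alias_validity 20180830
```

The script only reports; deleting an alias remains a manual decision made with the keytool -delete command from step 7.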

When there is an error while uploading the certificate signing request (CSR) generated from the Certificates page of the iPrint Appliance Management Console, follow these steps:
  1. Copy/paste the following command into a terminal session:
    • sh /opt/novell/iprintmobile/bin/certman.sh -t utils -c
      • A private key file and a certificate signing request will be created in the /vastorage/conf/certs folder, with the hostname as the filename. For example, if the hostname of the server is iprint-server1.mf.com, the files will be created as iprint-server1.mf.com.key and iprint-server1.mf.com.csr.
        • The output of the command will also mention the same:
          • Generated private key at /vastorage/conf/certs/iprint-server1.mf.com.key
            • The .key file name will be different from what is listed above.  iprint-server1.mf.com is simply an example.
          • Generated CSR at /vastorage/conf/certs/iprint-server1.mf.com.key.csr
            • The .csr file name will be different from what is listed above.  iprint-server1.mf.com.key.csr is simply an example.
      • The above command will also verify the generated CSR, and the output will be listed on the command console.
        • Copy the output between lines:
          • -----BEGIN CERTIFICATE REQUEST-----
          • MIICbTCCAVUCAQAwKDEmMCQGA1UEAxMdd2dwLWR0MjQwLmxhYnMuYmxyLm5vdmVs
          • ...
          • YwLnFG0nozfIdStriCcZnzqFsb1/jdAT9HgaQizBcpocGfFZirMImn57w21sND6C
          • -----END CERTIFICATE REQUEST-----
  2. Copy/paste the above certificate data, including the header and footer, and submit it to your certificate authority to get the response.
  3. Once you get the files from your certificate authority, upload all certificates along with the private key in the MC Certificates page.

Cause

Multiple certificates were uploaded to the keystore.

Additional Information

The error "The CSR has an invalid signature" can occur for multiple reasons, such as:
  • Use of an RSA-2048 public key with an RSA-4096 private key
  • An RSA signature length of 512 bytes is not accepted on some sites
  • Use of special characters in the CN name
  • Junk characters were added while copying the certificate
  • Multiple certificates have been applied to the keystore
This TID addresses the "Multiple certificates have been applied to the keystore" cause.

To verify the validity of a CSR, run this command:
  • Syntax:
    • openssl req -in </path/to/CSRfile> -verify
  • Example:
    • openssl req -in /tmp/MyCSRfile.csr -verify
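For the "junk characters were added while copying" cause listed above, the following added example (not part of the original TID or of certman.sh) checks a pasted CSR's structure and reports the first line that contains a stray carriage return or a character outside the base64 alphabet. The function names and the sample data are constructed for illustration; it complements the openssl check rather than replacing it, because it does not verify the signature.

```shell
#!/bin/sh
# Added example: structural check of a pasted CSR, read from stdin.
# Prints "OK" or the first problem found, with its line number.
check_csr_paste() {
    awk '
    function fail(msg) { print "line " NR ": " msg; bad = 1; exit }
    /\r$/ { fail("carriage return at end of line (CRLF paste)") }
    NR == 1 {
        if ($0 != "-----BEGIN CERTIFICATE REQUEST-----")
            fail("expected the BEGIN CERTIFICATE REQUEST header")
        next
    }
    closed && $0 != "" { fail("text after the END footer") }
    $0 == "-----END CERTIFICATE REQUEST-----" { closed = 1; next }
    /[^A-Za-z0-9+\/=]/ { fail("character outside the base64 alphabet") }
    END {
        if (!bad) print (closed ? "OK" : "missing END CERTIFICATE REQUEST footer")
    }'
}

# Constructed sample: placeholder base64 text, not a real CSR.
sample_csr() {
    printf '%s\n' '-----BEGIN CERTIFICATE REQUEST-----' \
        'Q09OU1RSVUNURUQgU0FNUExFIE5PVCBBIFJFQUwgQ1NS' \
        '-----END CERTIFICATE REQUEST-----'
}

sample_csr | check_csr_paste                                   # clean paste
sample_csr | awk '{ printf "%s\r\n", $0 }' | check_csr_paste   # CRLF line ends
sample_csr | sed '2s/$/ /' | check_csr_paste                   # trailing space
```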