Creating A Certificate To Be Used With Firefox or Windows Internet Explorer

Document ID : KB000048188
Last Modified Date : 14/02/2018

Description:

A CA and server certificate were created using CA Top Secret.

The certificates work for establishing SSL connections with various mainframe SSL clients and servers.

When the client is the Firefox or Windows Internet Explorer browser, however, the SSL connection to the https server fails, and the browser reports that the digital certificate is invalid.

The certificates and keyring were created with the following commands:


TSS GENCERT(CERTAUTH) DIGICERT(CYBAUTH) KEYUSAGE(CERTSIGN)
TSS GENCERT(CERTSITE) DIGICERT(CYBSCERT) KEYUSAGE(HANDSHAKE) -
   SIGNWITH(CERTAUTH,CYBAUTH)
TSS ADD(CYBSTDEF) KEYRING(CYBSRING)
TSS ADD(CYBSTDEF) KEYRING(CYBSRING) RINGDATA(CERTAUTH,CYBAUTH) -
   USAGE(CERTAUTH)
TSS ADD(CYBSTDEF) KEYRING(CYBSRING) DEFAULT RINGDATA(CERTSITE,CYBSCERT) -
   USAGE(PERSONAL)

An attempt to connect to the https server from the Firefox RESTClient add-on produced the following AT-TLS error message from TCP/IP on the mainframe:


EZD1287I TTLS Error RC:  414 SSL Control Data Read                           
LOCAL: ::FFFF:141.202.85.31..51001                                         
REMOTE: ::FFFF:10.132.11.71..58658                                         
JOBNAME: ESPWAIDW RULE: ESPWSS_DEV_Rule                                    
USERID: CYBSTDEF GRPID: 00000002 ENVID: 00000003 CONNID: 0001E35 

Return code 414 is the System SSL return code meaning that the digital certificate is invalid.

What is wrong with the certificate?

Internet Explorer displays the certificate attributes as follows -


Version: V3                                                                  
Serial number: 00                                                            
Signature algorithm: sha1RSA                                                 
Signature hash algorithm: sha1                                               
Issuer: CERTAUTH CERTIFICATES                                                
Valid from: Tuesday, March 04, 2014 8:00:00 PM                               
Valid to: Tuesday, December 31, 2019 7:59:59 PM                              
Subject: CERTAUTH CERTIFICATES                                               
Public key: 30 81 89 02 81 81 00 e7 53 d6 bf 98 06 8a 75 fb a7 c9 b1 cb 6a 4a
b8 ce 85 55 4a 87 12 76 9c 36 e9 6d 61 7f ee 65 7e 5b af c2 c8 89 40 84 15 ae
f2 c9 dd ae 66 f3 66 66 47 1c c0 a3 2a 1e a3 ca 2a 08 37 c4 70 75 fb a9 ec 76
c9 08 1f f3 f2 65 c1 d4 04 c9 ca 94 b3 f7 c2 43 db 8c 4d e7 48 3e d7 31 e0 be
ee b3 f7 b4 c2 b1 70 7d 46 3e 42 56 d2 89 cd c4 92 0d 0b e9 c1 c1 c3 51 41 01
64 42 21 cd 7a af af 7b 9d 02 03 01 00 01                                    
Netscape Comment: Generated by CA SAF Certificate Management Facility        
Subject Key Identifier: 3f f4 72 ce 42 a6 ed 49 2a 40 51 e2 40 61 df fa 79 ad
22 25                                                                        
Key Usage: Certificate Signing, Off-line CRL Signing, CRL Signing (06)       
Basic Constraints: Subject Type=CA, Path Length Constraint=None              
Thumbprint algorithm: sha1

Solution:

The browsers require a properly formed Subject Distinguished Name that includes an Organization (O=) attribute. In this example that attribute is 'O=CA' because the certificates were generated at CA; use your own organization name. The certificate displayed above was generated without SUBJECTN, so CA Top Secret assigned the default name CERTAUTH CERTIFICATES, which contains no O= attribute and no meaningful CN=. This is not a CA Top Secret requirement but a requirement of the applications: CA Top Secret does not validate or care what the Subject Distinguished Name contains. The server certificate must also identify the host the browser connects to; the example below does this with a CN and with ALTNAME('IP=141.202.85.31'), the LOCAL address shown in the EZD1287I message.

Example:


TSS GENCERT(CERTAUTH) DIGICERT(CYBAUTH) KEYUSAGE(CERTSIGN) -                
   SUBJECTN('CN="ESPWSS" O=CA OU="CA WA" C=US ST=NY') -
   ALTNAME('IP=141.202.85.31')                                             
TSS GENCERT(CYBSTDEF) DIGICERT(CYBSCERT) KEYUSAGE(HANDSHAKE) -              
   SIGNWITH(CERTAUTH,CYBAUTH) -                                            
   SUBJECTN('CN="ESPWSS" O=CA OU="CA WA" C=US ST=NY') -
   ALTNAME('IP=141.202.85.31')              
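The following is an added example, not part of the original article and not CA Top Secret code. It shows what a browser actually sees: the SUBJECTN keyword string becomes a DER-encoded X.501 Name (RFC 5280 section 4.1.2.4). The script parses the SUBJECTN string from the solution above, encodes it as a DER Name, decodes it back, and applies the checks this article describes (CN= and O= present) plus one more a practitioner wants for a server certificate: that its Subject is not identical to its Issuer. Assumptions: the default name CERTAUTH CERTIFICATES is modelled as a bare CN attribute, and only the attribute types shown in the article (CN, O, OU, C, ST, plus L) are supported.

```python
"""Added example: build and inspect the X.501 Name that a TSS SUBJECTN produces.

Pure standard library.  The browser never sees the TSS keyword string; it sees
a DER-encoded Name, so this encodes, decodes, and checks the decoded attributes.
"""
import shlex

# X.520 attribute types accepted here (id-at arc 2.5.4).
ATTR_OIDS = {"CN": "2.5.4.3", "C": "2.5.4.6", "L": "2.5.4.7",
             "ST": "2.5.4.8", "O": "2.5.4.10", "OU": "2.5.4.11"}
OID_ATTRS = {oid: attr for attr, oid in ATTR_OIDS.items()}

# Constructed: the subject Internet Explorer showed for the failing certificate,
# modelled as a bare CN (assumption about Top Secret's default subject name).
DEFAULT_SUBJECT = [("CN", "CERTAUTH CERTIFICATES")]
# The SUBJECTN value from the KB solution.
KB_SUBJECTN = 'CN="ESPWSS" O=CA OU="CA WA" C=US ST=NY'


def parse_subjectn(text):
    """Split a SUBJECTN value into [(attr, value), ...].
    shlex honours the double quotes around values that contain blanks."""
    rdns = []
    for token in shlex.split(text):
        attr, sep, value = token.partition("=")
        attr = attr.upper()
        if not sep or attr not in ATTR_OIDS:
            raise ValueError(f"unsupported SUBJECTN component: {token!r}")
        rdns.append((attr, value))
    return rdns


def _tlv(tag, body):
    """DER tag-length-value; long-form length when the body is 128+ bytes."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body


def _oid(dotted):
    """Encode a dotted OID: first two arcs packed, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return _tlv(0x06, bytes(body))


def encode_name(rdns):
    """Name ::= SEQUENCE OF RelativeDistinguishedName (one ATV per SET here).
    countryName is PrintableString; the others are UTF8String per RFC 5280."""
    seq = b""
    for attr, value in rdns:
        string_tag = 0x13 if attr == "C" else 0x0C
        atv = _tlv(0x30, _oid(ATTR_OIDS[attr]) + _tlv(string_tag, value.encode()))
        seq += _tlv(0x31, atv)
    return _tlv(0x30, seq)


def _read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def decode_name(der):
    """Inverse of encode_name; unknown attribute types come back as dotted OIDs."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(body):
        _, rdn, pos = _read_tlv(body, pos)      # SET OF
        _, atv, _ = _read_tlv(rdn, 0)           # AttributeTypeAndValue
        _, oid, end = _read_tlv(atv, 0)
        _, value, _ = _read_tlv(atv, end)
        dotted = _decode_oid(oid)
        rdns.append((OID_ATTRS.get(dotted, dotted), value.decode()))
    return rdns


def check_subject(subject, issuer=None):
    """Problems a browser would report: no CN=, no O= (the KB's point), and,
    when issuer is given for a server certificate, a Subject identical to its
    Issuer, which makes the certificate look self-signed instead of CA-signed."""
    attrs = {attr for attr, _ in subject}
    problems = [f"no {a}= attribute" for a in ("CN", "O") if a not in attrs]
    if issuer is not None and issuer == subject:
        problems.append("Subject DN identical to Issuer DN")
    return problems


if __name__ == "__main__":
    good = parse_subjectn(KB_SUBJECTN)
    print("default name:", check_subject(DEFAULT_SUBJECT))
    print("KB SUBJECTN :", check_subject(good))
    print("DER hex     :", encode_name(good).hex())
```

Run it on the two names above: the default name fails only the O= check, the SUBJECTN from the solution passes, and passing the same name as both subject and issuer (as the two GENCERT commands above would produce for the server certificate) flags the duplicate DN.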

Two points to check when adapting this example. First, it generates the server certificate under the ACID CYBSTDEF rather than CERTSITE, so the keyring entry must name the same owner, RINGDATA(CYBSTDEF,CYBSCERT), or the keyring will not find the certificate. Second, the CA certificate and the server certificate are given identical Subject Distinguished Names here; give the CA certificate a distinct CN so that the server certificate's Issuer and Subject differ and the browser builds the chain to CYBAUTH unambiguously.

Please refer to the CA Top Secret Command Functions Guide or the CA Top Secret Cookbook for more details about the TSS GENCERT command.