Problem with the Certificate Export

Document ID : KB000050541
Last Modified Date : 14/02/2018

Description:

The following commands were executed:

TSS GENCERT(PROD) DIGICERT(DC01) SUBJECTN('CN="DC01-AN2010" - 
C="FR" ST="PARIS" L="PARIS" O="PARIS" OU="RBIS"') - 
KEYSIZE(2048)

TSS GENREQ(PROD) DIGICERT(DC01) -
    DCDSN(HQL.TSSADMIN.DC01) LABLCERT('DC01')

The dataset 'HQL.TSSADMIN.CDC01' was then sent to a superior trusted authority to be signed. After signing, the certificate was added back into TSS as follows:

TSS REM(PROD) DIGICERT(DC01)

TSS ADD(PROD) DIGICERT(DC01) -
    DCDSN(HQL.TSSADMIN.DC01) TRUST

TSS ADD(PROD) KEYRING(KRPROD01) RINGDATA(PROD,DC01) -
    USAGE(PERSONAL) TRUST DEFAULT

After the TSS commands above were executed, the application no longer worked. The following error message was received:

Funtion <gsk_secure_socket_init> : Error GSK 428 (Key entry does not contain a private key).

Solution:

By doing the following, the private key will be lost:

TSS GENCERT(PROD) DIGICERT(DC01) SUBJECTN('CN="DC01-AN2010" - 
C="FR" ST="PARIS" L="PARIS" O="MY PARIS" OU="RBIS"') - 
KEYSIZE(2048)

TSS GENREQ(PROD) DIGICERT(DC01) -
    DCDSN(HQL.TSSADMIN.DC01) LABLCERT('DC01')

TSS REM(PROD) DIGICERT(DC01)

TSS ADD(PROD) DIGICERT(DC01) -
    DCDSN(HQL.TSSADMIN.DC01) TRUST

TSS ADD(PROD) KEYRING(KRPROD01) RINGDATA(PROD,DC01) -
    USAGE(PERSONAL) TRUST DEFAULT

When you run TSS GENREQ to get the certificate signed, the private key is not exported as part of the PKCS10 request that is built and written to the dataset.

This is not a bug; it is designed to work this way. The private key remains in the security file.

The private key is reconnected to the certificate when you add the signed certificate back into the security file.

Deleting DC01 with the following command before re-adding the signed certificate is what loses the private key:

TSS REM(PROD) DIGICERT(DC01)

Once lost, the private key cannot be recovered. You have to generate a new certificate.
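The reconnection described above works because the signed certificate carries the same public key that the retained private key belongs to; a certificate issued for the original request will never match a key pair generated after a REM. The following Go program is an added illustration, not code from this article or from CA Top Secret: it models GENCERT (key pair kept locally), GENREQ (a PKCS#10 request holding only the public key), signing by a constructed CA that stands in for the "superior trusted authority", and then checks the returned certificate against both the retained key and a fresh key. The CA name and the `keyMatchesCert`, `issueFromRequest` and `walkthrough` helpers are assumptions for this example; the subject fields mirror the SUBJECTN used in the article.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// keyMatchesCert reports whether the public key inside cert is the public
// half of key. This is the relationship TSS relies on when it reconnects a
// signed certificate to the private key that stayed in the security file.
func keyMatchesCert(cert *x509.Certificate, key crypto.Signer) bool {
	pub, ok := cert.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if !ok {
		return false
	}
	return pub.Equal(key.Public())
}

// issueFromRequest stands in for the external signing authority: it parses
// the DER PKCS#10 request (subject and public key only, no private key),
// verifies the request's self-signature and issues a certificate under caCert.
func issueFromRequest(csrDER []byte, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      csr.Subject,
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// walkthrough replays the scenario and returns whether the signed certificate
// matches the retained key (GENCERT kept) and whether it matches a fresh key
// (what exists after REM followed by a new GENCERT).
func walkthrough() (matchesRetained, matchesFresh bool, err error) {
	// Constructed CA standing in for the superior trusted authority.
	caKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Example CA"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return false, false, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return false, false, err
	}
	// GENCERT equivalent: the key pair that never leaves the security file.
	retained, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	// GENREQ equivalent: the PKCS#10 request; its DER holds no private key.
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject: pkix.Name{CommonName: "DC01-AN2010", Country: []string{"FR"}, Province: []string{"PARIS"},
			Locality: []string{"PARIS"}, Organization: []string{"PARIS"}, OrganizationalUnit: []string{"RBIS"}},
	}, retained)
	if err != nil {
		return false, false, err
	}
	signed, err := issueFromRequest(csrDER, caCert, caKey)
	if err != nil {
		return false, false, err
	}
	// A brand-new key pair: all that is left once the original entry was removed.
	fresh, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	return keyMatchesCert(signed, retained), keyMatchesCert(signed, fresh), nil
}

func main() {
	retained, fresh, err := walkthrough()
	if err != nil {
		panic(err)
	}
	fmt.Println("signed cert matches retained key:", retained) // true
	fmt.Println("signed cert matches fresh key:", fresh)       // false
}
```

The second result is the situation the article describes: once the key pair that produced the request is gone, no certificate returned by the authority can be reconnected to anything, which is why a new certificate has to be generated and signed.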

You have to add the newly signed certificate under a different DIGICERT name, because CA Top Secret will not allow you to add a certificate back using the same DIGICERT name. The commands need to be adjusted to something like the following example:

  1. TSS GENCERT(PROD) DIGICERT(TEMPCERT) SUBJECTN('CN="DC01-AN2010" -
    C="FR" ST="PARIS" L="PARIS" O="MY PARIS" OU="RBIS"') -
    KEYSIZE(2048)

  2. TSS GENREQ(PROD) DIGICERT(TEMPCERT) -
    DCDSN(HQL.TSSADMIN.DC01) LABLCERT('TEMPCERT')

  3. TSS ADD(PROD) DIGICERT(DC01) -
    DCDSN(HQL.TSSADMIN.DC01) TRUST

  4. TSS REM(PROD) DIGICERT(TEMPCERT)
     Now that the certificate has been re-added and the private key reconnected, the temporary certificate can be deleted. This step is optional.

If you need the private key exported, you should use one of the PKCS12xxx formats. Example:

TSS EXPORT(CERTAUTH) DIGICERT(GROUP) DCDSN(HQL.TSSADMIN.DC01.PKCS12DER) - 
FORMAT(PKCS12DER)

Otherwise, the private key WILL NOT be exported. The password should be specified using the PKCSPASS() option on the EXPORT command.

Generally, you do not want to export a Certificate Authority together with its private key if you own that certificate authority, because anyone who obtains the exported private key can use your certificate authority to sign other certificates. If the private key really does need to be exported, the PKCS12 formats allow it.