KB Article #72439
Using self-signed certificates - self-signed certs - how to use self-signed certs with CFT
Problem with a self-signed certificate:
11/09/12 16:41:47 CFTY02Z >> CTX=200006 Client certificate not found (LOCAL CAID=NULLCERT, CERTID=NULL)
11/09/12 16:41:47 CFTY02Z >> CTX=200006 cftpki() _ PKII PHASE=GETCERT CR=0 REASON=48
11/09/12 16:41:47 CFTY02Z >> CTX=200006 UNKNOWN CA : DN=/C=fr/ST=idf/L=ptx/O=AXWAY/OU=SUP/CN=SUPPORT,/C=fr/ST=idf/O=Axway, ROOTCID=GAQSIG05,R2D2CA, USERCID=GA
11/09/12 16:41:47 CFTY23I CTX=200006 Client certificate ID=NULL ROOTID=NULLCERT
11/09/12 16:41:47 CFTY02Z >> CTX=200006 SSLact() _ state: BUILD
11/09/12 16:41:47 CFTY02Z >> CTX=200006 SSLact() _ SENDING 12 HANDSHAKE DATA
11/09/12 16:41:47 CFTY02Z >> CTX=200006 16030100 070B0000 03000000 >............<
It works in double authentication in a local loop test.
The format of the certificate used is PKCS12.
Resolution
1) Self-signed certs must be defined in the CFTSSL object so that USERCID = ROOTCID (the certificate is its own trust anchor).
2) Load the user cert only once, as in the PKICER example below.
PKIUTIL pkicer
id = 'GAQSIG05',
comment = 'GAQSIG05 Self signed certificates',
pkifname = /data/pkcftq05/cft/pki/pkibase, /* the PKI DB */
pkipassw = 'CFT1', /* PKI DB password */
iname = gateway.pfx, /* source file */
iform = 'PKCS12', /* source format */
ikform = DER, /* key format (embedded in the PKCS12) */
ikpassw = '123456', /* key password */
itype = 'USER', /* cert type */
state = 'ACT', /* status */
check = 'NO', /* do not check for the root CID, since a self-signed cert has no separate root */
mode = 'CREATE'
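The CFTSSL side of step 1, shown here as an added example that is not part of the original article: a CFTSSL object that references the self-signed certificate loaded above as both the trust anchor (ROOTCID) and the local identity (USERCID). Only the certificate ID GAQSIG05 comes from the article; the object name SSLSRV and the DIRECT, VERSION, CIPHLIST and VERIFY values are assumptions chosen for illustration and must be adapted to the site's own CFTSSL definition.

```text
CFTUTIL CFTSSL
id = 'SSLSRV',          /* assumed object name */
direct = 'SERVER',      /* assumed: this side acts as the TLS server */
version = 'TLSV1COMP',  /* assumed protocol setting */
ciphlist = (47,53),     /* assumed: 47 = AES128-SHA, 53 = AES256-SHA */
rootcid = 'GAQSIG05',   /* the self-signed cert is its own trust anchor ... */
usercid = 'GAQSIG05',   /* ... and the local certificate: USERCID = ROOTCID */
verify = 'REQUIRED',    /* assumed: demand the peer certificate (double authentication) */
mode = 'REPLACE'
```

With a self-signed certificate the chain ends at the certificate itself, so the trust list must contain that very certificate; if ROOTCID names a different CA, the handshake fails with the UNKNOWN CA / "Client certificate not found" trace shown at the top of this article. The flip side is that trust is pinned to one exact certificate: the remote partner must hold a copy of GAQSIG05 in its own trust list, and renewing the certificate means redistributing it to every partner.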