Troubleshooting for when an SSL certificate fails to import
24 April 2014 02:11 PM
MarkLogic allows SSL certificates to be used when securing application servers. This article explains some common issues seen when importing certificates, as well as methods for troubleshooting them.
Importing a certificate into MarkLogic:
The general procedure for creating and importing a certificate into MarkLogic can be found in the docs here: http://docs.marklogic.com/guide/admin/SSL#id_42684
For a certificate to be successfully imported, the public key of the signed certificate must match a public key contained in the Certificate Template. MarkLogic creates a new public/private key pair for each Certificate Request that is generated within a Certificate Template, so a certificate signed from an older request will not match the template's current key.
If MarkLogic is not accepting the signed certificate, you should first verify that the certificate is in PEM format. If it is not, you can use openssl to convert it to PEM. Below are examples of how to convert between various formats using openssl.
Convert a DER file to PEM:
Convert a P7B file to PEM:
Convert a PKCS#12 file to PEM:
If you are still experiencing issues when attempting to import a signed certificate, you should ensure that the public keys of the certificate request and the signed certificate match. This public key should also match the key pair contained in the certificate template.
Use the following commands to extract the public key from the certificate request and the signed certificate.
To obtain the public key from the certificate request, you should use the following XQuery script. Note that this script will need to be run against the Security database by a user with admin rights. The output of this script will also display private key information. If you need to provide the output to support, please remove all data in the <pki:private-key> elements.
The output of this script will contain various <pki:public-key> elements. One of these public keys needs to match the public key contained in your signed certificate.
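As an added example (not code from the original article or from MarkLogic), the following shell script collects the openssl conversions listed above (DER, P7B and PKCS#12 to PEM) and the public-key comparison described in this section into reusable functions. It assumes you have the certificate request file that was downloaded from the Certificate Template on disk alongside the signed certificate; all file names, the password and the subject name are placeholders, and the self-test generates every artifact locally so it runs offline.

```shell
#!/bin/sh
# Added example, not from the original article or MarkLogic: openssl helpers to
# convert a signed certificate to PEM and to confirm that its public key matches
# the certificate request it was issued for. All file names are placeholders.
set -eu

# DER (binary .cer/.der) certificate -> PEM
der_to_pem() { openssl x509 -inform der -in "$1" -out "$2"; }

# PKCS#7 bundle (.p7b, DER encoded) -> PEM; the output lists every certificate in
# the bundle, so keep the leaf (server) certificate for MarkLogic.
p7b_to_pem() { openssl pkcs7 -inform der -print_certs -in "$1" -out "$2"; }

# PKCS#12 bundle (.pfx/.p12) -> PEM; -nokeys writes certificates only, which is
# what MarkLogic needs since it already holds the private key for the template.
# Usage: p12_to_pem bundle.p12 out.pem <password>
p12_to_pem() { openssl pkcs12 -in "$1" -passin "pass:$3" -nokeys -out "$2"; }

# SHA-256 over the DER SubjectPublicKeyInfo read from stdin; this is the
# "public key" that has to agree between request, certificate and template.
spki_hash() { openssl pkey -pubin -outform der | openssl dgst -sha256 | awk '{print $NF}'; }
csr_pubkey_hash()  { openssl req  -in "$1" -noout -pubkey | spki_hash; }
cert_pubkey_hash() { openssl x509 -in "$1" -noout -pubkey | spki_hash; }

# keys_match cert.pem req.csr: 0 if the certificate was issued for this
# request's key pair, 1 (with a message on stderr) otherwise.
keys_match() {
  if [ "$(cert_pubkey_hash "$1")" = "$(csr_pubkey_hash "$2")" ]; then return 0; fi
  echo "public key mismatch: $1 was not issued for $2" >&2
  return 1
}

# Self-test: build a key, a request, a self-signed certificate and the three
# alternative encodings locally, then verify every conversion preserves the key
# and that a request from a different key pair is rejected.
demo() {
  d=$(mktemp -d)
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/key.pem" -out "$d/req.csr" \
    -subj "/CN=example.test" 2>/dev/null
  openssl x509 -req -in "$d/req.csr" -signkey "$d/key.pem" -days 1 \
    -out "$d/cert.pem" 2>/dev/null
  openssl x509 -in "$d/cert.pem" -outform der -out "$d/cert.der"
  openssl crl2pkcs7 -nocrl -certfile "$d/cert.pem" -outform der -out "$d/cert.p7b"
  openssl pkcs12 -export -in "$d/cert.pem" -inkey "$d/key.pem" \
    -passout pass:secret -out "$d/cert.p12"
  der_to_pem "$d/cert.der" "$d/from_der.pem"
  p7b_to_pem "$d/cert.p7b" "$d/from_p7b.pem"
  p12_to_pem "$d/cert.p12" "$d/from_p12.pem" secret
  for f in cert from_der from_p7b from_p12; do
    keys_match "$d/$f.pem" "$d/req.csr"
  done
  # MarkLogic creates a fresh key pair per request, so a certificate signed from
  # an older request will not match the current one; simulate that case.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/other.pem" \
    -out "$d/other.csr" -subj "/CN=example.test" 2>/dev/null
  if keys_match "$d/cert.pem" "$d/other.csr" 2>/dev/null; then return 1; fi
  rm -rf "$d"
}

demo && echo "all conversions preserved the request's public key"
```

Run `keys_match signed.pem request.csr` against the real files before importing; a non-zero exit means the certificate was signed from a different request than the one the template currently holds, and no format conversion will make MarkLogic accept it.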