Knowledgebase:
Troubleshooting for when an SSL certificate fails to import
29 September 2021 02:36 PM

Summary:

MarkLogic allows the use of SSL certificates in PEM Format when securing application servers. A certificate in PEM format is the Base64-encoding of the DER-encoding of the certificate structure values.

This article explains some common issues seen when importing certificates, as well as methods to troubleshoot problems.

Importing a certificate into MarkLogic:

The general procedure for creating and importing a certificate into MarkLogic can be found in the docs here:  http://docs.marklogic.com/guide/security/SSL#id_42684

For a certificate to be successfully imported, the public key of the signed certificate must match a public key contained in the Certificate Template.  MarkLogic creates a new public/private key pair for each Certificate Request that is generated within a Certificate Template.

Troubleshooting:

Verify Certificate in PEM format

If you are having an issue where MarkLogic is not accepting the signed certificate, you should first verify that your certificate is in PEM format.  If this is not the case, you can use openssl to convert your format to PEM.  Below are examples of how to convert between various formats using openssl.

Convert a DER file to PEM: $ openssl x509 -inform der -in certificate.cer -out certificate.pem
Convert a P7B file to PEM: $ openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
Convert a PKCS#12 file to PEM: $ openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

PKI-NOREQ Error

After downloading the certificate request and sending the CSR file to IT or the CA for signing, an administrator can accidentally click Certificate Request again. This generates a new certificate request (overwriting the previous certificate request file), so a certificate that matches the first/initial request will then fail to import.

If you are still experiencing issues when attempting to import a signed certificate and receive PKI-NOREQ, you should ensure that the public keys for the certificate request and signed certificate match.  This public key should also match with the key contained in the certificate template.

Use the following commands to extract the public key from the certificate request and signed certificate.

Certificate Request: $ openssl req -in request.csr -pubkey
Signed Certificate: $ openssl x509 -in certificate.crt -pubkey

Alternatively, you can compare a hash of the modulus (a compact string) to confirm that the certificate you are trying to import matches the private key stored in the template.  Note that the -modulus option applies to RSA keys only; for other key types, compare the public keys as shown above.

Certificate Request: $ openssl req -noout -modulus -in request.csr | openssl md5
Signed Certificate: $ openssl x509 -noout -modulus -in certificate.crt | openssl md5
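The same check as a small script (an added example, not part of this article or of MarkLogic): it fingerprints the DER-encoded SubjectPublicKeyInfo of the request, the certificate and, optionally, a private key, so it works for RSA and EC keys alike. It assumes openssl is on the PATH; the file names and the generated demo key material are constructed for illustration only.

```shell
#!/bin/sh
# Fingerprint the SubjectPublicKeyInfo carried by a CSR (req), a certificate (x509)
# or a private key (pkey): SHA-256 over the DER-encoded public key.
spki_fingerprint() {
  case "$1" in
    req)  openssl req  -in "$2" -noout -pubkey ;;
    x509) openssl x509 -in "$2" -noout -pubkey ;;
    pkey) openssl pkey -in "$2" -pubout ;;
    *)    return 2 ;;
  esac | openssl pkey -pubin -outform DER | openssl dgst -sha256 | awk '{print $NF}'
}

# keys_match CSR CERT: returns 0 when both carry the same public key, 1 otherwise.
# An empty fingerprint (unreadable or non-PEM input) is treated as a mismatch.
keys_match() {
  a=$(spki_fingerprint req "$1") || return 2
  b=$(spki_fingerprint x509 "$2") || return 2
  [ -n "$a" ] && [ "$a" = "$b" ]
}

# Constructed demo data: key k1 with its CSR and a self-signed certificate, plus a
# certificate issued for a second key k2 (the "request was regenerated" situation).
make_fixtures() {
  dir=$(mktemp -d)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/k1.pem" 2>/dev/null
  openssl req -new  -key "$dir/k1.pem" -subj "/CN=example.test" -out "$dir/req1.csr" 2>/dev/null
  openssl req -x509 -key "$dir/k1.pem" -subj "/CN=example.test" -days 1 -out "$dir/cert1.pem" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/k2.pem" 2>/dev/null
  openssl req -x509 -key "$dir/k2.pem" -subj "/CN=example.test" -days 1 -out "$dir/cert2.pem" 2>/dev/null
  echo "$dir"
}
```

In practice, run keys_match against the CSR you sent to the CA and the certificate it returned; a mismatch with a freshly downloaded request from the same template points to the PKI-NOREQ cause described above.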

Extracting Keys for the Certificate Request

To obtain the public keys held by a certificate template, use the following XQuery script.  Note that this script must be run against the Security database by a user with admin rights.  The output also contains private key information, so if you need to provide it to Support, remove all data inside the <pki:private-key> elements first.

xquery version "1.0-ml";
import module namespace pki = "http://marklogic.com/xdmp/pki"
  at "/MarkLogic/pki.xqy";

(: Look up the template by the name shown in the Admin UI and take its numeric id :)
let $template-id := pki:template-get-id(pki:get-template-by-name("INSERT-TEMPLATE-NAME"))

(: Return every Security-database document that references this template id;
   this includes the stored key pairs (pki:public-key and pki:private-key elements) :)
return
  cts:search(fn:doc(),
    cts:element-value-query(xs:QName("pki:template-id"), fn:string($template-id), "exact"))

The output of this script will contain various <pki:public-key> elements.  One of these public keys needs to match with the public key contained in your signed certificate.
