Top Secret

  • 1.  Question about third-party Certificates

    Posted Jan 31, 2018 03:45 PM

Our Senior management is stipulating that all digital certificates be generated from a central source.  I had generated a certificate chain from CATSS for use with a mainframe application's web browser interface, using the Liberty Server in the CICS region the application runs in.  My certificate chain works fine, including exporting the public key certificate to the user's web browser.  Now, I received a new certificate chain from our CA issuing team (they use Venafi to generate the root CA), and was able to upload it to CATSS (with private keys) and get the Liberty Server working, but when I exported the public key certificate and had the user install it in his web browser, the web page refused to display, giving an "invalid certificate" error.  The CA issuing team assured me the certificates all had valid signatures.  Does anyone have an application with a web browser interface (via Liberty Server) and a requirement to use a third-party certificate chain, and if so, how did you handle setting up the certificates so that the web browser, Liberty Server, and application all worked together?



  • 2.  Re: Question about third-party Certificates

    Broadcom Employee
    Posted Feb 02, 2018 05:31 PM

    Hi George,


Reading your question, I believe you are looking for other clients that have an application with a web browser interface (via Liberty Server) and a requirement to use a third-party certificate chain, and if so, how they handled setting up the certificates.  In order to get as many responses as possible and not have to mark the question as having been answered, I have turned this into a discussion.  I am going to see what I can find about the Liberty Server (it is sounding very familiar) and will let you know.  In the meantime, maybe some other clients will respond.


    Have a great weekend!!

    ~Eileen~ 



  • 3.  Re: Question about third-party Certificates

    Posted Feb 02, 2018 07:16 PM

Eileen;   Thanks for your response.  I still have not been able to resolve the certificate issues; we still cannot get the web browser (IE) to accept the certificates as valid.  I am also working with our Certificate Issuing team, but they have zero mainframe experience.  Any ideas from the community will be welcome!


    George McNamee, II

    Security Analyst IV

    Equifax – Mainframe Security

    Office Phone:  (770) 740-7256

    E-mail:  George.mcnamee@equifax.com



  • 4.  Re: Question about third-party Certificates

    Posted Feb 08, 2018 10:27 AM

Fellow Venafi user here.  When you/they did the "download" (Certificate -> Settings -> Download) to get your certificate (after it was signed by the third party), what format was it downloaded in?  Did it include the root chain?


    We've had issues with some customers using DER vs PKCS 7 vs PKCS 8 encodings for different certificates.  We usually use PKCS 8 (Base64) for everything Mainframe, but your web browser might not like that.  Always be sure to open it on your desktop to make sure the certificate is valid.  You can export it to a different encoding there as well.


    I usually never download the root chain.  When I do, I open it up in a text file and copy only the PKCS 8 data for each certificate into different files (removing the headers).  The format Venafi provides for the entire chain at once doesn't appear to be readable all together.



  • 5.  Re: Question about third-party Certificates

    Posted Feb 08, 2018 08:20 PM

    Kevin;   First, thanks for responding!  Our Certificate Generating group sent a certificate chain consisting of a root CA, an intermediate CA signed by the root CA, and a user/server certificate signed by the intermediate CA.  The package was sent in PKCS12 format (.pfx) and also in PEM format (text).  The PEM format had three public key certificates followed by a private key segment (bounded by "Begin encrypted private key" and "End encrypted private key"); CA-TOP SECRET was not able to handle the private key segment.  However, when I uploaded the '.pfx' file in BINARY, CATSS was able to successfully load the certificates into the Database and apply the private keys.  I attached the certificates to the appropriate key rings and was able to get the Liberty server to start under the hosting CICS region. (so far, so good!)  Where I ran into an issue was with the public key certificate.  I extracted the public key certificate for the intermediate CA for use in the web browser, but that produced an "invalid signature" message on the logon page in the web browser.  I exported the public key certificate using the default CATSS format (CERTDER, I think?), then imported the resulting PEM file into either the Microsoft Certificate Vault, or the browser's certificate repository.  Note that when I used this same procedure with CATSS-generated certificates, the user was able to log into the CICS application from the web browser with no issues.

    So perhaps I am approaching this incorrectly, from what you have mentioned.  I am working under the assumption that the "server" should have the private key certificates, and the "client" the public key certificates, and that is how I set up the third party certificate chain.  If that is not going to work, what would be a better approach?
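As an added example (not code from the thread, from Venafi or from Broadcom), here are the openssl CLI steps a practitioner would use to check a delivered chain like the ones described in posts 4 and 5 before anything is loaded into CATSS or a browser store: build a constructed three-tier chain standing in for the Venafi-issued one (root, issuing CA, server), concatenate it into a PEM bundle with the private key appended as in post 5, split the bundle into one file per certificate as post 4 describes doing by hand, find the self-signed root by comparing subject with issuer, and verify the server certificate against the chain. The names Example Root CA, Example Issuing CA and liberty.example.test, the file names, and an openssl CLI on PATH are assumptions of the example.

```shell
#!/bin/sh
# Added example (not from the thread): build a three-tier test chain with the
# openssl CLI, split a Venafi-style PEM bundle into one file per certificate,
# identify the self-signed root, and verify the server certificate against it.
# Assumptions: openssl is on PATH; "Example Root CA", "Example Issuing CA" and
# "liberty.example.test" are placeholder names, not anything from the thread.
set -u

# Minimal openssl config: CA extensions for root/intermediate, server extensions
# for the leaf.  Without basicConstraints=CA:TRUE openssl does not treat the
# intermediate as a CA and chain verification fails.
write_config() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
CN = Common Name
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:liberty.example.test
EOF
}

# Constructed stand-in for the chain the CA team hands out: root -> issuing CA -> server.
make_test_chain() {
  d=$1
  write_config "$d/ext.cnf"
  openssl req -x509 -config "$d/ext.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
    -keyout "$d/root.key" -out "$d/root.pem" -days 30 -subj "/CN=Example Root CA" 2>/dev/null
  openssl req -new -config "$d/ext.cnf" -newkey rsa:2048 -nodes \
    -keyout "$d/inter.key" -out "$d/inter.csr" -subj "/CN=Example Issuing CA" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 30 -extfile "$d/ext.cnf" -extensions ca_ext -out "$d/inter.pem" 2>/dev/null
  openssl req -new -config "$d/ext.cnf" -newkey rsa:2048 -nodes \
    -keyout "$d/server.key" -out "$d/server.csr" -subj "/CN=liberty.example.test" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" -CAcreateserial \
    -days 30 -extfile "$d/ext.cnf" -extensions leaf_ext -out "$d/server.pem" 2>/dev/null
}

# Split a PEM bundle into <prefix>1.pem, <prefix>2.pem, ... keeping only the
# CERTIFICATE blocks; a PRIVATE KEY block in the bundle is dropped on purpose.
# Prints the number of certificates written.
split_pem_certs() {
  awk -v prefix="$2" '
    /^-----BEGIN CERTIFICATE-----/ { n++; out = prefix n ".pem"; inside = 1 }
    inside { print > out }
    /^-----END CERTIFICATE-----/   { inside = 0; close(out) }
    END { print n + 0 }
  ' "$1"
}

# A certificate whose subject equals its issuer is a self-signed root: that is
# the one certificate from this chain a client trust store needs.
is_self_signed() {
  s=$(openssl x509 -in "$1" -noout -subject)
  i=$(openssl x509 -in "$1" -noout -issuer)
  [ "${s#subject=}" = "${i#issuer=}" ]
}

# verify_leaf LEAF TRUSTED [UNTRUSTED]: succeed only if openssl prints ": OK".
# Matching the output avoids depending on version-specific exit codes.
verify_leaf() {
  if [ $# -ge 3 ]; then
    out=$(openssl verify -CAfile "$2" -untrusted "$3" "$1" 2>&1) || true
  else
    out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
  fi
  case "$out" in
    *": OK"*) return 0 ;;
    *)        return 1 ;;
  esac
}

WORK=$(mktemp -d)
make_test_chain "$WORK"
# Venafi-style bundle as post 5 describes it: three certificates, then the private key.
cat "$WORK/server.pem" "$WORK/inter.pem" "$WORK/root.pem" "$WORK/server.key" > "$WORK/bundle.pem"
COUNT=$(split_pem_certs "$WORK/bundle.pem" "$WORK/cert")
echo "certificates found in bundle: $COUNT"
for f in "$WORK"/cert*.pem; do
  openssl x509 -in "$f" -noout -subject -issuer
  is_self_signed "$f" && echo "  ^ self-signed root: the certificate for the browser's trust store"
done
# Trusting only the intermediate is not enough for openssl: the chain must end
# at a trusted self-signed root, with the intermediate supplied as a link.
verify_leaf "$WORK/cert1.pem" "$WORK/cert2.pem" \
  && echo "leaf verifies with the intermediate alone" \
  || echo "leaf does NOT verify with the intermediate alone"
verify_leaf "$WORK/cert1.pem" "$WORK/cert3.pem" "$WORK/cert2.pem" \
  && echo "leaf verifies with the root trusted and the intermediate supplied" \
  || echo "chain broken"
```

Run it as a script; it prints the subject and issuer of each split certificate and marks the self-signed root. The last two lines are the point that matters for the browser side: openssl accepts the server certificate only when the self-signed root is the trust anchor and the intermediate is available as an untrusted link (on the wire, the server should send the intermediate along with its own certificate), and it rejects the leaf when the intermediate is all it is given to trust. Browsers apply their own rules about non-self-signed trust anchors, so the thread does not show whether this is what the IE install ran into, but running the check on the delivered files separates a chain problem from a CATSS or Liberty one.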