Auth certificate import failed #15

Closed
diver90 opened this issue Jan 15, 2020 · 6 comments
diver90 commented Jan 15, 2020

Hello,

I installed Security Server and successfully imported the test signing certificate from SK ID Solutions (SK). However, I could not import into the SS the certificates that were sent from the Security Server to SK ID Solutions (SK) for signing. When I try to import the certificate, I get this error:

2020-01-14T14:54:42+03:00 s2e24db13 INFO [X-Road Proxy User Interface] 2020-01-14 14:54:42+0300 - {"event":"Error importing certificate from file","user":"ss","reason":"Certificate is not valid","data":{"certFileName":"cert.crt","certHash":"7D:A2:78:4E:F9:5B:BA:3B:3C:86:F8:B4:A1:A3:50:A1:09:10:D0:B1","certHashAlgorithm":"SHA-1","keyUsage":"AUTHENTICATION"}}

SK support confirmed that the certificate is valid.
In what situations can this error occur?

diver90 commented Jan 16, 2020

Here is the log from signer.log:

2020-01-15 17:48:43,849 ERROR [Signer-akka.actor.default-dispatcher-1272283] e.r.x.s.p.h.ImportCertRequestHandler - Failed to import certificate
ee.ria.xroad.common.CodedException: CannotCreateCertPath.InternalError: Certificate is not issued by approved certification service provider.

And here are some errors from proxy.log:

2020-01-16 10:34:31,095 [qtp1011920203-545] INFO ee.ria.xroad.common.util.AdminPort - Admin request: /timestampstatus
2020-01-16 10:34:31,095 [qtp1011920203-545] INFO ee.ria.xroad.proxy.ProxyMain - /timestampstatus
2020-01-16 10:34:31,105 [qtp1011920203-545] INFO ee.ria.xroad.proxy.ProxyMain - Checking timestamp server status for url http://tsa-demo.ria.ee/
2020-01-16 10:34:31,151 [qtp1011920203-545] INFO ee.ria.xroad.proxy.ProxyMain - Checking timestamp server con sun.net.www.protocol.http.HttpURLConnection:http://tsa-demo.ria.ee/
2020-01-16 10:34:31,188 [qtp1011920203-545] WARN ee.ria.xroad.proxy.ProxyMain - Timestamp check received HTTP error: 400 - Bad Request. Might still be ok
2020-01-16 10:34:31,188 [qtp1011920203-545] INFO ee.ria.xroad.proxy.ProxyMain - Checking timestamp server status for url http://demo.sk.ee/tsa/
2020-01-16 10:34:31,231 [qtp1011920203-545] INFO ee.ria.xroad.proxy.ProxyMain - Checking timestamp server con sun.net.www.protocol.http.HttpURLConnection:http://demo.sk.ee/tsa/
2020-01-16 10:34:31,237 [qtp1011920203-545] WARN ee.ria.xroad.proxy.ProxyMain - Timestamp check received HTTP error: 400 - Bad Request. Might still be ok
2020-01-16 10:34:31,237 [qtp1011920203-545] INFO ee.ria.xroad.proxy.ProxyMain - Checking timestamp server status for url http://demo.sk.ee/tsa/
2020-01-16 10:34:31,242 [qtp1011920203-545] INFO ee.ria.xroad.proxy.ProxyMain - Checking timestamp server con sun.net.www.protocol.http.HttpURLConnection:http://demo.sk.ee/tsa/
2020-01-16 10:34:31,438 [qtp1011920203-545] WARN ee.ria.xroad.proxy.ProxyMain - Timestamp check received HTTP error: 400 - Bad Request. Might still be ok
2020-01-16 10:34:31,438 [qtp1011920203-545] INFO ee.ria.xroad.proxy.ProxyMain - result {http://tsa-demo.ria.ee/=DiagnosticsStatus(returnCode=0, prevUpdate=10:34:31.188, nextUpdate=null, description=http://tsa-demo.ria.ee/), http://demo.sk.ee/tsa/=DiagnosticsStatus(returnCode=0, prevUpdate=10:34:31.438, nextUpdate=null, description=http://demo.sk.ee/tsa/)}
2020-01-16 10:34:31,439 [qtp1011920203-545] INFO ee.ria.xroad.proxy.ProxyMain - statusFromLogManager {}

I am running Security Server version 6.16.0-0.20171128173309git05cf71f

@petkivim

Hi @diver90,

Based on the error message (Certificate is not issued by approved certification service provider.) the certificate is signed using a CA certificate that has not been defined as trusted in the X-tee test environment. When you requested the certificate from SK, did you specify that the certificate is for the X-tee test environment? Issuing the certificate using SK's production CA would explain the problem and the error message.

The INFO and WARN entries in the proxy.log are related to the diagnostics view. They can be ignored.

You're running a very old version of the Security Server that does not receive updates anymore. Officially supported versions are 6.22, 6.21 and 6.20. You should upgrade your Security Server to a newer version.

Best regards,
Petteri

diver90 commented Jan 16, 2020

Hi @petkivim,

Maybe you can help me in this situation?
I will tell you from the very beginning.
I received a server from a past programmer, in this state:

  • server installed
  • configured ee-dev instance
  • generated auth and sign CSR for ria.ee
  • successfully imported ee-dev sign cert from ria.ee (for X-tee dev)
  • failed to import auth cert from ria.ee, because someone deleted the auth key
  • generated auth and sign CSR for SK

And now we are trying to import SK test certificates. Am I right that we need to install another server (an ee-test instance) for these certificates?

diver90 commented Jan 16, 2020

Here are the CA certificates from the server.
serv sys params

@petkivim

Hi @diver90,

Thank you for the background information. The Security Server can be registered in one X-Road instance and the instance cannot be changed afterwards. As your Security Server has been originally registered to ee-dev instance, you must use CAs approved in that instance. In practice, you must apply certificates to ee-dev instance from RIA. The easiest way forward with ee-dev instance is to create a new auth key and apply a new auth cert from RIA.

In case you want to join ee-test instance, you need to install a new Security Server, create new sign and auth keys, and apply certificates for them from SK. This means that you cannot use the SK certificates that you already have, because they were issued to the private keys of the first Security Server. The Security Server does not provide a feature that enables exporting/importing private keys from one Security Server to another.

I'd recommend you contact RIA's help desk (help@ria.ee) for more detailed information on X-tee related questions.

Best regards,
Petteri
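The two conditions Petteri describes (the certificate must chain to a CA approved in the instance, and it must have been issued for a private key the Security Server itself holds) can be reproduced outside X-Road with plain openssl. This is an added illustration, not code from the thread or from the X-Road project; the CAs, keys and file names are constructed for the example.

```sh
#!/bin/sh
# Added example, not X-Road code: the two checks behind this thread, done with
# plain openssl. Every CA, key and name below is constructed for illustration.
set -eu
WORK=$(mktemp -d)

newca() {  # $1 = file prefix, $2 = CN: a self-signed CA acting as a trust anchor
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
issue() {  # $1 = CA prefix, $2 = subject key file, $3 = output prefix
  openssl req -new -key "$WORK/$2" -subj "/CN=constructed-ss-auth" \
    -out "$WORK/$3.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$3.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -CAcreateserial -days 1 -out "$WORK/$3.pem" 2>/dev/null
}

# Check 1: build a certification path to an approved CA, which is what the signer
# does on import ("Certificate is not issued by approved certification service provider").
check_cert_path() {  # $1 = bundle of approved CA certs, $2 = certificate to import
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo approved; else echo rejected; fi
}
# Check 2: the certificate must carry the public key of a private key this server
# holds; a certificate issued to another server's key cannot be used here.
key_matches_cert() {  # $1 = private key file, $2 = certificate
  if [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
       "$(openssl x509 -in "$2" -noout -pubkey)" ]; then echo match; else echo mismatch; fi
}

newca approved "Constructed CA approved in this instance"
newca other    "Constructed CA approved in some other instance"
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/server.key" 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/deleted.key" 2>/dev/null
issue approved server.key  leaf_ok        # approved CA, this server's key
issue other    server.key  leaf_wrongca   # CA of another instance (wrong environment)
issue approved deleted.key leaf_lostkey   # approved CA, but the key is no longer on this server

for leaf in leaf_ok leaf_wrongca leaf_lostkey; do
  printf '%-12s path=%s key=%s\n' "$leaf" \
    "$(check_cert_path "$WORK/approved.pem" "$WORK/$leaf.pem")" \
    "$(key_matches_cert "$WORK/server.key" "$WORK/$leaf.pem")"
done
```

Only leaf_ok passes both checks; leaf_wrongca is the situation in this issue, and leaf_lostkey is a valid certificate that is still useless on this server because the matching private key is gone.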

diver90 commented Jan 17, 2020

Hi @petkivim,

Thank you very much for helping me understand this situation!

Best regards,
Mykhailo

@diver90 diver90 closed this as completed Jan 17, 2020