
I am setting up an nginx reverse proxy on Ubuntu 16.04 LTS Server for a web server.

There will be three different services running on Ubuntu. The services will communicate with each other using API calls. Similarly, clients (browser/mobile) will communicate with the services using API calls.

To validate client SSL requests, I need to install certificates on the server PC. Only after authentication will a request get processed or forwarded for further processing.

For each service I have certificate files of the following formats: Ser1_cert.crt, Ser1_key-decryp.key, Ser1_keyfile.key, Ser1_exported.pfx

Similarly, Ser2_..., Ser3_... files are available.

For the CA, I have CA_50EA.crt and CA_50EA.pfx files available.

I don't have clarity on which certificate file format I am supposed to use for certificate installation.

To install certificates on the system I followed these steps:

1. I copied the .crt extension files (including the CA file) into /usr/share/ca-certificates, then I ran the command below.
2. `sudo dpkg-reconfigure ca-certificates`

It showed a UI to select certificates; I selected all. At the end it showed the number of certificates added.

I put the certificate path properly in the nginx.conf file. I copied the .crt and .key files to /etc/ssl/certs/ and /etc/ssl/private/ respectively.

ssl_certificate "/etc/pki/certs/XServer_certificate.crt";
ssl_certificate_key "/etc/ssl/private/XServer_decryp.key";

Now I tried to log in to the server from the browser client, but the login certificate validation failed with the following server log message.

info: LoginController[0]

Certification Error :unable to get local issuer certificate

To reconfirm, I copied all the certificate files into the /usr/share/ca-certificates directory (14 files in total), then executed `sudo dpkg-reconfigure ca-certificates` again. This time I also got the same error.

Next I ran the `sudo update-ca-certificates --fresh` command. It showed the number of certificates installed, with a warning for the CA .pem file as below.

WARNING: CA_50EA.pem does not contain a certificate or CRL: skipping 152 added, 0 removed; done.

A .pem file is created in the /etc/ssl/certs folder, but I only put a .crt file in /usr/share/ca-certificates.

I tried to verify using the command below; there I am also seeing the same issue.

openssl s_client -connect [server name]:443 -showcerts -CAfile /etc/ssl/certs/ca-certificates.crt
................. ................. Verify return code: 21 (unable to verify the first certificate)

It tells very clearly that verification failed.

Am I missing any step? What is the right approach to do this? Seeing the error, I thought the CA was not installed properly.

I read many blogs; most of them explain the same thing, but it is not working for me.

Some time ago I worked on CentOS 7, where I used the following commands to install certificates on the system: `update-ca-trust force-enable`, `update-ca-trust extract`. In CentOS, client certificate validation happens fine with the above commands.

Any feedback is appreciated.

Thanks

user486122
  • Have you configured certificates in the server block of the nginx host configuration? – Sunil Bhoi Sep 04 '18 at 08:47
  • The process for installing a CA certificate on Ubuntu is much as you describe. Put a PEM file of the CA x509 cert with extension .crt in `/usr/share/ca-certificates/myca` and run `dpkg-reconfigure ca-certificates`. However, is your client sending the certificate chain correctly, and does the controller code use a standard SSL library that looks in the system-wide ca-certificates? – Gerrit Sep 04 '18 at 10:22

1 Answer


First of all, thank you all.

My issue is: the CA certificate which installs successfully in CentOS is not installing in Ubuntu 16 Server, giving the warning message below.

WARNING: CA_50EA.pem does not contain a certificate or CRL: skipping 152 added, 0 removed; done.

Solution: After trying different approaches, I was unable to identify the exact root cause of this issue. Suddenly one idea struck me, and this resolved my issue.

I created a new root CA file from the CA.pfx file using the steps at the URL below, and it installed successfully on Ubuntu 16 Server without any warnings and verified my client requests successfully. https://www.itsupportmiami.com/how-to-convert-a-pfx-to-a-seperate-key-crt-file/

Thank you to all of you who looked at my query and tried to answer.

  • Hi, and welcome to ServerFault! Please phrase your answer highlighting the actual solution, i.e. import the root CA certificate in PEM format instead of trying to import the PKCS12 (or PFX) keystore. – fuero Sep 19 '18 at 16:20
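As an added example (not code from the question or the answer above): a small POSIX shell helper that tells a PEM .crt file, which update-ca-certificates accepts, apart from a binary DER or PKCS#12 (.pfx) file, which is exactly what triggers the "does not contain a certificate or CRL" warning, followed by the openssl conversion that the answer arrived at. The `myca` directory, the function names and the sample files are assumptions/constructed.

```shell
#!/bin/sh
# Added example: classify a certificate file before handing it to
# update-ca-certificates, and convert a .pfx to PEM when needed.

# Print "pem", "binary-asn1" or "unknown" for the given file.
cert_file_kind() {
    f="$1"
    if grep -q 'BEGIN CERTIFICATE' "$f" 2>/dev/null; then
        echo pem
    elif [ "$(head -c 1 "$f" | od -An -tx1 | tr -d ' \n')" = "30" ]; then
        # 0x30 = ASN.1 SEQUENCE: both a DER certificate and a PKCS#12 (.pfx)
        # bag start this way; neither is accepted by update-ca-certificates,
        # which expects PEM text in /usr/share/ca-certificates/*.crt.
        echo binary-asn1
    else
        echo unknown
    fi
}

# Extract only the certificates (no private key) from a .pfx/.p12 into a
# PEM .crt and register it as a trusted CA. Assumes openssl, root
# privileges and an assumed "myca" directory; openssl prompts for the
# PFX password.
install_ca_from_pfx() {
    pfx="$1"; name="$2"
    mkdir -p /usr/share/ca-certificates/myca
    openssl pkcs12 -in "$pfx" -nokeys \
        -out "/usr/share/ca-certificates/myca/$name.crt"
    update-ca-certificates
}

# Self-check on constructed sample files (no real certificates involved).
demo_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIB(constructed)' \
    '-----END CERTIFICATE-----' > "$demo_dir/good.crt"
printf '\060\202\001\000' > "$demo_dir/renamed.pfx"   # starts 0x30 0x82
printf 'not a certificate\n' > "$demo_dir/junk.crt"
for f in good.crt renamed.pfx junk.crt; do
    printf '%s: %s\n' "$f" "$(cert_file_kind "$demo_dir/$f")"
done
```

A .pfx that has merely been renamed to .crt is reported as binary-asn1, which is the case the warning in the question describes; only the pem case is installable as-is.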