eHealth Exchange Certificate Chain Overview
Version History
Version# | Date | Modified By | Description of Modification |
---|---|---|---|
1.0 | 03/06/2014 | Christopher May | Initial version |
Table of Contents
Introduction
Motivation & Scope
Members of the eHealth Exchange secure their communications using x.509 certificates whose chain of trust begins with the same Root Certificate Authority (CA), thus facilitating trust between organizations without the need to exchange certificates. For this reason, an organization must be able to import certificates forming a chain of trust when joining the community as well as when a new Root CA is introduced to the Exchange. This document covers the procedures and common troubleshooting steps to streamline that process.
Document Audience
This document is intended for technical users who are familiar with basic public-key infrastrucure (PKI) and x.509 concepts.
Prerequisites
The following tools are used throughout this document:
- Portecle, or another keystore / certificate manipulation tool (e.g., Keystore Explorer).
- openssl - on Linux, this can be installed via the distro's package manager; on Windows, the openssl package can be added to Cygwin or installed as a standalone binary.
- keytool - part of the Java Development Kit (JDK).
Portecle
Portecle is a free GUI application for managing keystores and x.509 certificates. This section is a short primer on the subset of Portecle's functionality necessary to import the chain of trust certificates, omitting steps that can be performed using only keytool or openssl.
Start Portecle
java -jar portecle.jar
Examine Stand-Alone Certificates
Select Examine --> Examine Certificate (keyboard shortcut: Ctrl+E).
Locate and select the relevant certificate file (select Files of Type "All Files" if the certificate's file extension is being filtered by default, e.g., .p7c and .der).
Click Examine (keyboard shortcut: Enter).
To view x.509 extensions, click Extensions (keyboard shortcut: Alt+E). The following extensions will be referenced in this document:
- Subject Key Identifier (SKI) - provides a means of uniquely identifying that the current certificate contains a particular public key.
- Authority Key Identifier (AKI) - provides a means of uniquely identifying the public certificate whose corresponding private key was used to sign the current certificate.
- Authority Information Access (AIA) - indicates how to access CA information and services for the issuer of the current certificate.
Note: When viewing an extension, the value will be listed under "Extension Value" at the bottom half of the window.
Note: If the loaded file contains multiple certificates, navigate between them using the left and right arrows along the top (keyboard shortcuts: Alt+← / Alt+→).
Note: Although keytool and openssl can also be used to examine certificates, this step was included because Portecle is the only tool of the three that can export a PEM-encoded certificate based on the information examined from a PKCS#7 file containing multiple certificates. For reference, below is a non-exhaustive list of commands to examine certificates:
keytool -printcert -v -file <certfile.p7c>
(PKCS#7): openssl pkcs7 -inform DER -text -print_certs -in <certfile.p7c>
(PEM-encoded) openssl x509 -text -print_certs -in <certfile.pem>
Export the PEM-encoded Certificate
While examining a certificate:
- Click PEM Encoding (keyboard shortcut: Alt+P).
- Click Save (keyboard shortcut: Alt+S).
- Enter the file name, INCLUDING the .pem extension (this must be added manually, despite the Files of Type default of "PEM Files (*.pem)".
- Click Save (keyboard shortcut: Enter).
- Click OK (keyboard shortcut: Enter) to resume examining the certificate.
Note: A good rule of thumb for naming certificate files is to use information from the Subject's OU (e.g., if the Subject is "OU=Entrust NFI Test Shared Service Provider, OU=Certification Authorities, O=Entrust, C=US", a good file name might be "NFI-Test.pem").
Locate CA Certificate via AIA
While examining a certificate:
- Click Extensions (keyboard shortcut: Alt+E).
- Select "Authority information access."
- In the Extension Value, click the "CA Issuers" link whose URI starts with http. If this throws an error, see 112951383.
- When finished, click OK to resume examining the current certificate.
Retrieving and Converting Certificates
These instructions cover retrieving PKCS#7 certs and converting them to PEM-encoding.
Starting with the leaf certificate:
- Examine the current certificate using Portecle and take note of the AKI.
- Locate the parent cert via AIA.
- Examine the parent cert and verify that its SKI matches the AKI from the first step (if there are multiple certificates, check them all until a match is found).
- Export the PEM-encoded certificate.
- Repeat steps 1-4, unless the current cert is the Root CA (if this is the case, the AIA extension will be missing, and the cert's SKI and AKI will be identical).
Importing the Certificates
These instructions cover importing the chain of trust, beginning with the root and ending with the Certificate Signing Request (CSR) reply.
Starting with the Root CA:
- keytool -importcert -trustcacerts -file <certfile.pem> -alias <alias> -keystore <keystore.jks> [-storepass <password>]
- Enter the keystore password when prompted (default: changeit), or specify the password in advance by appending the following flag to the keytool command: -storepass <password>
- When importing a Root CA, type yes at the "Trust this certificate? [no]" prompt; for all other cases, this prompt indicates that the certificate being imported is not next in the chain of trust. See 112951383 to determine whether the certificate is farther down the chain or it belongs to a different chain.
- Repeat steps 1-3, unless the current cert is the leaf CSR reply (if this is the case, the success message will be "Certificate reply was installed in keystore" instead of "Certificate was added to keystore").
Note: When importing a CSR reply, the alias must match that of the certificate the CSR was originally generated from. For all other certificates, alias should indicate useful information about the Subject (see: 112951383).
Note: A reference truststore containing both the new and old eHealth Exchange chains of trust is available for download.
Troubleshooting
Invalid .p7c File
The AIA for the eHealth Exchange Intermediate CA (http://dcomweb1.managed.entrust.com/AIA/CertsIssuedToDComRootCA.p7c) is base64 encoded on a single line instead of the expected PKCS#7 file. To allow Portecle, keytool, and openssl to examine these certificates:
- Download the PKCS#7 file:
- At the "No certificates found" prompt, click OK (keyboard shortcut: Enter).
- At the "Do you wish to try opening the URL in a web browser?" prompt, click Yes (keyboard shortcut: Alt+Y) and download the file.
- Convert the encoded file by issuing the following openssl command:
- openssl base64 -d -A -in <name_of_encoded_file.p7c> -out <new_file.p7c>
Untrusted Import
If the "Trust this certificate? [no]" prompt appears on a non-Root CA import, compare that certificate's AKI to the SKI of every other certificate in the chain; the matching certificate must be imported before the current one. If no match is found, follow the steps for 112951383. If the Root CA found using that procedure matches the one that has already been imported, work backwards to import the correct chain. If they do not match, either the leaf certificate was signed by the wrong CA, or the imported Root CA is not the correct one. Contact the signer of the leaf certificate to see which Root CA to use.
SSL Handshake Errors
If there is an SSL handshake failure (or other trust error) during communication, verify that each endpoints' leaf certificates share the same CA. If not, contact the signer of both leaf certificates to determine which certificate is signed by the correct CA; otherwise, double-check that the chain of trust has been imported into both the keystore and the truststore. In the event that both endpoints do not intend to share the same chain of trust, they must import each others' public leaf certificates into their truststore.
Future Document Enhancements
Better way of denoting <variables> and [<optional variables>].
Generating a CSR.
- There are other ways the .p7c can be invalid; make this generic and provide other solutions.
Script / command-line method to take a single pkcs7 file with multiple certs, and turn it into multiple files with one cert each.
- Screenshots for Portecle functionality.
Move Portecle tutorial to its own page, include in links.
OpenSSL and keytool tutorials, including what commands can and cannot be emulated using Portecle.
Glossary (CSR, PKI, etc.).
- Testing the chain (and when to use 112951383).