SAP SQL Anywhere

Question

12.0.1.4183

The CreateCert executable outputs malformed X.509 certificates that are unsupported by Java. The program previously output X.509v3 files with proper X.509v3 extensions, but an update has introduced a bug causing the application to output X.509v1 certificates with X.509v3 extensions in violation of the X.509 specification. This causes java’s strict parser to fail when interacting with these certificates with the error text “java.security.cert.CertificateParsingException: no more data allowed for version 1 certificate.” This is true for both Java’s use of the KeyTool, and when interacting with the server over TLS with Java as a client.

Answer 1

Sorry for the delay in responding. This is a bug in createcert that was created with the conversion to openssl (away from Certicom). We are working on a fix.

In the meantime, please use openssl directly to generate certificates:

# generate the private key
$ openssl genrsa -des3 -out server.key 1024

# generate a signing request
$ openssl req -new -key server.key -out server.csr

# generate a certificate and sign it with the previous signing request
$ openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

# inspect the certificate
$ openssl x509 -text -in server.crt 
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 10385265624665396460 (0x901fe00fe84194ec)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=CA, ST=Ontario, L=Waterloo, O=SAP, OU=SAP Canada, CN=sap.com/emailAddress=me@sap.com
        Validity
            Not Before: Mar 24 16:00:31 2015 GMT
            Not After : Mar 23 16:00:31 2016 GMT

If you want to use this in a SQL Anywhere server you have to create an identity file:

# create the identity file
$ cat server.crt server.key >server.pem

Now, if you want to import into a Java keystore:

# convert to PKCS12
$ openssl pkcs12 -export -in server.crt -inkey server.key -name "sap.com" -out server.p12

# import into Java keystore
$ keytool -importkeystore -deststorepass <store_password> -destkeystore server.jks -srckeystore server.p12 -srcstoretype PKCS12

Answer 2

In the meantime you can create self-signed certificates using Java's keytool. For example:

] keytool -genkeypair -keyalg RSA -keysize 2048 -keypass sample -validity 1825 -keystore mystore.jks -storepass STORE_PASSWORD_HERE -v -alias localhost
What is your first and last name?
  [Unknown]:
What is the name of your organizational unit?
  [Unknown]:  SAPCanada
What is the name of your organization?
  [Unknown]:  SAP
What is the name of your City or Locality?
  [Unknown]:  Waterloo
What is the name of your State or Province?
  [Unknown]:  ON
What is the two-letter country code for this unit?
  [Unknown]:  CA
Is CN=Unknown, OU=SAPCanada, O=SAP, L=Waterloo, ST=ON, C=CA correct?
  [no]:  y

Generating 2,048 bit RSA key pair and self-signed certificate (SHA256withRSA) with a validity of 1,825 days
        for: CN=Unknown, OU=SAPCanada, O=SAP, L=Waterloo, ST=ON, C=CA
[Storing mystore.jks]

You can also generate chained certificates.

SAP SQL Anywhere

Is Createcert Broken?

Follow this question

Related questions