Team,
After importing an SSL file for a customer, we check the certificate through “SSL Checker”.
If it shows that the chain is broken, as in the picture below, the issue is caused by a broken PFX certificate.
You can ask the customer to re-share the PFX file. If the customer is still unable to provide the complete file, you can use the steps below to fix the issue.
There are multiple ways to resolve this issue. One of them is described below.
For this we need to download and install OpenSSL:
1. Download OpenSSL from the link below.
https://sapphireims.sharepoint.com/:f:/s/ITOM/EoX2lFroiv9Bo3BsmRYT_IwBTtY_EPuPCql_IomwZGRChQ?e=gEHYm6
2. Install OpenSSL by running the installer as administrator.
3. After installing, navigate to “C:\Program Files\OpenSSL-Win64\bin”.
Open this file.
Extracting files from the pfx.
Export the key: openssl pkcs12 -in mycert.pfx -out key.txt -nodes -nocerts
Enter the password for the pfx when prompted.
Example:
openssl pkcs12 -in C:\Users\sapphire.vdi\Downloads\GFL_PFX\GFL.pfx -out C:\Users\sapphire.vdi\Downloads\GFL_PFX\key.txt -nodes -nocerts
The key will be generated at the “out” path; we will need it in the final steps.
Now export the certificate: openssl pkcs12 -in mycert.pfx -out cert.cer -nodes -nokeys
Enter the password for the pfx when prompted.
Example:
openssl pkcs12 -in C:\Users\sapphire.vdi\Downloads\GFL_PFX\GFL.pfx -out C:\Users\sapphire.vdi\Downloads\GFL_PFX\cert.cer -nodes -nokeys
A cert file will be generated at the “out” path.
Creating the certificate chain bundle
Double click the certificate to open it in Windows.
Click the Certification Path tab.
- Root Certificate: The top certificate in the chain, labeled as Sectigo (AAA), is the root certificate. This is the trusted root certificate authority.
- Intermediate Certificate: The certificate below the root, labeled as USERTrust RSA Certification Authority, is the intermediate certificate. Intermediate certificates bridge the trust between the root certificate and the server certificate.
- Base (or End-Entity) Certificate: The last certificate in the chain, labeled with your specific domain or service (gfl.co.in in this case), is the end-entity certificate. This is the actual certificate issued for the service or domain you are securing.
The root and intermediate certificates help establish trust for the base certificate.
Alternatively, if you don’t see 3 certificates in your exported file, you can go to this website (click here), enter your web address and download the certificate.
Export all the certificates using the below steps.
Double click the intermediate certificate to open it, click the Details tab, then Copy to File.
Click Next, select Base-64 encoded X.509, then Next.
Give it a name like intermediate.cer, click Save, then Next then Finish.
Click OK then OK again to close the certificate.
Double click the Root certificate at the top of the list to open it, then click the Details tab, then Copy to File.
Click Next, select Base-64 encoded X.509 and click Next.
Give it a name like root.cer, click Save, then Next then Finish.
Click OK to close the root certificate, then OK again to close the main certificate.
Now open both the intermediate and root certificates in a text editor and combine their contents into a bundle file.
Copy the contents of the root and paste it below the existing text in the intermediate file.
Save the intermediate file and rename this to something like bundle.cer.
Creating the new pfx file
Open the OpenSSL Command Prompt. We can now create a new PFX file with:
openssl pkcs12 -export -out newcert.pfx -inkey key.txt -in cert.cer -certfile bundle.cer
Example: openssl pkcs12 -export -out C:\Users\sapphire.vdi\Downloads\newcert.pfx -inkey C:\Users\sapphire.vdi\Downloads\GFL_PFX\key.txt -in C:\Users\sapphire.vdi\Downloads\GFL_PFX\cert.cer -certfile C:\Users\sapphire.vdi\Downloads\GFL_PFX\Exp\bundle.cer
Enter a new password for the export and confirm this.
A new PFX file is generated at the “out” path. You can use this file to re-import the SSL certificate in SapphireIMS, RPA and Meshcentral, and the issue will be resolved.
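Before re-importing, the rebuilt PFX can be checked locally. The PowerShell script below is an added example, not part of the original procedure. It assumes key.txt, cert.cer, bundle.cer and newcert.pfx from the steps above are in the current folder and that OpenSSL is installed in the folder from step 3; newchain.pem is a temporary file name chosen for this example.

```powershell
# Added example: sanity checks on the rebuilt PFX before re-import.
# Assumption: run from the folder holding key.txt, cert.cer, bundle.cer, newcert.pfx.
$openssl = 'C:\Program Files\OpenSSL-Win64\bin\openssl.exe'

# 1. The private key must belong to the certificate: compare their public keys.
$certPub = (& $openssl x509 -in cert.cer -noout -pubkey) -join "`n"
$keyPub  = (& $openssl pkey -in key.txt -pubout) -join "`n"
if (-not $certPub -or $certPub -ne $keyPub) {
    throw 'key.txt does not match cert.cer'
}

# 2. bundle.cer (intermediate + root) must complete the chain for cert.cer.
#    OpenSSL prints "cert.cer: OK" and exits 0 when the chain verifies.
& $openssl verify -CAfile bundle.cer cert.cer
if ($LASTEXITCODE -ne 0) {
    throw 'Chain verification failed (see the OpenSSL output above)'
}

# 3. The new PFX must contain the end-entity, intermediate and root certificates.
#    OpenSSL prompts for the export password set when newcert.pfx was created.
& $openssl pkcs12 -in newcert.pfx -nokeys -out newchain.pem
if ($LASTEXITCODE -ne 0) {
    throw 'Could not read newcert.pfx'
}
$count = @(Select-String -Path newchain.pem -Pattern 'BEGIN CERTIFICATE').Count
Remove-Item newchain.pem
if ($count -lt 3) {
    throw "newcert.pfx holds $count certificate(s); expected 3"
}

# 4. key.txt was exported with -nodes, so the private key in it is unencrypted.
#    Remove it once the new PFX has passed the checks.
Remove-Item key.txt
Write-Host "newcert.pfx is ready to import: key matches, chain verifies, $count certificates."
```

If any check throws, key.txt is left in place so the export can be repeated after fixing bundle.cer.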