0

I am attempting to authenticate to the Intuit API Explorer to become better acquainted with the Customer Data (AggCat) API.

I enter the Consumer Key/Secret, SAML id, user ID, and the original .crt certificate that I uploaded. I get the error:

The given certificate file is not supported. Please provide valid PEM certificate file.

I don't understand this error, because the .crt file is PEM-encoded, as far as I can tell.

Nevertheless, I went to the 'Create X.509 keys' page:

http://docs.developer.intuit.com/0020_Aggregation_Categorization_Apps/009_Using_AggCat/0010_GettingStarted/0015_Create_an_AggCat_integration/0010_Creating_X.509_Public_Certificates

and followed the instructions at the bottom 'Generating a PEM file'. I am able to get past step 1. (convert jks store to p12 format), but I get the following error when attempting to run step2:

$ openssl pkcs12 -in keystore.p12 -nocerts -out cert.pem

MAC verified OK
Error outputting keys and certificates
139679448614560:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:539:
139679448614560:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:p12_decr.c:104:
139679448614560:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:p12_decr.c:130:

I am using jdk-1.7.0_17 and openssl-1.0.1 on ubuntu-12.04 LTS.

Thanks for any help.

Manas Mukherjee
  • 5,270
  • 3
  • 18
  • 30
pparavicini
  • 1
  • 3

1 Answers1

0

Found it, stop looking!

The problem arises from the fact that the PKCS12 format does not support separate passwords for the storage file and any keys inside it. Both the storage file and the key inside it have to be encrypted with the same password.

So the easiest was to go through the process again, and in the step of generating the initial private key and keystore with keytool:

keytool -genkey -alias myapp -validity 1095 -keyalg RSA -keystore keystore.jks

make sure to use the same password for both the keystore (storepass) and the private key (keypass).

As an alternative, if you really must/want to use separate passwords for the keystore and key in that step, in the initial step for creating the PEM:

keytool -importkeystore -srckeystore [MY_KEYSTORE.jks] 
  -destkeystore [MY_FILE.p12]
  -deststoretype PKCS12 
  -deststorepass [PASSWORD_PKCS12] change this to [KEYPASS]
  -srcstorepass [PASSWORD_JKS]

set the -srcstorepass to the password of the keystore (storepass), but set the -deststorepass of the PKCS12 file to the password of the private key (keypass) used when creating the key/keystore via the keytool -genkey command further above.

I have not tested this alternative, but it should work as well, since both the PCKS12 store and the key would end up using the same password.

pparavicini
  • 1
  • 3