Updated PFX applied to iPrint 3.x, but browser still shows expired cert

  • 7022907
  • 01-May-2018
  • 01-May-2018

Environment

Micro Focus iPrint Appliance 3.x

Situation

The third-party certificate on the iPrint Appliance has expired, so you uploaded an updated PFX file obtained from your CA (Certificate Authority) using the Certificate Management tool (https://<address>:9443 -> Manage iPrint Appliance -> Certificates -> Certificate Management). The Certificate Management tool shows that the certificate won't expire for a long time, yet accessing the appliance's https:// tools still shows the certificate as expired.

Running the following command:
sh certman.sh -t repair -a
reveals that the following certificate files are expired:
/vastorage/conf/certs/vachain.crt
/vastorage/conf/certs/vaserver.crt
/etc/ssl/servercerts/servercert.pem

Note: To run the certman command, you must change the certman.sh permissions to have execute permissions:
chmod 775 /opt/novell/iprintmobile/bin/certman.sh

The /var/opt/novell/jetty/logs/jetty.stderrout.out log shows the following:
INFO com.novell.admin.iprint.server.web.controllers.LandingPageController - Server certificate days remaining:0
WARN com.novell.admin.iprint.server.web.controllers.LandingPageController - Server certificates will expire in 0 days

Resolution

Manually copy the certificate files to the correct locations
  1. Copy the PFX file to the server's /tmp directory
  2. Paste the following commands into a terminal session while logged in as root:
    • cd /tmp
    • openssl pkcs12 -in <NameOfPFXfile>.pfx -nocerts -out key.crt -nodes
      • The above is the syntax. Replace <NameOfPFXfile> with the actual name of the PFX file. For example:
        • openssl pkcs12 -in MyPFXfromMyCA.pfx -nocerts -out key.crt -nodes
      • Provide the password for the PFX file.
    • openssl pkcs12 -in <NameOfPFXfile>.pfx -nokeys -out cert.crt -nodes
      • The above is the syntax. Replace <NameOfPFXfile> with the actual name of the PFX file. For example:
        • openssl pkcs12 -in MyPFXfromMyCA.pfx -nokeys -out cert.crt -nodes
      • Provide the password for the PFX file, if prompted.
    • cp /tmp/cert.crt /vastorage/conf/certs/vaserver.crt;cp /tmp/key.crt /vastorage/conf/certs/vaserver.key;rcapache2 restart;rcnovell-iprint-mobile restart
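
A pre-flight check that can be run between the two openssl pkcs12 commands and the final cp, so an expired or mismatched file is caught before the services restart. This is an added example, not part of the original article or the appliance's tooling; the function names check_cert_pair and make_sample_pair and the script name check_pair.sh are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight check for /tmp/cert.crt and /tmp/key.crt before
# they replace vaserver.crt / vaserver.key. Function names are hypothetical.

# check_cert_pair CERT KEY [MIN_SECONDS]
#   0 = certificate valid for at least MIN_SECONDS and key matches
#   1 = certificate is expired or expires within MIN_SECONDS
#   2 = private key does not belong to the certificate
#   3 = a file is missing or cannot be parsed
check_cert_pair() {
    cert=$1; key=$2; min=${3:-0}
    [ -r "$cert" ] && [ -r "$key" ] || return 3
    # "pkcs12 -nokeys" writes every certificate in the PFX; "x509" reads only
    # the first one in the file, which is the one compared here.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 3
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 3
    # -checkend exits non-zero if notAfter falls within the next $min seconds.
    openssl x509 -in "$cert" -noout -checkend "$min" >/dev/null 2>&1 || return 1
    [ "$cert_pub" = "$key_pub" ] || return 2
    return 0
}

# Constructed sample input for trying the check away from the appliance:
# make_sample_pair DIR NAME DAYS writes a throwaway self-signed NAME.crt/NAME.key.
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# Run against real files when two paths are given, e.g.:
#   sh check_pair.sh /tmp/cert.crt /tmp/key.crt
if [ "$#" -ge 2 ]; then
    rc=0
    check_cert_pair "$1" "$2" "${3:-0}" || rc=$?
    case $rc in
        0) echo "OK: certificate is current and matches the key" ;;
        1) echo "FAIL: certificate is expired or about to expire" ;;
        2) echo "FAIL: key does not match the first certificate in $1" ;;
        *) echo "FAIL: could not read or parse $1 / $2" ;;
    esac
    exit "$rc"
fi
```

Because -nodes writes the private key unencrypted, delete /tmp/key.crt once the copy has succeeded.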