I'm trying to set up a UAG (3.9.1) for my users. In our environment we use smart cards, so I am attempting to configure X.509 and it is failing. If the UAG is configured with Username/Password it works fine.
I have a cert from an external CA in "crt" format. Following the UAG Guide and setting up SAML, I am trying to convert the cert to one-line PEM format and I don't know if I am doing this correctly.
The doc says:
If your certificate is in PKCS#12 (.p12 or .pfx) format, or after the certificate is converted to PKCS#12 format, use openssl to convert the certificate to .pem files.
For example, if the name of the certificate is mycaservercert.pfx, use the following commands to convert the certificate:
openssl pkcs12 -in mycaservercert.pfx -nokeys -out mycaservercert.pem
openssl pkcs12 -in mycaservercert.pfx -nodes -nocerts -out mycaservercertkey.pem
openssl rsa -in mycaservercertkey.pem -check -out mycaservercertkeyrsa.pem
In my case the cert I received was in "crt" format from the CA, so I converted it to "pfx" format using openssl:
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt
Once the file was converted to pfx, I ran the commands as described above and created the 3 files. Then I converted them to one line PEM format as the doc says to do using the awk command.
However, when I went to configure the SAML settings in the UAG and uploaded the private keyfile, I get the following error:
Invalid PEM format. Exception message: -----END RSA PRIVATE KEY not found
I checked the file in Notepad++ and it is clearly there. I even tried removing the trailing "\n" but it made no difference.
I even tried uploading the normal PEM cert files (I read somewhere recently that single-line conversion is no longer needed). The UAG accepts them, but authentication still fails when attempting to log in. Checking the authbroker.log file in the UAG, I found this line...
Caused by: java.io.IOException: -----END RSA PRIVATE KEY not found
I'm kinda stumped at this point. Can anyone offer any advice?
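
An added example, not part of the original post or of the UAG documentation: a Python check of PEM framing (paired BEGIN/END labels, CRLF line endings, text ahead of the first BEGIN line, base64 body) that can be run over a key or certificate file before it is uploaded. The name `check_pem`, the constructed sample data, and the assumption that the one-line form joins lines with a literal backslash followed by `n` belong to this example.

```python
import base64
import re

BOUNDARY = re.compile(r"-----(BEGIN|END) ([A-Z0-9 ]+)-----")

def check_pem(text):
    """Return (form, problems) for PEM text; an empty problems list means the framing is consistent."""
    problems = []
    # Assumption: the one-line form joins lines with a literal backslash + 'n'.
    form = "one-line" if "\\n" in text else "multi-line"
    text = text.replace("\\n", "\n")
    if "\r" in text:
        problems.append("carriage returns (CRLF line endings) present")
    marks = list(BOUNDARY.finditer(text))
    if not marks:
        return form, problems + ["no PEM boundary lines found"]
    if text[:marks[0].start()].strip():
        problems.append("text before the first BEGIN line")
    if len(marks) % 2:
        problems.append("unpaired boundary line")
    for begin, end in zip(marks[0::2], marks[1::2]):
        if (begin.group(1), end.group(1)) != ("BEGIN", "END"):
            problems.append("boundary lines out of order")
            continue
        if begin.group(2) != end.group(2):
            problems.append(f"label mismatch: BEGIN {begin.group(2)} / END {end.group(2)}")
        # The body between the boundary lines must be strict base64.
        body = re.sub(r"\s+", "", text[begin.end():end.start()])
        try:
            base64.b64decode(body, validate=True)
        except ValueError:
            problems.append(f"{begin.group(2)} body is not valid base64")
    return form, problems

# Constructed sample data: the body is placeholder bytes, not a real key.
BODY = base64.b64encode(b"constructed placeholder, not key material").decode()
GOOD = f"-----BEGIN RSA PRIVATE KEY-----\n{BODY}\n-----END RSA PRIVATE KEY-----\n"
SAMPLES = {
    "good": GOOD,
    "one-line": GOOD.replace("\n", "\\n"),
    "crlf": GOOD.replace("\n", "\r\n"),
    "bag-attributes": "Bag Attributes\n    friendlyName: constructed\n" + GOOD,
    "label-mismatch": GOOD.replace("BEGIN RSA PRIVATE", "BEGIN PRIVATE"),
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, check_pem(sample))
```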