Facing issues while connectiong with SSL Certificate

[FWDQK]

Hi Team,

I am getting below error while connecting AS400 Server with SSL certificate.
I used -clientcert argument and pass Name of certificate from Personal Certificare Store.
Could you please help me to solve the error.

[pmattes]

This is the error message given when the Windows SChannel code cannot find the certificate. What name did you use with '-clientcert'? wc3270 is looking for the Friendly Name of the cert, which I just verified still works properly.

[FWDQK]

Hi @pmattes please refer below steps I have tried.

[pmattes]

My best guess is that Windows is able to find your certificate, but is not happy with it. The expiration date 543 years in the future looks a little fishy -- is this an actual certificate issued by the administrators of the host you are trying to connect to, or something you created yourself?

I know that TLS-related options can be fiendishly tricky to get right. Unfortunately this is an intrinsic property of the TLS protocol itself.

Could you explain a bit more about what it is you are trying to do with TLS?

[robinmatz]

@FWDQK

I think you might have imported the certificate into the wrong certificate store. Your certificate is in Certificates - Local Computer. However, it should be in Certificates - Current User. I just verified that I got the above error message when the certificate was in the store for the local computer, but not when it was in the store for the current user.

[FWDQK]

Hi I added certificate in Current User and now I got below error, Is this is the problem with TLS certificate.

[pmattes]

@robinmatz, I missed this -- excellent catch! I have updated the Wiki to make this explicit.

@FWDQK, yes, it appears that Windows has found your certificate now, but does not like its contents.

[robinmatz]

@FWDQK
I was able to reproduce the error message you are getting. This happened when I imported the certificate as .pem (or .crt, or .cer) with content as plain text into the store. In this case, when importing, the certificate store did not ask me for the certificate's passphrase. I suppose this is what is happening in your case.

To verify, could you please post a screenshot for every step you take when importing the certificate into your personal store?

[FWDQK]

@robinmatz I followed below steps to import the certificate.

[robinmatz]

@FWDQK
Just as I thought.

For clarification:
What does the content of your certificate file look like.

Does it start with
----- BEGIN CERTIFICATE -------

or

----- BEGIN RSA PRIVATE KEY ------

or does it contain multiple such sections?

[FWDQK]

@robinmatz I have .cer file which looks like this.

[robinmatz]

@FWDQK
What strikes me about the content is that the valid from date is also more than 500 years in the future.

Could you ask your server admin to issue a new certificate with valid starting date (and also a more reasonable ending date)?

[FWDQK]

@robinmatz the validity is not actually 500 years in the future, it is an 2023 by gregorian calendar and 2566 by Thai Calendar.