6 Replies Latest reply on Apr 22, 2010 7:15 AM by jeffruskatQ1

    passphrases not working from McAfee Foundstone Certificate Management Tool?

Are there many users of the McAfee Foundstone Certificate Management Tool for Foundstone v6.8?  We've had experiences with two v6.8 devices where we are getting errors consistent with incorrect passphrases.  Even when we attempt to verify these certificates with openssl, we are getting errors consistent with an incorrect passphrase, as below:

       

      openssl s_client -connect 172.16.70.50:3800 -CAfile FoundstoneCAPublicCertificate.pem -cert FoundstoneClientCertificate.pem -pass pass:uycLgp8zAMOFm5nGN0M58w==
      unable to load client certificate private key file
      32597:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:461:
      32597:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:425:

The passphrase looks weird with the padded = at the end (uycLgp8zAMOFm5nGN0M58w==) and looks different from the passphrases from the v6.5 device we have, but removing them does not result in a successful connection, and the passphrase is exactly as created by the application.  The other v6.8 device is having the same issues.

       

Have any other users experienced this, or are others having no problems using certificates created with the McAfee Foundstone Certificate Management Tool?

       

      Any advice is appreciated.

       

       

      Message was edited by: jeffruskatQ1 on 4/12/10 12:52:59 PM CDT
        • 1. Re: passphrases not working from McAfee Foundstone Certificate Management Tool?

I know the certificate manager does work.  You should use exactly the same characters as what is printed in the window for the passphrase.  What is the scenario for your utilization?  Where are you having the problem, and what are you trying to do?

          • 2. Re: passphrases not working from McAfee Foundstone Certificate Management Tool?

            Thanks for your response Dave.

             

            We are attempting to integrate with our v6.8 device through the API but first are attempting to get a certificate from it to create a keystore and truststore.  We have taken the passphrase exactly as showing in the window uycLgp8zAMOFm5nGN0M58w== but to no avail.

             

            So, in the short-term we simply attempted to verify the .pem files generated by the Certificate Management tool externally through openssl and the errors which were returned were consistent with what we've seen in other instances to be incorrect passphrases.  Shown below:

             

            $ openssl s_client -connect 172.16.70.50:3800 -CAfile FoundstoneCAPublicCertificate.pem -cert FoundstoneClientCertificate.pem -pass pass:uycLgp8zAMOFm5nGN0M58w==

             

            unable to load client certificate private key file
            2644:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:evp_enc.c:468:
            2644:error:0906A065:PEM routines:PEM_do_header:bad decrypt:pem_lib.c:425:

             

I'm not sure what else relevant I can add without getting past this basic step above.

             

            When we connect successfully to our v6.5 device, here are the results received as expected (if I add an incorrect passphrase, I get the exact error as above):

             

            $  openssl s_client -connect 172.16.107.168:3800 -CAfile FoundstoneCAPublicCertificate.pem -cert FoundstoneClientCertificate.pem -pass pass:C9ECE1E1A0424AFEA3DDE8BFC4922F3
            CONNECTED(00000003)
            depth=1 /CN=Foundstone Configuration Manager CA/L={06118130-EA17-4D78-8535-04250F4916BC}/OU=Custom Certificate Generator/O=Foundstone - a Division of McAfee Inc.(formerly Foundstone Inc.)
            verify return:1
            depth=0 /L={8EDACCCA-06CF-448C-AB53-6572A34D2677}/O=Foundstone - a Division of McAfee Inc.(formerly Foundstone Inc.)/OU=Custom Certificate Generator/CN=qaw2k3s.q1labs.lab
            verify return:1
            ---
            Certificate chain
            0 s:/L={8EDACCCA-06CF-448C-AB53-6572A34D2677}/O=Foundstone - a Division of McAfee Inc.(formerly Foundstone Inc.)/OU=Custom Certificate Generator/CN=qaw2k3s.q1labs.lab
               i:/CN=Foundstone Configuration Manager CA/L={06118130-EA17-4D78-8535-04250F4916BC}/OU=Custom Certificate Generator/O=Foundstone - a Division of McAfee Inc.(formerly Foundstone Inc.)
            1 s:/CN=Foundstone Configuration Manager CA/L={06118130-EA17-4D78-8535-04250F4916BC}/OU=Custom Certificate Generator/O=Foundstone - a Division of McAfee Inc.(formerly Foundstone Inc.)
               i:/CN=Foundstone Configuration Manager CA/L={06118130-EA17-4D78-8535-04250F4916BC}/OU=Custom Certificate Generator/O=Foundstone - a Division of McAfee Inc.(formerly Foundstone Inc.)
            ---
            Server certificate
            -----BEGIN CERTIFICATE-----
            MIIEazCCA9SgAwIBAgIBBjANBgkqhkiG9w0BAQQFADCB0TEsMCoGA1UEAxMjRm91
            bmRzdG9uZSBDb25maWd1cmF0aW9uIE1hbmFnZXIgQ0ExLzAtBgNVBAcUJnswNjEx
            ODEzMC1FQTE3LTRENzgtODUzNS0wNDI1MEY0OTE2QkN9MSUwIwYDVQQLExxDdXN0
            b20gQ2VydGlmaWNhdGUgR2VuZXJhdG9yMUkwRwYDVQQKE0BGb3VuZHN0b25lIC0g
            YSBEaXZpc2lvbiBvZiBNY0FmZWUgSW5jLihmb3JtZXJseSBGb3VuZHN0b25lIElu
            Yy4pMB4XDTA5MDUyMDEyMTY0N1oXDTEzMDUxOTEyMTY0N1owgcAxLzAtBgNVBAcU
            Jns4RURBQ0NDQS0wNkNGLTQ0OEMtQUI1My02NTcyQTM0RDI2Nzd9MUkwRwYDVQQK
            E0BGb3VuZHN0b25lIC0gYSBEaXZpc2lvbiBvZiBNY0FmZWUgSW5jLihmb3JtZXJs
            eSBGb3VuZHN0b25lIEluYy4pMSUwIwYDVQQLExxDdXN0b20gQ2VydGlmaWNhdGUg
            R2VuZXJhdG9yMRswGQYDVQQDExJxYXcyazNzLnExbGFicy5sYWIwgZ8wDQYJKoZI
            hvcNAQEBBQADgY0AMIGJAoGBAM6Nbr30hqWgD1F/lFkVHRlEvQLoIkQf4XWAjFBw
            nvOcmwIbs/KZDPXZfXUFfryLhDcOReXbYbfoVbWn1bnPktsKMyjVPHi5fkcV0fQB
            TBbygPuv050MUDtX/90W4Nc+J6fcF90MEiVzchq4BJtRPqUTmjl5jruKwQnyNt07
            fNzJAgMBAAGjggFgMIIBXDAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVu
            U1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUTjL7w9QAFCszmU9g
            c6LuIKWDgw0wggEABgNVHSMEgfgwgfWAFOCDwErWzTNNiGX2qSMzFdu/cVDfoYHX
            pIHUMIHRMSwwKgYDVQQDEyNGb3VuZHN0b25lIENvbmZpZ3VyYXRpb24gTWFuYWdl
            ciBDQTEvMC0GA1UEBxQmezA2MTE4MTMwLUVBMTctNEQ3OC04NTM1LTA0MjUwRjQ5
            MTZCQ30xJTAjBgNVBAsTHEN1c3RvbSBDZXJ0aWZpY2F0ZSBHZW5lcmF0b3IxSTBH
            BgNVBAoTQEZvdW5kc3RvbmUgLSBhIERpdmlzaW9uIG9mIE1jQWZlZSBJbmMuKGZv
            cm1lcmx5IEZvdW5kc3RvbmUgSW5jLimCAwUAADANBgkqhkiG9w0BAQQFAAOBgQA5
            feAQv6jYVTFHic0xfeKXsFw+D/WMrq6qp1vlNHcgAAhJZ51t0LO+nh/gHvqewPUX
            qobvLya3IuYNN0Ke2QMGaxFi+JSgyz1flm7fYrn20RfQLByVAX0z35JPr+LMdYZT
            wMzy8GXGtOku8W7KzR8G0/GsldN83CBBQ7GuNNt7PA==
            -----END CERTIFICATE-----
            subject=/L={8EDACCCA-06CF-448C-AB53-6572A34D2677}/O=Foundstone - a Division of McAfee Inc.(formerly Foundstone Inc.)/OU=Custom Certificate Generator/CN=qaw2k3s.q1labs.lab
            issuer=/CN=Foundstone Configuration Manager CA/L={06118130-EA17-4D78-8535-04250F4916BC}/OU=Custom Certificate Generator/O=Foundstone - a Division of McAfee Inc.(formerly Foundstone Inc.)
            ---
            No client certificate CA names sent
            ---
            SSL handshake has read 2825 bytes and written 2666 bytes
            ---
            New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
            Server public key is 1024 bit
            Compression: NONE
            Expansion: NONE
            SSL-Session:
                Protocol  : TLSv1
                Cipher    : DHE-RSA-AES256-SHA
                Session-ID: 46E897752FB16028AC9ADAA579F591B14DDB984FB741999793B78CABB032493A
                Session-ID-ctx:
                Master-Key: 86D81EC717144BFA29B0CB356F7B780ED91619FE4FA7D251F64A37AFF6D9799BC2C8DA5DC7F81873997C4F66BFE8FBCB
                Key-Arg   : None
                Start Time: 1271096631
                Timeout   : 300 (sec)
                Verify return code: 0 (ok)
            ---

            • 3. Re: passphrases not working from McAfee Foundstone Certificate Management Tool?

I should note that the Certificate Management Tool is putting trailing = signs on the passphrase, which doesn't seem right.

               

              Here are our two:

              C8yHeWV23MpuqWLWtBK8Bg==

              uycLgp8zAMOFm5nGN0M58w==

               

              And here's one from one of our partners:

              m5IWYoZ45E+VsolsDCovCg===

              • 4. Re: passphrases not working from McAfee Foundstone Certificate Management Tool?

                Hi Jeff,

                 

                Please open a Service Request with McAfee support to be sure you have the latest Certificate Tools for MVM 6.8.

                 

                If the problem persists after you've confirmed the above, we can pursue.

                 

                For contact details:

                -  Go to: http://www.mcafee.com/us/about/contact/index.html
                -  Non-US customers - select your country from the list of Worldwide Offices.


                Alternatively:
                Log in to the ServicePortal at: https://mysupport.mcafee.com:

                -  If you are a registered user, type your User Id and Password and click OK.
                -  If you are not a registered user, click New User and complete the required fields. Your password and login instructions will be emailed to you.

                 

                Thanks,

                Cathy

                • 5. Re: passphrases not working from McAfee Foundstone Certificate Management Tool?

                  Thanks Cathy.  I will do that.

                   

                  By the way, we currently have Foundstone Certificate Manager Version 6.8.0.7905.

                  • 6. Re: passphrases not working from McAfee Foundstone Certificate Management Tool?

                    After a very helpful remote session with Dave at McAfee/Foundstone we've gotten to the source of the problem.  So, to follow up for the benefit of others on the community ...

                     

                    The problem lies with the versions of openssl used.  We use openssl as part of a process that generates keystore and truststore files to access the Foundstone through the Open API.

                     

                    The Foundstone v6.8 uses the following version of openssl (openssl version at command line):

                     

                    OpenSSL FIPS Object Module v1.2

                     

                    which is not at all compatible with the versions of openssl on our client machines:

                     

                    OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008

                    (also tried with OpenSSL 0.9.8g 19 Oct 2007)

                     

Attempts to build newer FIPS-capable openssl versions from source (available at openssl.org) have not given us an openssl that works either.  In any case, the owners of the client machines are not agreeable to updating their openssl version due to other dependencies and unknown impacts.  Therefore we are left with processing the .pem files + passphrases into valid truststore/keystore files right on the Foundstone v6.8 box instead of on the client machines.  Not ideal, but it seems to be a functional workaround.

                     

                    If anyone has crossed this bridge in another manner, please post.

                     

                     

                    Message was edited by: jeffruskatQ1 on 4/22/10 7:15:13 AM CDT
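The "bad decrypt" in PEM_do_header above is raised while turning the passphrase into the DEK that unlocks the key, not while talking to the appliance, so it can be isolated from s_client entirely. The following Python script is an added example and is not code from the thread, from McAfee, or from OpenSSL: it parses the Proc-Type / DEK-Info headers of a "traditional" encrypted PEM key and re-implements the legacy EVP_BytesToKey derivation (MD5, one iteration, salt = first 8 bytes of the IV) that pre-1.1 OpenSSL uses for that format, so you can see which cipher the file expects and what key a given passphrase produces. The sample PEM block, the passphrase bytes and the `digest` parameter are constructed for illustration; the thread establishes that the 6.8 tool's OpenSSL and the client's 0.9.8 disagree, but not which step differs, so trying another digest here is an assumption-driven check, not a documented fix. It also shows why Dave's advice to type the passphrase character for character matters: the literal string `uycLgp8zAMOFm5nGN0M58w==`, the same string without its `==` padding, and the 16 bytes it base64-decodes to all derive different DEKs.

```python
"""Inspect an OpenSSL 'traditional' encrypted PEM key and derive its DEK.

Added example (not from the forum thread or from any vendor tool). Uses only
the standard library; decryption itself is left to openssl, this script only
answers "what cipher does the file want, and what key does this passphrase
produce under the legacy KDF?".
"""
import base64
import hashlib
import re

# Constructed sample: header layout as written by OpenSSL 0.9.8-era tools.
# The base64 body is filler (48 zero bytes), not a real RSA key.
SAMPLE_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""

# Passphrase as displayed by the 6.8 tool in the thread (kept literally,
# including the trailing '==').
SAMPLE_PASSPHRASE = b"uycLgp8zAMOFm5nGN0M58w=="

# cipher name in DEK-Info -> (key length, IV length) in bytes
CIPHER_PARAMS = {
    "DES-CBC": (8, 8),
    "DES-EDE3-CBC": (24, 8),
    "AES-128-CBC": (16, 16),
    "AES-192-CBC": (24, 16),
    "AES-256-CBC": (32, 16),
}

PEM_RE = re.compile(r"-----BEGIN ([^-]+)-----\n(.*?)-----END \1-----", re.S)


def parse_pem(pem_text):
    """Split a PEM block into label, RFC 1421-style headers and decoded body.

    Returns a dict; 'encrypted' is True only for Proc-Type: 4,ENCRYPTED blocks,
    in which case 'cipher' and 'iv' come from the DEK-Info header.
    """
    text = pem_text.replace("\r\n", "\n")
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM block found")
    label, contents = m.group(1), m.group(2)
    # Headers (if any) are separated from the base64 body by one blank line.
    header_text, body_text = contents.split("\n\n", 1) if "\n\n" in contents else ("", contents)
    headers = {}
    for line in header_text.splitlines():
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip()] = v.strip()
    body = base64.b64decode("".join(body_text.split()))
    info = {"label": label, "headers": headers, "body": body, "encrypted": False}
    if headers.get("Proc-Type") == "4,ENCRYPTED":
        cipher, iv_hex = headers["DEK-Info"].split(",", 1)
        cipher = cipher.strip()
        if cipher not in CIPHER_PARAMS:
            raise ValueError("unsupported DEK-Info cipher: %s" % cipher)
        iv = bytes.fromhex(iv_hex.strip())
        if len(iv) != CIPHER_PARAMS[cipher][1]:
            raise ValueError("IV length %d does not match %s" % (len(iv), cipher))
        info.update(encrypted=True, cipher=cipher, iv=iv)
    return info


def evp_bytes_to_key(passphrase, salt, key_len, digest="md5", count=1):
    """Legacy OpenSSL EVP_BytesToKey: D_i = H(D_{i-1} || passphrase || salt).

    Pre-1.1 OpenSSL uses digest=md5, count=1 for traditional PEM keys; the
    digest argument exists so a different derivation can be tried when two
    OpenSSL builds disagree (an assumption to test, not a documented cause).
    """
    derived, prev = b"", b""
    while len(derived) < key_len:
        d = hashlib.new(digest, prev + passphrase + salt).digest()
        for _ in range(count - 1):
            d = hashlib.new(digest, d).digest()
        derived += d
        prev = d
    return derived[:key_len]


def derive_dek(pem_text, passphrase, digest="md5"):
    """Return the hex DEK a legacy OpenSSL would use to decrypt this PEM key."""
    info = parse_pem(pem_text)
    if not info["encrypted"]:
        raise ValueError("PEM block is not encrypted")
    key_len = CIPHER_PARAMS[info["cipher"]][0]
    salt = info["iv"][:8]  # OpenSSL salts the KDF with the first 8 IV bytes
    return evp_bytes_to_key(passphrase, salt, key_len, digest).hex()


def passphrase_variants(pem_text, passphrase):
    """DEKs for the literal passphrase, the same string without '=' padding,
    and the raw bytes it base64-decodes to; all three differ, which is why
    the passphrase must be used exactly as the tool displays it."""
    return {
        "literal": derive_dek(pem_text, passphrase),
        "unpadded": derive_dek(pem_text, passphrase.rstrip(b"=")),
        "decoded": derive_dek(pem_text, base64.b64decode(passphrase)),
    }


if __name__ == "__main__":
    info = parse_pem(SAMPLE_PEM)
    print("label:", info["label"], "cipher:", info["cipher"], "iv:", info["iv"].hex())
    for name, dek in passphrase_variants(SAMPLE_PEM, SAMPLE_PASSPHRASE).items():
        print("%-9s %s" % (name, dek))
```

To check a real file, point `parse_pem` at the key section of `FoundstoneClientCertificate.pem`; if DEK-Info names a cipher and the derived DEK is what you expect, the remaining suspect is the OpenSSL build, which is what the thread ends up concluding. The standalone equivalent on the command line is `openssl rsa -in <key.pem> -passin pass:<passphrase> -noout`, which exercises only the key decryption without any network connection.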