eu-digital-green-certificates / dgca-verifier-service

Repository for the dgca verifier service.
Apache License 2.0

Could not find *.p12 files #39

Closed bcanozgur closed 2 years ago

bcanozgur commented 3 years ago

Hi, in the docker-compose file there are tls_trust_store.p12 and tls_key_store.p12 certificate files as TLSKEYSTORE and TLSTRUSTSTORE. I did not find how to find or generate these files in the documentation. How do I get these files?

Thanks.

daniel-eder commented 3 years ago

@slaurenz @SchulzeStTSI do you have some input on this?

joerg-oppermann-tsi commented 3 years ago

@slaurenz, please document.

f11h commented 3 years ago

Hi @bcanozgur ,

The tls_trust_store contains the public key (certificate) of the DGC Gateway. You will get a .pem from DIGIT. This .pem needs to be converted into PKCS#12 format:

openssl pkcs12 -export -nokeys -in pub_tls.pem -name trust -out tls_trust_store.p12

The tls_key_store contains your key pair used to access the gateway. This needs to be generated by yourself and then whitelisted by the operations team (see onboarding manual). To use it in the verifier service this needs to be converted as well:

openssl pkcs12 -export -in tls.pem -inkey tls_private.pem -name 1 -out tls_key_store.p12

For information on how to generate certificates for the DGC Gateway please have a look at the documentation of the Gateway: https://github.com/eu-digital-green-certificates/dgc-gateway
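As an added example (not the project's own code and not part of this thread), the following shell script builds both stores from PEM input the way the two openssl commands above do, and then checks what actually landed in each store. The gateway certificate and the client key pair are created self-signed on the spot as constructed stand-ins; the file names, the work directory and the store password are assumptions made for the example only.

```shell
#!/bin/sh
# Added example, not part of the dgca-verifier-service project: build the two
# PKCS#12 stores that docker-compose expects (TLSTRUSTSTORE and TLSKEYSTORE)
# from PEM input with openssl, then verify their contents before deploying.
# Assumptions: openssl is on PATH; all file names, the work directory and the
# store password are placeholders chosen for this example.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
STORE_PASS="${STORE_PASS:-changeit}"   # placeholder; use a real secret in a deployment

# Constructed stand-ins: a self-signed "gateway" certificate (in reality the
# .pem you receive from DIGIT) and a self-signed client key pair (in reality
# the pair you generate and get whitelisted through onboarding).
make_demo_pems() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=demo-gateway" \
    -keyout "$WORKDIR/gateway_private.pem" -out "$WORKDIR/pub_tls.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=demo-client" \
    -keyout "$WORKDIR/tls_private.pem" -out "$WORKDIR/tls.pem" 2>/dev/null
}

# Trust store: certificate only. Without -nokeys, openssl looks for a private
# key inside pub_tls.pem and fails, because none is supplied.
build_trust_store() {
  openssl pkcs12 -export -nokeys -in "$WORKDIR/pub_tls.pem" -name trust \
    -out "$WORKDIR/tls_trust_store.p12" -passout "pass:$STORE_PASS"
}

# Key store: client certificate plus its private key, under alias "1".
build_key_store() {
  openssl pkcs12 -export -in "$WORKDIR/tls.pem" -inkey "$WORKDIR/tls_private.pem" \
    -name 1 -out "$WORKDIR/tls_key_store.p12" -passout "pass:$STORE_PASS"
}

# Number of private keys in a store: must be 0 for the trust store and 1 for
# the key store. A trust store that carries a private key was built wrongly.
count_private_keys() {
  openssl pkcs12 -in "$1" -passin "pass:$STORE_PASS" -nocerts -nodes 2>/dev/null \
    | grep -c 'BEGIN .*PRIVATE KEY' || true
}

# Number of certificates in a store.
count_certs() {
  openssl pkcs12 -in "$1" -passin "pass:$STORE_PASS" -nokeys 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE' || true
}

# True if the store's certificate bag carries the given friendlyName; this is
# the alias that the *_ALIAS settings in docker-compose have to match.
has_alias() {
  openssl pkcs12 -in "$1" -passin "pass:$STORE_PASS" -nokeys 2>/dev/null \
    | grep -q "friendlyName: $2"
}

main() {
  make_demo_pems
  build_trust_store
  build_key_store
  echo "trust store: $(count_certs "$WORKDIR/tls_trust_store.p12") cert(s), $(count_private_keys "$WORKDIR/tls_trust_store.p12") key(s)"
  echo "key store:   $(count_certs "$WORKDIR/tls_key_store.p12") cert(s), $(count_private_keys "$WORKDIR/tls_key_store.p12") key(s)"
  if has_alias "$WORKDIR/tls_key_store.p12" 1; then echo "key store alias 1: present"; fi
}

if [ "${1:-}" = "run" ]; then main; fi
```

Run it as `sh build_stores.sh run` (script name assumed) or source it and call the functions with your real PEM files in place of the demo ones. Run `has_alias` on each store to confirm that the friendlyName you passed with -name really ended up in it; the verifier's alias settings in docker-compose have to match that value, and the `count_private_keys` check catches a trust store that accidentally contains a private key.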

sadiqur-rahman-titra commented 3 years ago

Hi,

We could not find the pem files that you provided as an example in the documentation of the Gateway. Are these pem files presented in the Gateway document? If so, which ones are the TLS pem files?

Thanks in advance.

slaurenz commented 3 years ago

Hi @sadiqur-rahman-titra,

There are no .pem files available in the git repositories. If you want to use the Gateway of the acceptance environment, you will need to generate your keys and get them whitelisted by the operators, as described in the onboarding document of the gateway: https://github.com/eu-digital-green-certificates/dgc-participating-countries/blob/main/gateway/OnboardingChecklist.md

If you want to run your own gateway for development, you also need to generate the keys, but you can whitelist them yourself, as described in the Start Local section of the gateway description: https://github.com/eu-digital-green-certificates/dgc-gateway

sadiqur-rahman-titra commented 3 years ago

Hi @slaurenz, thank you for your response. Special thanks for updating the docs. I was able to get all the nodes running except for dgca-verifier-service. I must appreciate the docs, they are quite straightforward. But the last bit was a little confusing. Let me explain step by step what I have done, so that you may point out the mistake I have made. (Disclaimer: I'm no OpenSSL expert, might have made a mistake there)

First I got the gateway up and running. During this process, I created all the private keys and certificates as the document suggests. After this step, I verified the gateway using Postman (/trustList returned all 3 certificates).

To run dgca-verifier-service, I would need 3 files: trust_anchor, trust_store, and key_store. In my case, the trust_anchor is ta.jks. key_store would be the outcome of the command openssl pkcs12 -export -in cert_auth.pem -inkey key_auth.pem -name 1 -out tls_key_store.p12 (I'm using the exact same files described in this step). trust_store would be the outcome of openssl pkcs12 -export -in cert_auth.pem -name trust -out tls_trust_store.p12 -nokeys. Note that in the document -nokeys is not mentioned, but without this flag, it throws an error.

Also notice that, in dgca-verifier-service/docker-compose.yml, DGC_GATEWAY_CONNECTOR_TRUSTANCHOR_ALIAS is mentioned as ta while dgcg_trust_anchor was used as an alias; I replaced that as well. The context.json file was also modified to match my local URL and public key (here the public key is obtained from the route [GET] /cert/publicKey of dgc-issuance-service).

Finally I ran mvn clean install && docker-compose up --build, where everything went fine except that it failed to download certificates from the gateway: Download of TrustListItems failed. DGCG responded with status code: 401.

Just to try out, I also generated tls_trust_store.p12 and tls_key_store.p12 from key_ta.pem and cert_ta.pem, that didn't work either.

Any idea how to overcome this problem? Thank you.

f11h commented 3 years ago

Do you have any logs from DGCG? It should tell us why the client certificate is not accepted.

p3j4m commented 3 years ago

I am facing some kind of problem. Does someone know what status code -1 means?

Upload TrustStore contains 0 trusted certificates.
Fetching TrustList from DGCG
Download of TrustListItems failed. DGCG responded with status code: -1
DSC TrustStore contains 0 trusted certificates.
Certificates download finished

And is DGC_GATEWAY_CONNECTOR_ENDPOINT address https://test-dgcg-ws.tech.ec.europa.eu in test?

f11h commented 3 years ago

-1 means the connector did not even get a response from DGCG. It means you have an error in initializing the connection. Maybe you are using a proxy or something like that?

LonieN commented 3 years ago

Hi sadiqur-rahman-titra,

Have you installed dgca-verifier-service successfully? I have an issue like this and don't know how to solve it. Can you help me? You can see my issue at: https://github.com/eu-digital-green-certificates/dgca-verifier-service/issues/63

Thanks.

LonieN commented 3 years ago

Hi p3j4m,

Have you installed dgca-verifier-service successfully? I have an issue like this and don't know how to solve it. Can you help me? You can see my issue at: #63

Thanks.

kerstin-oppermann-tsi commented 2 years ago

Think we can close this issue for now.