Cannot get Buypass SSL Cert

Hi,

I am trying to get a cert for testing. I am able to get certs from all authorities except for Buypass SSL for some reason. Unfortunately, I keep getting:

Failed to build certificate as PFX. Check system date/time is correct and that the issuing CA is a trusted root CA on this machine (or in custom_ca_certs). :non-empty set required
Parameter name: value System.Exception: Failed to build certificate as PFX. Check system date/time is correct and that the issuing CA is a trusted root CA on this machine (or in custom_ca_certs). :non-empty set required
Parameter name: value
   at Certify.Providers.ACME.Certes.CertesACMEProvider.ExportFullCertPFX(String certFriendlyName, String pwd, IKey csrKey, CertificateChain certificateChain, String certId, String primaryDomainPath, Boolean includeCleanup) in D:\a\certify-service\certify-service\src\certify-build\certify\src\Certify.Providers\ACME\Certes\CertesACMEProvider.cs:line 1579
   at Certify.Providers.ACME.Certes.CertesACMEProvider.<CompleteCertificateRequest>d__35.MoveNext() in D:\a\certify-service\certify-service\src\certify-build\certify\src\Certify.Providers\ACME\Certes\CertesACMEProvider.cs:line 1260
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Certify.Management.CertifyManager.<CompleteCertificateRequestProcessing>d__17.MoveNext() in D:\a\certify-service\certify-service\src\certify-build\certify\src\Certify.Core\Management\CertifyManager\CertifyManager.CertificateRequest.cs:line 953
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Certify.Management.CertifyManager.<PerformCertificateRequestProcessing>d__16.MoveNext() in D:\a\certify-service\certify-service\src\certify-build\certify\src\Certify.Core\Management\CertifyManager\CertifyManager.CertificateRequest.cs:line 758
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Certify.Management.CertifyManager.<PerformCertificateRequest>d__14.MoveNext() in D:\a\certify-service\certify-service\src\certify-build\certify\src\Certify.Core\Management\CertifyManager\CertifyManager.CertificateRequest.cs:line 461

I already confirmed the time, tried downloading and importing all the Buypass Root CA Certs (Buypass Root certificates | Buypass.com) in the local certificate store under Trusted Root CAs. I also tried putting the pem certs in C:\ProgramData\certify\custom_ca_certs\pem and restarting the certify service, server, and trying on a different machine but it still returns the same error.

Please let me know what I am missing.

I am running version 5.5.4.0 on Windows Server 2019 and tried on Windows 10. A use case I am trying to implement this for is RADIUS/enterprise wifi, but Android tightened down security and the user can no longer skip certificate validation. I tried the other CAs but mobile devices (especially Android) do not trust their root CAs for these certs out of the box. I would like to try Buypass SSL because I saw it listed in Android’s trusted root store and would like to see if it will connect without much user intervention.

Thanks

Thanks, yes if you have the root certs this should all be working ok. Let me see if I can re-create the issue on a different machine…

Thanks, so the only way I was able to recreate this was by deleting the “Buypass Class 2 Root CA” certificate from Certificates > Local Computer > Trusted Root Certification Authorities > Certificates in certlm.msc.

Note that you need to use certlm.msc (local machine), not certmgr.msc (current user) certificate manager to import the certificates into Trusted Root Certification Authorities.

You mentioned you tried custom_ca_certs as pem format, where did you get the pem file from? The Buypass website uses DER format (as .cer). If you are downloading from http://crt.buypass.no/crt/BPClass2Rot.cer then you need to put it in C:\ProgramData\Certify\custom_ca_certs\der.

After any of these changes (importing to the cert store or adding new der or pem files in custom_ca_certs) you need to restart the Certify background service, but it sounds like you were doing that already.

The custom_ca_certs is really for testing purposes and you are better off installing the root cert into the machine store.

In addition, if you are moving to Buypass for Android compatibility, I’m guessing that your server currently serves the ISRG Root X1 chain instead of the old (more compatible) DST Root CA X3 chain. To resume serving the compatible chain, ensure you have “ISRG Root X1 cross signed by DST Root CA X3” installed under “Intermediate Certification Authorities” (https://letsencrypt.org/certs/isrg-root-x1-cross-signed.der) using certlm.msc.
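
Added example, not part of the original posts or of Certify The Web: a PowerShell check for the two causes discussed in this thread, namely the root being imported into the current-user store instead of the local-machine store, and a DER file sitting in the pem folder (or the reverse) under custom_ca_certs. The function names are made up for illustration; the subject name and folder path are the ones quoted in the thread.

```powershell
# Added example. Function names are hypothetical; the root name and folder
# path are taken from the thread above.
$RootName  = 'Buypass Class 2 Root CA'
$CustomDir = 'C:\ProgramData\Certify\custom_ca_certs'

function Test-RootPlacement {
    param([string]$Name)
    # Cert:\LocalMachine\Root is the store certlm.msc shows;
    # Cert:\CurrentUser\Root is the one certmgr.msc shows.
    $machine = @(Get-ChildItem -Path Cert:\LocalMachine\Root |
                 Where-Object { $_.Subject -like "*$Name*" })
    $user    = @(Get-ChildItem -Path Cert:\CurrentUser\Root |
                 Where-Object { $_.Subject -like "*$Name*" })
    if ($machine.Count -gt 0) { return 'OK: present in LocalMachine\Root' }
    if ($user.Count -gt 0)    { return 'WRONG STORE: only visible in CurrentUser\Root' }
    return 'MISSING: not found in either Root store'
}

function Get-CertFileEncoding {
    param([string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $head  = [System.Text.Encoding]::ASCII.GetString(
                 $bytes, 0, [Math]::Min(64, $bytes.Length))
    # PEM is base64 text with a BEGIN marker; DER is raw ASN.1 and a
    # certificate starts with the SEQUENCE tag 0x30.
    if ($head -match '-----BEGIN CERTIFICATE-----') { return 'pem' }
    if ($bytes.Length -gt 1 -and $bytes[0] -eq 0x30) { return 'der' }
    return 'unknown'
}

function Test-CustomCaFolders {
    param([string]$BaseDir)
    foreach ($sub in 'pem', 'der') {
        $dir = Join-Path $BaseDir $sub
        if (-not (Test-Path $dir)) { continue }
        Get-ChildItem -Path $dir -File | ForEach-Object {
            $actual = Get-CertFileEncoding -Path $_.FullName
            [pscustomobject]@{
                File     = $_.FullName
                Folder   = $sub
                Encoding = $actual
                Mismatch = ($actual -ne $sub)   # e.g. a DER .cer saved under \pem
            }
        }
    }
}

Test-RootPlacement -Name $RootName
Test-CustomCaFolders -BaseDir $CustomDir | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the machine running the Certify service, then restart the service after moving or re-importing any file it flags.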