I'm trying to set up exchange messages with PEPPOL, I got SSL-certificate from them and import it to my as4 connector, but when I send messages from them test server I get error:
[Security verification] A wrong certificate is defined in the settings to verify the signature from peppol_test. The right certificate is not yet in the sign/encryption keystore, please import it.A problem occured during processing of inbound AS4 data (Module Processing, FailedAuthentication: EBMS:0101 [ [The inbound message is signed with the wrong certificate. The system expected the certificate with SHA1 fingerprint C1:CB:C9:1C:97:34:85:6C:86:10:62:CB:51:43:A1:8F:FA:B5:E3:AE but found a signature of a certificate with SHA1 fingerprint 0C:E9:91:D0:CE:61:7B:4F:01:AC:BA:06:AB:1D:CE:90:CF:FD:96:12]])
where:
C1:CB:C9:1C:97:34:85:6C:86:10:62:CB:51:43:A1:8F:FA:B5:E3:AE is certificate that I got from PEPPOL and imported to my AS4 connector
0C:E9:91:D0:CE:61:7B:4F:01:AC:BA:06:AB:1D:CE:90:CF:FD:96:12 I don't known and don't have this certificate((((
When I ask them support about this error, they gave me this answer
In Peppol we use the concept of a PKI (Private Key Infrastructure) to establish common trust in the network. We trust all PEPPOL AP/SMP certificates issued by the defined PKI. This is also how your AS4 software must be configured.
When the TestBed sends to you, two certificates are involved in the process, let’s call them:
Corner2 certificate: The certificate of the sending Access Point (AP), in this case the Testbed.
Corner3 certificate: The certificate of the receiving AP, in this case you.
The TestBed, acting as Corner2 in this scenario (Sending AP). Will use your Corner3-certificate to encrypt the transaction. And will use it’s own Corner2-certificate to sign the transaction.
When you receive the transaction your software must be able to decrypt the transactions (using your own private key of the Corner3-certificate which you have available). And you also need to verify the signature of the sending Corner2-certificate. The Corner2-certificate must be resolved dynamically from the transaction, it is there in the payload, but you need to extract it. Then verify that the signature matches and also verify that the certificate is part of the agreed PKI.
The above concept is a bit different from regular AS4 connections, that historically have in many cases been set up on a point to point basis in a hardcoded fashion. Peppol is a dynamic network, you connect once and you are able to exchange transactions with anyone else on the network.
The most important from this answer is "The Corner2-certificate must be resolved dynamically from the transaction, it is there in the payload, but you need to extract it. Then verify that the signature matches and also verify that the certificate is part of the agreed PKI." But I don't know how I can configure it in Mendelson AS4.
Can help anybody me resolve this problem?
Comments
kovala, This issue is not…
Submitted by service on Wed, 09/14/2022 - 14:04
kovala,
This issue is not AS4 or peppol specific, it's more a question how certificates/keys are used/organized in the mendelson AS4 - it's the same as in mendelson OFTP2 and mendelson AS2 and other products.
There are different certificates for different jobs in the system. The TLS certificates/keys are to establish a secure connection. The signature/encryption keys/certificates are for the encryption/signature processes. If you receive a SSL certificate from your partner and you could not use it to verify a signature please ask your partner for the certificate to verify their signatures.
Regards
Hello Dear service, Yes I…
Submitted by kovala on Tue, 09/20/2022 - 11:51
Hello Dear service,
Yes I know that Mendelson as2/as4 keep ssl-certificates in two different places:
1 - for establish a secure connection - I don't have any problem with it.
2 - for encryption/decryption and sign/check - I don't have any problem with encryption/decryption where I use the certificate and key that I got before from PEPPOL. But I have problem with check a them signature where they use different certificates. These certificates must dynamically resolved during each transations from message payload on my side AS4 (Mendelson AS4). For resolve this problem I need to extract it, then verify that the signature matches and also verify that the certificate is part of the agreed PKI. But I don't know how I can do it???
And another question, is your AS4 connector can do it???