Visa Developer Community

Helper

Re: Always getting "Expected input credential was not present" error

Hey,

 

Apologies for the late reply. I have created and added the CA (DigiCertGlobalRootCA.cer) and Visa (VDPCA-SBX.pem) certificates to the clientkeystore.jks file but would like to just ask: where do I make use of the private and public keys of my project now? Do I need to import them to the keystore as well?

 

Thanks

Visa Dev Moderator

Re: Always getting "Expected input credential was not present" error

Hi @boav_rum,

 

Please follow the Two-Way SSL guide step-by-step and in its specific order. The guide is here - https://developer.visa.com/pages/working-with-visa-apis/two-way-ssl#

 

From the guide, I have compiled some information for you to take a look at as it relates to your question.

 

To establish a Two-Way SSL (Mutual Authentication) connection, you must have the following:
* private key
* client certificate
* certificate authority root certificate, and
* certificate authority intermediate certificates (Note: These certificates are optional for the Visa Developer sandbox)

 

You will need to obtain a private key, client certificate, and certificate authority root certificate. You will also learn about how to bundle the certificates into keystores, using Java keytool or OpenSSL.

 

The process of creating the CSR yields the CSR file itself and also a private key (which corresponds to a public key, which is encoded into the CSR file). There are multiple tools that you can use to create a CSR, such as Java keytool or OpenSSL. Both tools are available for free to download from the Internet for all major operating systems.

 

Configuring a Two-Way SSL Keystore Using an Auto-generated CSR

 

Visa Developer creates the CSR file and submits the CSR to itself. The output of this process is the private key and the certificate of the client.

 

Depending on the APIs you select, click on either Submit a Certificate Signing Request or Generate a CSR for Me.


Visa Developer self-submits a certificate request and produces a .pem file with the private key of your certificate in it.

 

Note: Once you complete the project creation process, Visa Developer Platform (VDP) will provide you with the links of the certificates to download. In this case, Visa Developer provides a VDP CSR. Once you obtain the private key and the certificates, you can begin to create the key stores and start testing mutual SSL connectivity.

 

Configuring a Two-Way SSL Keystore Using an Auto-generated CSR

 

The following steps include examples for context.

1. Place your private key file (for example: privateKey.pem) and your certificate file from VDP (for example: cert.pem) in the same directory. Generate a keystore (for example: myProject_keyAndCertBundle.p12) file as shown below.

> openssl pkcs12 -export -in cert.pem -inkey "privateKey.pem" -certfile cert.pem -out myProject_keyAndCertBundle.p12

Note: The myProject_keyAndCertBundle.p12 is only a placeholder file name. You may choose to name it anything else.

2. If you need a Java Key Store, run the following Java keytool command to convert your P12 file into a JKS file.

> keytool -importkeystore -srckeystore myProject_keyAndCertBundle.p12 -srcstoretype PKCS12 -destkeystore myProject_keyAndCertBundle.jks

3. Run the following Java keytool command to validate the contents of your new JKS file.

> keytool -list -v -keystore myProject_keyAndCertBundle.jks

4. Run the following command to add the root certificate to your JKS file.

> keytool -import -alias ejbca -keystore myProject_keyAndCertBundle.jks -file VDPCA-SBX.pem -storepass <password>


To generate a CSR using keytool:

 

1. Generate a keystore file that contains public/private key pair (for example: 'clientkeystore.jks'), as shown below, using RSA, a keysize of 2048, and a password. Keytool manages everything through the Java Key Store (JKS).

keytool -genkeypair -alias client -keyalg RSA -keysize 2048 -keystore clientkeystore.jks -storepass <password> -keypass <password> -dname "CN=<common name>, OU=<organizational unit>, O=<organization name>, L=<city/locality name>, ST=<state name>, C=<country name>"

2. Generate the Certificate Signing Request (for example: 'certreq.csr') file from your Java Key Store as shown below. Be sure to copy the User ID and Password because you will need these to invoke APIs with Two-Way SSL.

keytool -certreq -alias client -keystore clientkeystore.jks -storepass <password> -keypass <password> -file certreq.csr


You now have the Java Key Store file (which contains your private key) and the CSR file.
Certificate (root CA) and the certificate (client cert) to a local folder. You should see both VDPCA.pem and cert.pem in your local folder.


3. Update Java Key Store with Root Certificate and Client Certificate using Java Keytool.

To invoke an API using Two-Way SSL, you must have a client certificate and your root CA in your keystore, since your Java SSL library only accepts one input for all certificates – the keystore. Therefore, you will need to add the certificates downloaded from VDP to the keystore (for example: clientkeystore.jks) that you generated while creating the CSR.

To add a project-specific certificate to the keystore:

1. Add the VDP CA Root Public Certificate to the keystore:

keytool -import -alias ejbca -keystore clientkeystore.jks -file VDPCA-Sandbox.pem -storepass <password>

Note: Replace the <password> above with the actual password that was used while creating the clientkeystore.jks.

Click yes when prompted to trust the certificate option.

2. Add the project specific certificate to the keystore:

keytool -import -alias client -keystore clientkeystore.jks -file cert.pem -storepass <password>

The resulting file, called clientkeystore.jks, will contain your private key, your client certificate and your VDP CA root certificate.

 

Was your question answered? Don't forget to click on "Accept as Solution" to help other devs find the answer to the same question.

Thanks,
Diana
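
The keystore built in the steps above only works for Two-Way SSL if it holds a private-key entry that matches the client certificate, not just trusted CA certificates. The following POSIX shell script is an added example, not part of the thread or of Visa's guide: it assumes the openssl CLI is installed, builds throwaway credentials (the "Demo Root CA", the `changeit` password and the `identity.p12` / `trustonly.p12` names are constructed), and checks each property in turn.

```shell
#!/bin/sh
# Added example with constructed, throwaway credentials (not Visa's files).
# Assumes the openssl CLI is on PATH; "changeit" is a placeholder password.

# Build a disposable CA plus a client key and certificate signed by it,
# using the same file names as the thread (privateKey.pem, cert.pem).
make_demo_credentials() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
        -keyout "$1/privateKey.pem" -out "$1/certreq.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/certreq.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -set_serial 1 -days 1 -out "$1/cert.pem" 2>/dev/null
}

# True when the private key ($1) and the certificate ($2) share a public key.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ "$key_pub" = "$cert_pub" ]
}

# True when the certificate ($2) verifies against the CA file ($1).
cert_chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# True when the PKCS#12 file ($1, password $2) holds a private key, i.e. it can
# act as a client identity and is not just a list of trusted certificates.
p12_has_private_key() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null |
        grep -q "PRIVATE KEY"
}

# Bundle key + client cert + CA (identity store) and, for contrast, a store
# that contains only the CA certificate (trust-only, no client credential).
build_bundles() {
    openssl pkcs12 -export -in "$1/cert.pem" -inkey "$1/privateKey.pem" \
        -certfile "$1/ca.pem" -name client -passout pass:changeit \
        -out "$1/identity.p12" &&
    openssl pkcs12 -export -nokeys -in "$1/ca.pem" -passout pass:changeit \
        -out "$1/trustonly.p12"
}

demo() {
    d=$(mktemp -d) || return 1
    make_demo_credentials "$d" && build_bundles "$d" || { rm -rf "$d"; return 1; }
    key_matches_cert "$d/privateKey.pem" "$d/cert.pem" && echo "key matches cert"
    cert_chains_to "$d/ca.pem" "$d/cert.pem" && echo "cert chains to CA"
    p12_has_private_key "$d/identity.p12" changeit && echo "identity.p12: has key"
    p12_has_private_key "$d/trustonly.p12" changeit || echo "trustonly.p12: NO key"
    rm -rf "$d"
}
demo
```

For a JKS file, `keytool -list -v` reports the same distinction as `Entry type: PrivateKeyEntry` versus `trustedCertEntry`.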

Helper

Re: Always getting "Expected input credential was not present" error

 

Spoiler

Configuring a Two-Way SSL Keystore Using an Auto-generated CSR

 

The following steps include examples for context.

1. Place your private key file (for example: privateKey.pem) and your certificate file from VDP (for example: cert.pem) in the same directory. Generate a keystore (for example: myProject_keyAndCertBundle.p12) file as shown below.

> openssl pkcs12 -export -in cert.pem -inkey "privateKey.pem" -certfile cert.pem -out myProject_keyAndCertBundle.p12

Note: The myProject_keyAndCertBundle.p12 is only a placeholder file name. You may choose to name it anything else.

2. If you need a Java Key Store, run the following Java keytool command to convert your P12 file into a JKS file.

> keytool -importkeystore -srckeystore myProject_keyAndCertBundle.p12 -srcstoretype PKCS12 -destkeystore myProject_keyAndCertBundle.jks

3. Run the following Java keytool command to validate the contents of your new JKS file.

> keytool -list -v -keystore myProject_keyAndCertBundle.jks

4. Run the following command to add the root certificate to your JKS file.

> keytool -import -alias ejbca -keystore myProject_keyAndCertBundle.jks -file VDPCA-SBX.pem -storepass <password>

Hi,

 

With reference to the above portion in the spoiler tag, I have the project certificate and its private key which has been generated by Visa. And for now, I am only interested in the sandbox. From what I have understood of your previous reply, I have created a jks keystore and added VDPCA-SBX.pem and DigiCertGlobalRootCA.cer to it but without the project certificate and its private key. 

 

However, based off the 2 way SSL page Visa has, the first command seems to be just adding the project certificate and its private key to a p12 keystore. As a side note, the "-in" parameter and "-certfile" parameter are the same?

openssl pkcs12 -export -in cert.pem -inkey "privateKey.pem" -certfile cert.pem -out myProject_keyAndCertBundle.p12

And then add in the Visa cert (VDPCA-SBX.pem)

keytool -import -alias ejbca -keystore myProject_keyAndCertBundle.jks -file VDPCA-SBX.pem -storepass

 

 

 

But I do not see the CA certificate (DigiCerGlobalCA.cer) being added. Can I confirm that with the resulting jks file (containing privateKey, projectCert, VDPCA-SBX only) I would be able to complete all the necessary client authentication processes when I establish the SSL socket?

 

And to clear up the terminology: 

private key: the file which is only available for download once upon creation of project.

client certificate: the project cert which is available for download beside the username and password portion of the project

certificate authority root certificate: is this DigiCertGlobalRootCA.cer? Or VDPCA-SBX.pem?

 

As always thank you for your prompt replies!

 

Visa Dev Moderator

Re: Always getting "Expected input credential was not present" error

Hi @boav_rum,

 

In this same forum post but previous post thread, I provided steps on Configuring Two-Way SSL Keystore Using Your Own CSR and how To generate a CSR using keytool - Generate a keystore file that contains public/private key pair (for example: 'clientkeystore.jks'), as shown below, using RSA, a keysize of 2048, and a password. Keytool manages everything through the Java Key Store (JKS). Please follow those steps.

 

In this reply forum post, here are the steps on how to Update Java Key Store with Root Certificate and Client Certificate using Java Keytool, Add the VDP CA Root Public Certificate to the keystore, and Add the project specific certificate to the keystore.

 

Please see my Java Keytool commands below. After creating your clientkeystore.jks file and the certreq1.csr file, you will need to add the following certificates to your clientkeystore.jks file.

 

From your project dashboard, download the project certificate with filename cert.pem and place it in the local folder where you have your clientkeystore.jks file and the certreq1.csr file. You should also have downloaded the Visa Development Platform Certificate with filename VDP-SBX.pem and also download the DigiCert Certificate with filename DigiCertGlobalRootCA.cer. Place all the downloaded files into the same local folder that your clientkeystore.jks and certreq1.csr files are in.

 

Before adding your DigiCertGlobalRootCA.cer file to the clientkeystore.jks file, make sure to go through the Windows Certificate Management steps, so that it is Base-64 encoded X.509 (.cer). I've provided the steps to do this below:

 

Windows Certificate Management
1. Double-click on the DigiCertGlobalRootCA.crt file to open it into the certificate display.
2. Select the Details tab, then select the Copy to file button.
3. Click Next on the Certificate Wizard.
4. Select Base-64 encoded X.509 (.CER), then Next.
5. Select Browse (to locate a destination) and type in the filename DigiCertGlobalRootCA.
6. Click Save. You now have the file DigiCertGlobalRootCA.cer

 

Note, I replaced the original downloaded DigiCertGlobalRootCA.cer with the DigiCertGlobalRootCA.cer file that has gone through the Windows Certificate Management steps above.

 

Now please follow the Java Keytool commands below to add these 3 certificates to your clientkeystore.jks file.

 

My example below is for Foreign Exchange Rates API but just follow this process for any API that requires Two-Way (Mutual) SSL authentication.

 

Java Keytool Commands and its Outputs

 

Microsoft Windows [Version 10.0.15063]
(c) 2017 Microsoft Corporation. All rights reserved.

 

C:\Users\dtranyee>cd C:\Users\dtranyee\Documents\A Test Project\20190626 Foreign Exchange Rates test1

 

C:\Users\dtranyee\Documents\A Test Project\20190626 Foreign Exchange Rates test1>keytool -genkeypair -alias client -keyalg RSA -keysize 2048 -keystore clientkeystore.jks -storepass Visa123 -keypass Visa123 -dname "CN=services.visa.com, OU=VDP, O=Visa, L=Foster City, ST=California, C=US"

 

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore clientkeystore.jks -destkeystore clientkeystore.jks -deststoretype pkcs12".

 

C:\Users\dtranyee\Documents\A Test Project\20190626 Foreign Exchange Rates test1>keytool -certreq -alias client -keystore clientkeystore.jks -storepass Visa123 -keypass Visa123 -file certreq1.csr

 

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore clientkeystore.jks -destkeystore clientkeystore.jks -deststoretype pkcs12".

 

C:\Users\dtranyee\Documents\A Test Project\20190626 Foreign Exchange Rates test1>keytool -import -alias DigiCertGlobalCA -keystore clientkeystore.jks -file DigiCertGlobalRootCA.cer


Enter keystore password:
Owner: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Issuer: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
Serial number: 83be056904246b1a1756ac95991c74a
Valid from: Thu Nov 09 16:00:00 PST 2006 until: Sun Nov 09 16:00:00 PST 2031
Certificate fingerprints:
MD5: 79:E4:A9:84:0D:7D:3A:96:D7:C0:4F:E2:43:4C:89:2E
SHA1: A8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36
SHA256: 43:48:A0:E9:44:4C:78:CB:26:5E:05:8D:5E:89:44:B4:D8:4F:96:62:BD:26:DB:25:7F:89:34:A4:43:C7:01:61
Signature algorithm name: SHA1withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

 

Extensions:

 

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: 03 DE 50 35 56 D1 4C BB 66 F0 A3 E2 1B 1B C3 97 ..P5V.L.f.......
0010: B2 3D D1 55 .=.U
]
]

 

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]

 

#3: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]

 

#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: 03 DE 50 35 56 D1 4C BB 66 F0 A3 E2 1B 1B C3 97 ..P5V.L.f.......
0010: B2 3D D1 55 .=.U
]
]

 

Trust this certificate? [no]: yes
Certificate was added to keystore

 

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore clientkeystore.jks -destkeystore clientkeystore.jks -deststoretype pkcs12".

 

C:\Users\dtranyee\Documents\A Test Project\20190626 Foreign Exchange Rates test1>keytool -import -alias ejbca -keystore clientkeystore.jks -file VDPCA-SBX.pem -storepass Visa123
Owner: C=US, O=VDPVISACA, CN=VDPCA
Issuer: C=US, O=VDPVISACA, CN=VDPCA
Serial number: 2d1ed295f96ad97a
Valid from: Thu Jul 23 21:27:37 PDT 2015 until: Sun Jul 20 21:27:37 PDT 2025
Certificate fingerprints:
MD5: 86:73:94:83:49:00:9D:82:CF:A0:BD:FE:F2:E3:95:F3
SHA1: A9:30:33:1C:EC:50:7C:71:60:51:4E:03:FF:9E:C1:CA:E6:FE:EC:C4
SHA256: 8D:65:FA:35:59:FD:C3:43:F0:E6:F0:DF:AB:03:DE:49:F3:76:14:20:22:69:C4:B2:56:1A:AC:24:07:7B:C1:F6
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3

 

Extensions:

 

#1: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
KeyIdentifier [
0000: AF DD 6E B6 A0 4B 9C 79 B9 16 08 62 E6 23 31 10 ..n..K.y...b.#1.
0010: A7 82 EB A1 ....
]
]

 

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
CA:true
PathLen:2147483647
]

 

#3: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
DigitalSignature
Key_CertSign
Crl_Sign
]

 

#4: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
0000: AF DD 6E B6 A0 4B 9C 79 B9 16 08 62 E6 23 31 10 ..n..K.y...b.#1.
0010: A7 82 EB A1 ....
]
]

 

Trust this certificate? [no]: yes
Certificate was added to keystore

 

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore clientkeystore.jks -destkeystore clientkeystore.jks -deststoretype pkcs12".

 

C:\Users\dtranyee\Documents\A Test Project\20190626 Foreign Exchange Rates test1>keytool -import -alias client -keystore clientkeystore.jks -file cert.pem -storepass Visa123
Certificate reply was installed in keystore

 

Warning:
The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format using "keytool -importkeystore -srckeystore clientkeystore.jks -destkeystore clientkeystore.jks -deststoretype pkcs12".

 

C:\Users\dtranyee\Documents\A Test Project\20190626 Foreign Exchange Rates test1>

 

20190626 FX Rates forexrates 200 OK.png

 

20190626 FX Rates forexrates 200 OK Raw.png

 

After you add all these 3 certificates, you can start testing in SoapUI and get successful results. Refer to this link on how to setup SoapUI - https://developer.visa.com/pages/working-with-visa-apis/two-way-ssl#testing_twoway_ssl_connectivity_.... Refer to the screenshot above for the successful request payload and its 200 OK results.

 

@boav_rum, after following all these steps in this forum post, can you please confirm that you are getting successful 200 OK results for an API that uses Two-Way SSL?

 


Thanks,
Diana

Helper

Re: Always getting "Expected input credential was not present" error

Hey Diana,

 

Thanks for all your help so far. I have managed to get it working, although I am no longer working in Ionic but native Android. The video provided by Visa also helped a lot. 

 

One last question, the exchange rates being provided by the API seem to be different from the one Visa provides? For example, changing from Russian Ruble to USD. The rates quoted by the API seem to be 0.0165 but the one at the site quotes 0.015994?

 

The site in question: https://usa.visa.com/support/consumer/travel-support/exchange-rate-calculator.html?amount=1&fee=0&ex...

Visa Dev Moderator

Re: Always getting "Expected input credential was not present" error

Hi @boav_rum,                             

 

Foreign Exchange Rates API in Sandbox provides simulated data and not real-time data. Once you move to production you will be able to work with real data. The rate you will get in production will be correct and you can also markup on it before publishing to your customers.

 


Thanks,
Diana