SSL - "Server certificate rejected by ChainVerifier" error

[Rajeev Alagarsamy]

I am getting "Server certificate rejected by ChainVerifier" while accessing a thru SOAP Request reply activity, can any one help me in resolving this issue

[Manoj Chaurasia]

Thanks for the info Akhil.

 

I got a new link from the service provider to download the Root CA , when i clicked the link i got into a page which contained the info like ----- BEGIN CERTIFICATE----- XXXXXXXX ----- END CERTIFICATE ----- . I jus save that content as .cer file and then converted that to PEM file in Certificate >> Details >> Copy file from the cert itself . And then i impoted that file into Designer using Tools > Trusted Certificate option.

 

Also i added the property ' java.property.TIBCO_SECURITY_VENDOR=j2se ' in designer.tra , when i tested the change i got a different issue saying

 

caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: com.tibco.security.AXSecurityException: CA certificate with issuer CN=VeriSign Class 3 International Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa ©10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US and serial number 1AB4 FFA5 0778 762B 17C6 2FCF 1475 16A7 is not a trusted certificate

 

we are not using the serial number said in the exception, can you please help me out to find this

[Manoj Chaurasia]

1. For a chain of certificates, there have to be more than one ---BEGIN CERTIFICATE--- in the same .cer file.

 

2. If it is a different serial number it means it is not the one depoloyed on the server side.

[Manoj Chaurasia]

Hi All!I am a bit confused here. I am also having an SSL connection issue. I am using SoapRequestReply activity to connect to webservice. I have placed the certificate (.cer)which partner provided us in cerificate folder and I am using BW_GLOBAL_TRUSTED_CA_STORE. Why do I have to import the cerificate using Tools=>Trusted Certificates in designer, or is this step must

Getting following error:

An IOException was thrown while trying to execute the Http method

at com.tibco.plugin.share.http.client.JakartaHttpTransportDriver$RequestExecutor.r un(JakartaHttpTransportDriver.java:238)

at com.tibco.pe.util.ThreadPool$ThreadPoolThread.run(ThreadPool.java:99)

caused by: java.io.IOException: Failed to create secure client socket: Server certificate rejected by ChainVerifier

When I used portecle and check for the chains, I am not seeing any chains there, only one page is displayed. Can someone pls tell me what's the issue

 

Thanks,

....AshishPlease refer the attached screenshot: [cert.bmp]

[Manoj Chaurasia]

In this case the certificate is not a single certificate, it is a chain of certificates upto the root certificate.

You need to get that chain of certificates.

One way to do that is to export the certificate using any browser like IE or Firefox. But that sometimes does get the complete chain.

One good way is to use a tool called portecle. Install this tool and run it. Then follow these steps to get the correct certficate with chain.

1. Go to Examine menu, select Exmaine SSL/TLS connection.

2. Enter the server or host name. Press Ok.

3. It will show one page for each certificate in that chian.

4. Click on the PEM encoding, and copy the content in a file.

5. Click on next page to get next certificate in chain, and append the PEM encoding in the same file.

6. After all certificate's PEM encoding are appended, save the file with a .cer or .crt extension.

 

This will gibe you a valid chian of certifcate file.

 

Thanks. Hope this help. The prgram is attached.

[saddam shaikh]

I was also gettingsame error"caused by: java.io.IOException: Failed to create secure client socket: Server certificate rejected by ChainVerifier". In my case ,one of the certificate in certificate chain was expired.After updating certificate issue was resolved.Download updated certificates from browser or ask vendor to provide certificate.