Use the following sections to resolve issues created when a full certificate chain is not imported into Access Manager:
The Access Manager Certificate Authority requires that all certificate key pairs in .pfx format contain the complete certificate chain. If a key pair was created with multiple CAs and the exported certificate does not contain the complete certificate chain, the file cannot be imported into Access Manager. When you try to import such a certificate, the following error message is displayed:
“Error importing certificate key pair: Error: Error: -1403
When exporting the certificate key pair, make sure you include all the certificates in the certification path.
To ensure that your certificate contains all the intermediate certificates and contains them in the right order, import the certificate into Internet Explorer or Firefox.
For Internet Explorer 7, click > > > > > .
For Firefox 2, click > > > > > > .
Make sure the browser contains the public key for all the intermediate CAs. Then select the certificate and export the certificate in .pfx format. In Internet Explorer, you must select to include all the certificates in the chain. In Firefox, all the certificates in the chain are automatically included.
If you receive an error when importing the certificate, the error comes from either NICI or PKI. For a description of these error codes, see Novell® Certificate Server™ Error Codes and Novell International Cryptographic Infrastructure
Access Manager allows you to automatically import the trusted root under the following conditions:
When enabling SSL communication between the Access Gateway and the Web server, you can automatically import the root CA from the Web server.
When setting up the user stores for the Identity Server and adding the server replicas, you can automatically import the root CA of the LDAP server.
If there are multiple certificates in the chain, sometimes the server does not send all the certificates in the chain. When this happens, the following message is displayed:
The root CA certificate was not returned by the server. It might be necessary to manually import the root CA certificate and possible intermediate CA certificates in order to complete the chain.
To correct this problem, you need to manually import the missing entries. The easiest method to obtain all the certificates in the chain, including the root CA, is to import the server certificate into Internet Explorer, then export the chain and import it into Access Manager. If Access Manager already has some of the certificates, it skips their import and imports only the missing certificates.
For instructions on this process, see Section B.1.3, Using Internet Explorer to Add a Trusted Root Chain.
The following procedure only works when Internet Explorer contains the trusted root certificate of the issuer of your certificate.
In Internet Explorer, click > > > .
Click and import your server certificate into the tab.
Click , then double-click your certificate.
Click .
If the shows that the certificate is OK, you now have the full certificate chain available for export. Click , then continue with Step 5.
If the is not OK, you cannot use this method. Click , then contact your issuer for the certificate chain.
Select the certificate, then click > .
Select as the format and select to include the certificate chain.
Click , then specify a filename and path for the file.
Click > .
Use this P7B file to import your server certificate into Access Manager.