Use the following sections to resolve issues created when a full certificate chain is not imported into Access Manager:
The Access Manager Certificate Authority requires that all certificate key pairs in .pfx format contain the complete certificate chain. If a key pair was created with multiple CAs and the exported certificate does not contain the complete certificate chain, the file cannot be imported into Access Manager. When you try to import such a certificate, the following error message is displayed:
“Error importing certificate key pair: Error: Error: -1403”
When exporting the certificate key pair, make sure you include all the certificates in the certification path.
To ensure that your certificate contains all the intermediate certificates and contains them in the right order, import the certificate into Internet Explorer or Firefox.
For Internet Explorer, click > > > > > .
For Firefox, click > > > > > > .
Make sure the browser contains the public key for all the intermediate CAs. Then select the certificate and export the certificate in .pfx format. In Internet Explorer, you must select to include all the certificates in the chain. In Firefox, all the certificates in the chain are automatically included.
If you receive an error when importing the certificate, the error comes from either NICI or PKI. For a description of these error codes, see Novell Certificate Server Error Codes and Novell International Cryptographic Infrastructure.
When you create a certificate signing request, send it to a third-party issuer to be signed, and receive the server certificate from the third-party issuer, you sometimes receive a -1226 error when you try to import the signed certificate. You receive this error when the issuer does not send back the trusted roots required to validate the issuer of the server certificate.
Use one of the following options to resolve this issue:
If the issuer included the trusted root and any intermediate certificates in a separate file or files, specify these files during the import by clicking the + character that allows you to add a trusted root or an intermediate certificate.
If the issuer did not send you any additional files, you can go to the issuer’s Web site, download them, then specify these files during the import by clicking the + character that allows you to add a trusted root or an intermediate certificate.
You can try importing the certificate into Internet Explorer, which has the trusted roots from all major CAs, then export the certificate with the required chain of trusted roots. See Section 7.1.4, Using Internet Explorer to Add a Trusted Root Chain.
Access Manager allows you to automatically import the trusted root under the following conditions:
When enabling SSL communication between the Access Gateway and the Web server, you can automatically import the root CA from the Web server.
When setting up the user stores for the Identity Server and adding the server replicas, you can automatically import the root CA of the LDAP server.
If there are multiple certificates in the chain, sometimes the server does not send all the certificates in the chain. When this happens, the following message is displayed:
The root CA certificate was not returned by the server. It might be necessary to manually import the root CA certificate and possible intermediate CA certificates in order to complete the chain.
To correct this problem, you need to manually import the missing entries. The easiest method to obtain all the certificates in the chain, including the root CA, is to import the server certificate into Internet Explorer, then export the chain and import it into Access Manager. If Access Manager already has some of the certificates, it skips their import and imports only the missing certificates.
For instructions on this process, see Section 7.1.4, Using Internet Explorer to Add a Trusted Root Chain.
The following procedure works only when Internet Explorer contains the trusted root certificate of the issuer of your certificate.
In Internet Explorer, click > > > .
Click and import your server certificate into the tab.
Click , then double-click your certificate.
Click .
If the shows that the certificate is OK, you now have the full certificate chain available for export. Click , then continue with Step 5.
If the is not OK, you cannot use this method. Click , then contact your issuer for the certificate chain.
Select the certificate, then click > .
Select as the format and select to include the certificate chain.
Click , then specify a filename and path for the file.
Click > .
Use this P7B file to import your server certificate into Access Manager.
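The following script is an added example and is not part of the Access Manager documentation or product. It shows the check a practitioner would run on an exported file before importing it: whether a .pfx actually carries the intermediate and root certificates (the condition behind the -1403 error above) and how many certificates a P7B bundle such as the one exported from Internet Explorer contains. It assumes only the openssl command line tool (1.1.1 or later); the CA names, host name, and export password are constructed for the demonstration, and the root/intermediate/server chain is generated on the fly so the script runs offline.

```shell
#!/bin/sh
# Added example: build a constructed root -> intermediate -> server chain with
# openssl, export one .pfx with the full chain and one with only the server
# certificate, then check each the way an importer would. Nothing here comes
# from Access Manager; all names and the password are constructed.
set -e

WORK=$(mktemp -d)
PFX_PASS=constructed-password   # throwaway export password for the test files

# pfx_chain_complete FILE PASSWORD
# Prints how many CA certificates are bundled in FILE and returns 0 only when
# the server certificate verifies up to a self-signed root that is itself
# inside the file, which is what a complete exported chain looks like.
pfx_chain_complete() {
  pfx=$1; pass=$2
  tmp=$(mktemp -d)
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys \
    -out "$tmp/leaf.pem" 2>/dev/null || { echo "cannot read $pfx"; return 2; }
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -cacerts -nokeys \
    -out "$tmp/cas.pem" 2>/dev/null || true
  n=$(grep -c 'BEGIN CERTIFICATE' "$tmp/cas.pem" 2>/dev/null || true)
  n=${n:-0}
  echo "$pfx: $n CA certificate(s) bundled"
  if [ "$n" -eq 0 ]; then rm -rf "$tmp"; return 1; fi
  # All bundled CA certs act as the trust store; verify succeeds only if the
  # chain from the server certificate reaches a self-signed root among them.
  if openssl verify -CAfile "$tmp/cas.pem" "$tmp/leaf.pem" >/dev/null 2>&1; then
    rm -rf "$tmp"; return 0
  fi
  rm -rf "$tmp"; return 1
}

# p7b_cert_count FILE
# Prints the number of certificates in a PKCS#7 (.p7b) bundle (PEM or DER) and
# lists each subject/issuer on stderr so the chain order can be inspected.
p7b_cert_count() {
  f=$1
  pem=$(openssl pkcs7 -in "$f" -print_certs 2>/dev/null \
        || openssl pkcs7 -inform DER -in "$f" -print_certs 2>/dev/null)
  printf '%s\n' "$pem" | grep -E '^(subject|issuer)=' >&2 || true
  printf '%s\n' "$pem" | grep -c 'BEGIN CERTIFICATE' || true
}

cd "$WORK"
# Extension sets for the constructed CA certificates and the server certificate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' > server.ext

for name in root int server; do
  openssl genrsa -out "$name.key" 2048 2>/dev/null
done
openssl req -new -key root.key -subj "/CN=Constructed Root CA" -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out root.crt 2>/dev/null
openssl req -new -key int.key -subj "/CN=Constructed Intermediate CA" -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -days 30 \
  -extfile ca.ext -out int.crt 2>/dev/null
openssl req -new -key server.key -subj "/CN=www.example.test" -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA int.crt -CAkey int.key -CAcreateserial -days 30 \
  -extfile server.ext -out server.crt 2>/dev/null

cat int.crt root.crt > chain.pem
# Export the way an importer expects it: server key pair plus the whole chain.
openssl pkcs12 -export -in server.crt -inkey server.key -certfile chain.pem \
  -passout "pass:$PFX_PASS" -out full.pfx
# Export that leaves the chain out: the server certificate and key on their own.
openssl pkcs12 -export -in server.crt -inkey server.key \
  -passout "pass:$PFX_PASS" -out leafonly.pfx
# The kind of P7B bundle a browser export produces, here built with openssl.
openssl crl2pkcs7 -nocrl -certfile server.crt -certfile int.crt -certfile root.crt -out chain.p7b

for f in full.pfx leafonly.pfx; do
  if pfx_chain_complete "$WORK/$f" "$PFX_PASS"; then
    echo "  -> chain complete, ready to import"
  else
    echo "  -> chain incomplete, an importer that requires the full chain will reject it"
  fi
done
echo "chain.p7b holds $(p7b_cert_count "$WORK/chain.p7b" 2>/dev/null) certificate(s)"
```

Run it against a real export by calling pfx_chain_complete with the file and its password; the count it prints is the number of CA certificates the exporting browser actually included, and a return code of 1 with zero bundled CA certificates is exactly the case the browser re-export procedure above is meant to fix.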