Troubleshooting
Problem
This issue can be seen in a number of ways. For example, a client (browser) warns of an expired certificate for a valid CA certificate when using the embedded Web server in IBM WebSphere Application Server.
Symptom
The warning will appear as the following in Internet Explorer:
"The security certificate has expired or is not yet valid."
"Unable to verify the identity of - as a trusted site."
Cause
IBMJSSE2 sends only one certificate in its chain, the leaf (end entity) certificate. The client receives only this certificate and hence checks whether it trusts the issuer (for example, OU=www.symantec.com/CPS Incorp.....) and then checks for the corresponding certificate in the browser truststore. If the certificate is expired, or does not exist, the browser will throw a warning message.
The private key at the server end is actually associated only with the first certificate in the chain which is how it is issued by the CA. IBMJSSE2 will send only those certificates which are explicitly associated with the private key. It will not add or extend the chain further.
There are two options:
- Import the intermediate and root certificate into the client browser so that the single certificate issued is trusted. This would require all clients accessing the Web application to update their truststore.
- Import a complete chain of certificates associated with the private key so that IBMJSSE2 will also send the complete chain to the client end.
Resolving The Problem
To send the complete chain (option 2 above) perform the following steps once your certificate is received from the CA.
This example will use a certificate from Symantec.
- Download the valid intermediate certificate from Symantec. The link to this should be included in the email which contained the certificate that was sent to you from Symantec.
https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&id=AR1736
- Install the intermediate certificate in your Internet Explorer browser.
- Confirm that the Certification Path is now okay by opening your certificate (the one that was sent to you by Symantec) in Windows®.
- Install this certificate in your Internet Explorer browser.
- Choose Install Certificate. This will open the Certificate Export Wizard.
- Select Next > Next > Finish (leave all defaults).
- Open Internet Explorer, go to Tools > Internet Options > Content > Certificates > Other People. You should see your certificate installed here.
- Export this certificate as a full chain.
- Choose Certificate > Export. This will open the Certificate Export Wizard.
- Click Next.
- Choose Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B).
- Select the checkbox Include all certificates in the certification path if possible.
- Click Next.
- Enter a filename (mycert.p7b) and click Next, then Finish.
- Move your new P7B certificate to the system where your WebSphere Application Server installation is located.
- Open your keystore from iKeyman and receive the original certificate that was sent to you by Symantec as you normally would. Note the name of the certificate as it is displayed under your Personal Certificates - this will be the alias_name in the next step. Close iKeyman.
- Use keytool to import the P7B certificate into your keystore.
  - WebSphere Application Server V6.1, V7.0, V8.0 and V8.5:
    $WAS_HOME\java\jre\bin>keytool -import -trustcacerts -alias <alias_name> -file <path_to_p7b> -storetype pkcs12 -keystore <path_to_keystore> -storepass <keystore_password>
    You should get a message similar to the following: "Certificate reply was installed in keystore".
  - WebSphere Application Server V6.0:
    $WAS_HOME\java\jre\bin>keytool -import -trustcacerts -alias <alias_name> -file <path_to_p7b> -keystore <path_to_keystore> -storepass <keystore_password>
    You should get a message similar to the following: "Certificate reply was installed in keystore".
- Use keytool to confirm that the full chain is installed in your keystore.
    $WAS_HOME\java\jre\bin>keytool -list -v -storetype pkcs12 -keystore <path_to_keystore> -storepass <keystore_password> > keytool.out
    Note: For version 6.0, remove the -storetype pkcs12.
  - Open keytool.out in an editor.
  - Search for your alias_name.
  - You should see Certificate chain length: 3 in this section just below the alias.
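The final check (chain length and validity under the alias) can be automated against keytool.out. The Python script below is an added example, not IBM's code: it assumes the standard "Alias name / Owner / Issuer / Valid from ... until ..." layout of keytool -list -v output and runs on a constructed sample rather than a real keystore. Beyond the chain length, it also confirms what a length of 3 alone does not: that each certificate's Issuer matches the next certificate's Owner, that the chain ends at a self-signed root, and that no certificate in the chain is expired at the time of the check.

```python
from datetime import datetime, timezone
# Constructed excerpt of `keytool -list -v` output (placeholder names, not a real keystore).
SAMPLE_KEYTOOL_OUT = """\
Alias name: default
Certificate chain length: 3
Owner: CN=www.example.com, O=Example Corp, C=US
Issuer: CN=Example Intermediate CA, O=Example CA, C=US
Valid from: Fri Jun 15 00:00:00 UTC 2018 until: Sat Jun 15 00:00:00 UTC 2019
Owner: CN=Example Intermediate CA, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US
Valid from: Mon Jan 01 00:00:00 UTC 2018 until: Thu Jan 01 00:00:00 UTC 2026
Owner: CN=Example Root CA, O=Example CA, C=US
Issuer: CN=Example Root CA, O=Example CA, C=US
Valid from: Sun Jan 01 00:00:00 UTC 2006 until: Wed Jan 01 00:00:00 UTC 2031
"""
DATE_FMT = "%a %b %d %H:%M:%S %Z %Y"  # Java Date.toString(), as keytool prints validity dates

def parse_entries(text):
    """Map each alias to the certificates keytool lists under it, in chain order (leaf first)."""
    entries, chain, cert = {}, [], {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Alias name:"):
            chain = entries.setdefault(line.split(":", 1)[1].strip(), [])
        elif line.startswith("Owner:"):
            cert = {"owner": line.split(":", 1)[1].strip()}
            chain.append(cert)
        elif line.startswith("Issuer:"):
            cert["issuer"] = line.split(":", 1)[1].strip()
        elif line.startswith("Valid from:"):
            start, end = line[len("Valid from: "):].split(" until: ")
            cert["not_before"], cert["not_after"] = (
                datetime.strptime(s, DATE_FMT).replace(tzinfo=timezone.utc) for s in (start, end))
    return entries

def check_chain(text, alias, now_iso):
    """Return problems with the alias's chain at UTC time now_iso; [] means the chain is usable."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    chain = parse_entries(text)[alias]  # KeyError if the alias is not in keytool.out
    problems = []
    if len(chain) == 1:
        problems.append("chain length is 1: IBMJSSE2 will send only the leaf certificate")
    elif chain[-1]["owner"] != chain[-1]["issuer"]:
        problems.append("chain does not end at a self-signed root: the root certificate is missing")
    for i, cert in enumerate(chain):
        if not cert["not_before"] <= now <= cert["not_after"]:
            problems.append(f"certificate {i + 1} ({cert['owner']}) is expired or not yet valid")
        if i + 1 < len(chain) and cert["issuer"] != chain[i + 1]["owner"]:
            problems.append(f"certificate {i + 1} issuer does not match certificate {i + 2} owner")
    return problems
```

Run it as check_chain(open("keytool.out").read(), "<alias_name>", "2018-07-01") against your own output; an empty list means the chain the server will send is complete and valid on that date.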
Document Information
Modified date: 15 June 2018
UID: swg21231482