Importing a certificate into Access Manager returns “-1226 0xFFFFFB36 PKI E EXPECTING CERTIFICATE”
A new certificate signing request was created in the Access Manager Admin Console > Certificates tab and sent over to the 3rd-party issuer to be signed. The 3rd-party issuer, or certificate authority, created the server certificate and e-mailed this server cert back to the customer. The issuer often, but not always, sends back the trusted roots required to validate the issuer of the server certificate. In this case, the trusted root was not sent back.
After receiving the signed server certificate, the Access Manager administrator imported this signed certificate using the following procedure:
– Go into the Certificates tab and find the name of the certificate that you gave at the time you created the certificate signing request. It should show the CSR pending.
– Open up this certificate where you have the option to Import Signed Certificate.
At this stage, the customer pointed to the file that contained the signed certificate and applied the change. Doing so resulted in the -1226 error (0xFFFFFB36 PKI E EXPECTING CERTIFICATE).
In this scenario, the trusted root information was not included with the signed certificate, which resulted in the error.
A couple of options to fix the issue exist, depending on what the issuer has sent with the signed certificate.
If the certificate issuer included the trusted root and/or intermediate certificate(s) in one or more separate files, you can specify those during the import by clicking the + character next to Add trusted root or Add intermediate certificate.
If the trusted root information was not included, you can either contact the issuer or check their website to obtain the trusted root or intermediate certificates.
An easier option would be to import the signed certificate into a browser like Internet Explorer (which has the trusted roots from all major CAs already imported into the cert store). To use this option:
1. Open up Internet Explorer.
2. Go to Tools > Internet Options.
3. On the Content tab, click the Certificates button.
You should see the certificate you imported under the Other People tab.
4. Double-click to open it up and check the Certification Path.
Many CAs have their root certificates already installed in Internet Explorer, so it could be that the missing trusted root or intermediate certificate(s) are present within Internet Explorer.
5. If the Certification Path shows “This certificate is OK,” you have the full certificate chain. In that case, close down the certificate details, highlight the certificate and select the Export button.
6. Click Next to begin the wizard.
7. Select “Cryptographic Message Syntax Standard – PKCS #7 Certificates (.P7B)” as the format and check (enable) “Include all certificates in the certification path if possible.”
8. Click Next and give the file name and path.
9. Click Next and then Finished.
You should get “The export was successful.”
10. Use this P7B file containing the certificate and the full certificate chain to import into Access Manager.
If the Certification Path shows “The issuer of this certificate could not be found,” you are missing the trusted root and/or intermediate certificate(s) within Internet Explorer as well. You will have to contact the issuer to obtain the needed trusted root or intermediate certificates.
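The same completeness check and PKCS #7 bundling can be done with the OpenSSL command line. This is an added example, not part of the original article or of NetIQ's tooling; the file names, the DER encoding of the .p7b and the throwaway test CA are assumptions made so the script runs on its own.

```shell
# Added example. Subjects, file names and the throwaway CA are constructed.
# make_demo_pki DIR: create a test root CA and a server cert signed by it.
make_demo_pki() {
  d=$1
  printf '%s\n' '[req]' 'prompt=no' 'distinguished_name=dn' 'x509_extensions=ca' \
    '[dn]' 'CN=replaced-by-subj' '[ca]' 'basicConstraints=critical,CA:TRUE' > "$d/req.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -config "$d/req.cnf" -days 2 \
    -subj "/CN=Constructed Test Root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
    -subj "/CN=am.example.test" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/root.pem" \
    -CAkey "$d/root.key" -set_serial 2 -days 1 -out "$d/server.pem" 2>/dev/null
}

# make_p7b OUT CERT...: bundle PEM certificates into one DER-encoded .p7b.
make_p7b() {
  out=$1; shift
  # Rewrite "a b" into "-certfile a -certfile b" without breaking on spaces.
  for c in "$@"; do set -- "$@" -certfile "$c"; shift; done
  openssl crl2pkcs7 -nocrl "$@" -outform DER -out "$out"
}

# p7b_cert_count P7B: number of certificates carried in the file.
p7b_cert_count() {
  openssl pkcs7 -inform DER -in "$1" -print_certs | grep -c 'BEGIN CERTIFICATE'
}

# p7b_chain_complete P7B LEAF: succeed only if the certificates inside P7B,
# used as the sole trust set, chain LEAF up to a self-signed root.
p7b_chain_complete() {
  tmp=$(mktemp)
  openssl pkcs7 -inform DER -in "$1" -print_certs -out "$tmp" 2>/dev/null
  openssl verify -no-CApath -CAfile "$tmp" "$2" >/dev/null 2>&1 && rc=0 || rc=1
  rm -f "$tmp"
  return "$rc"
}

demo=$(mktemp -d)
make_demo_pki "$demo"
make_p7b "$demo/leaf-only.p7b" "$demo/server.pem"              # what the CA sent
make_p7b "$demo/full.p7b" "$demo/server.pem" "$demo/root.pem"  # with trusted root
for f in leaf-only full; do
  if p7b_chain_complete "$demo/$f.p7b" "$demo/server.pem"
  then echo "$f.p7b: full chain present"
  else echo "$f.p7b: chain incomplete, trusted root or intermediate missing"
  fi
done
```

The check only shows that the bundle is self-contained up to a self-signed root; whether that root is one you should trust still has to be confirmed with the issuer.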
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.