7.1 Resolving Certificate Import Issues

Use the following sections to resolve issues created when a full certificate chain is not imported in to Access Manager:

7.1.1 Importing an External Certificate Key Pair

The Access Manager Certificate Authority requires that all certificate key pairs in .pfx format contain the complete certificate chain. If a key pair was created with multiple CAs and the exported certificate does not contain the complete certificate chain, the file cannot be imported into Access Manager. When you try to import such a certificate, the following error message is displayed:

"Error importing certificate key pair: Error: Error: -1403

When exporting the certificate key pair, ensure that you include all the certificates in the certification path.

To ensure that your certificate contains all the intermediate certificates and contains them in the right order, import the certificate into Internet Explorer or Firefox.

  • For Internet Explorer, click Tools > Internet Options > Content > Certificates > Personal > Import.

  • For Firefox, click Tools > Options > Advanced > Encryption > View Certificates > Your Certificates > Import.

Make sure the browser contains the public key for all the intermediate CAs. Then select the certificate and export the certificate in .pfx format. In Internet Explorer, you must select to include all the certificates in the chain. In Firefox, all the certificates in the chain are automatically included.

If you receive an error when importing the certificate, the error comes from either NICI or PKI. For a description of these error codes, see Novell Certificate Server Error Codes and Novell International Cryptographic Infrastructure.

7.1.2 Resolving a -1226 PKI Error

When you create a certificate signing request, send it to a third-party issuer to be signed, and receive the server certificate from the third-party issuer. You sometimes receive a -1226 error when you try to import the signed certificate. You receive this error when the issuer does not send the trusted roots required to validate the issuer of the server certificate.

Use one of the following options to resolve this issue:

  • If the issuer included the trusted root and any intermediate certificates in a separate file or files, specify these files during the import by clicking the + character that allows you to add a trusted root or an intermediate certificate.

  • If the issuer did not send you any additional files, you can go to the issuer’s Web site, download them, then specify these files during the import by clicking the + character that allows you to add a trusted root or an intermediate certificate.

  • You can try importing the certificate into Internet Explorer, which has the trusted roots from all major CAs, then export the certificate with the required chain of trusted roots. See Section 7.1.4, Using Internet Explorer to Add a Trusted Root Chain.

7.1.3 When the Full Certificate Chain Is Not Returned During an Automatic Import of the Trusted Root

Access Manager allows you to automatically import the trusted root under the following conditions:

  • When enabling SSL communication between the Access Gateway and the Web server, you can automatically import the root CA from the Web server.

  • When setting up the user stores for the Identity Server and adding the server replicas, you can automatically import the root CA of the LDAP server.

If there are multiple certificates in the chain, sometimes the server does not send all the certificates in the chain. When this happens, the following message is displayed:

The root CA certificate was not returned by the server. It might be necessary
to manually import the root CA certificate and possible intermediate CA
certificates in order to complete the chain.

To correct this problem, you need to manually import the missing entries. The easiest method to obtain all the certificates in the chain, including the root CA, is to import the server certificate into Internet Explorer, then export the chain and import it into Access Manager. If Access Manager already has some of the certificates, it skips their import and imports only the missing certificates.

For instructions on this process, see Section 7.1.4, Using Internet Explorer to Add a Trusted Root Chain.

7.1.4 Using Internet Explorer to Add a Trusted Root Chain

The following procedure works only when Internet Explorer contains the trusted root certificate of the issuer of your certificate.

  1. In Internet Explorer, click Tools > Internet Options > Content > Certificates.

  2. Click Import and import your server certificate into the Other People tab.

  3. Click Other People, then double-click your certificate.

  4. Click Certification Path.

    • If the Certification Path shows that the certificate is OK, you now have the full certificate chain available for export. Click OK, then continue with Step 5.

    • If the Certification Path is not OK, you cannot use this method. Click OK, then contact your issuer for the certificate chain.

  5. Select the certificate, then click Export > Next.

  6. Select Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B) as the format and select Include all certificates in the certification path if possible to include the certificate chain.

  7. Click Next, then specify a filename and path for the file.

  8. Click Next > Finish.

  9. Use this P7B file to import your server certificate into Access Manager.