Environment
Novell Access Management 3.1 Linux Novell Identity Server
Novell Access Management 3.1 Linux Access Gateway
Importing server Certificates
Situation
Resolution
There are a few options to fix the issue depending on what the issuer has sent with the signed certificate.
You can contact the issuer and ask for a chained certificate. A chained certificate is usually delivered in PKCS #7 Certificates (.P7B) format. If the certificate is in .der or .cer format, it has not been chained.
If the certificate issuer included the trusted root and/or intermediate certificate(s) in separate file(s), you can specify those during the import by clicking the + character for Add trusted root or Add intermediate certificate. The order is important when importing certificates to be chained. First import the trusted root, then the intermediate certificate if the issuer has an intermediate certificate, and finally the certificate issued to you by the provider. In some cases multiple intermediate certificates are required. Import each intermediate certificate in order. Contact the certificate provider if you have any questions regarding the trusted root and intermediate certificates.
If the trusted root information was not included, you can either contact the issuer or check their website to obtain the trusted root and/or intermediate certificate(s), and then chain the certificates by importing them into Access Manager or iManager.
Most certificate providers will chain the certificate for you. Ask the provider if they can send you the chained certificate to eliminate any issues with the chaining of the certificate. It is possible to receive an incorrectly chained certificate from the provider, but that is very rare.
Another option is to import the signed certificate into a browser such as Internet Explorer (which has the trusted roots from all major CAs already imported into the cert store). Many CAs have their root certificates already installed in Internet Explorer, so the missing trusted root and/or intermediate certificate(s) may already be present within Internet Explorer.
To use this option:
- Open up Internet Explorer
- Go to Tools -> Internet Options -> Content tab -> Certificates button.
- You should see the certificate you imported under the "Other People" tab. Double click on it to open it up and check the Certification Path.
- If the Certification Path shows "This certificate is OK", you have the full certificate chain. Close the certificate details, highlight the certificate and select the Export button.
- Click Next to begin the wizard, then select "Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B)" as the format and CHECK (YES Include) on "Include all certificates in the certification path if possible". Select Next and give the file name and path, then select Next and Finished. You should get the "The export was successful" message.
- If the Certification Path shows "The issuer of this certificate could not be found", you are missing the trusted root and/or intermediate certificate(s) within Internet Explorer as well. You will have to contact the issuer to obtain the needed trusted root and/or intermediate certificate(s).
- Use this P7B file containing the certificate and the full certificate chain to import into Access Manager or iManager.
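As an added example (not part of the original article and not Novell tooling), the script below checks from the command line that a set of certificate files forms a complete chain in the import order described above (trusted root, intermediates, then the server certificate) and only then bundles them into a .p7b file. It assumes the openssl CLI is installed and the input files are PEM-encoded; the function names and file names are hypothetical, and DER encoding for the bundle is an assumption.

```shell
#!/bin/sh
# Added example, not Novell tooling. Assumes the openssl CLI and PEM input.
subj() { openssl x509 -in "$1" -noout -subject_hash 2>/dev/null; }
iss()  { openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null; }

# check_chain ROOT [INTERMEDIATE...] LEAF  (files in the article's import order)
# Returns 0 = complete chain, 2 = first file is not a self-signed root,
# 3 = a certificate was not issued by the one before it (missing or misplaced
# intermediate), 4 = openssl verify rejected the chain.
check_chain() {
    [ "$#" -ge 2 ] || return 1
    root=$1; shift
    prev=$(subj "$root")
    [ -n "$prev" ] && [ "$prev" = "$(iss "$root")" ] || return 2
    rest=$(mktemp) || return 1
    for c in "$@"; do
        [ "$(iss "$c")" = "$prev" ] || { rm -f "$rest"; return 3; }
        prev=$(subj "$c"); { cat "$c"; echo; } >> "$rest"
    done
    # $c is now the last file (the server certificate): verify signatures too.
    if openssl verify -CAfile "$root" -untrusted "$rest" "$c" >/dev/null 2>&1
    then st=0; else st=4; fi
    rm -f "$rest"; return "$st"
}

# make_p7b OUT ROOT [INTERMEDIATE...] LEAF
# Writes a DER-encoded PKCS #7 bundle, but only for a chain that checks out.
make_p7b() {
    out=$1; shift
    check_chain "$@" || return
    all=$(mktemp) || return 1
    for c in "$@"; do cat "$c"; echo; done > "$all"
    openssl crl2pkcs7 -nocrl -certfile "$all" -outform DER -out "$out"
    st=$?; rm -f "$all"; return "$st"
}

# p7b_count FILE: number of certificates inside a DER .p7b bundle.
p7b_count() {
    openssl pkcs7 -inform DER -in "$1" -print_certs | grep -c 'BEGIN CERTIFICATE'
}

# Usage: sh chain.sh OUT.p7b ROOT.pem [INTERMEDIATE.pem ...] LEAF.pem
if [ "$#" -ge 3 ]; then
    make_p7b "$@" && echo "$1 holds $(p7b_count "$1") certificates"
fi
```

A return code of 3 corresponds to the "The issuer of this certificate could not be found" case: an intermediate or the root still has to be obtained from the issuer.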