Error 1226 importing server certificate into Access Manager or iManager

  • 3598353
  • 03-Mar-2008
  • 14-Jan-2014

Environment

Novell Access Management 3.1 Access Administration
Novell Access Management 3.1 Linux Novell Identity Server
Novell Access Management 3.1 Linux Access Gateway
Importing server Certificates
Novell eDirectory 8.7.x
Novell eDirectory 8.8.7
NetIQ eDirectory 8.8.8
iManager 2.7.6
iManager 2.7.7

Situation

Importing a certificate into Access Manager returns -1226 0xFFFFFB36 PKI E EXPECTING CERTIFICATE
A new certificate signing request was created in the Access Manager Admin Console -> Certificates tab and sent to the third-party issuer to be signed. The third-party issuer, or certificate authority, created the server certificate and emailed it back to the customer. The issuer will often, but not always, send back the trusted roots required to validate the issuer of the server certificate. In this case, the trusted root was not sent back.

After receiving the signed server certificate, the Access Manager administrator imported this signed certificate using the following procedure:

- Go to the Certificates tab and find the certificate by the name you gave it when you created the certificate signing request. It should show CSR pending.

- Open this certificate, where you have the option to Import Signed Certificate.

At this stage, the customer pointed to the file that contained the signed certificate and applied the change. Doing so resulted in the -1226 error (0xFFFFFB36 PKI E EXPECTING CERTIFICATE).

In this scenario the trusted root information was not included, resulting in an error.

This error is not specific to Access Manager. It can also be seen when importing a third-party certificate into iManager for any application requiring a certificate.

Resolution

There are a few options to fix the issue depending on what the issuer has sent with the signed certificate.

You can ask the issuer for a chained certificate. The chained certificate is usually in PKCS #7 Certificates (.P7B) format. If the certificate is in .der or .cer format, the certificate has not been chained.

If the certificate issuer included the trusted root and/or intermediate certificate(s) in separate file(s), you can specify those during the import by clicking on the + character for Add trusted root or Add intermediate certificate. The order is important when importing certs to be chained. First import the trusted root, then the intermediate certificate if the issuer has an intermediate certificate, and finally the certificate issued to you by the provider. In some cases multiple intermediate certificates are required. Import each intermediate certificate in order. Contact the certificate provider if you have any questions regarding the trusted root and intermediate certs.

If the trusted root information was not included, you can either contact the issuer or check their website to obtain the trusted root and/or intermediate certificate(s), and then chain the certs by importing them into Access Manager or iManager.

Most certificate providers will chain the certificate for you. Ask the provider if they can send you the chained certificate to eliminate any issues with the chaining of the certificate. It is possible to receive an incorrectly chained certificate from the provider, but that is very rare.

Another option is to import the signed certificate into a browser such as Internet Explorer (which has the trusted roots from all major CAs already imported into the cert store). Many CAs have their root certificates already installed in Internet Explorer, so it could be that the missing trusted root and/or intermediate certificate(s) are present within Internet Explorer.

To use this option:

  1. Open Internet Explorer.
  2. Go to Tools -> Internet Options -> Content tab -> Certificates button.
  3. You should see the certificate you imported under the "Other People" tab. Double-click it to open it and check the Certification Path.
  4. If the Certification Path shows "This certificate is OK", you have the full certificate chain. Close the certificate details, highlight the certificate and select the Export button.
  5. Click Next to begin the wizard, then select "Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B)" as the format and CHECK (YES Include) "Include all certificates in the certification path if possible". Select Next, give the file name and path, then select Next and Finish. You should get "The export was successful" message.
  6. If the Certification Path shows "The issuer of this certificate could not be found", you are missing the trusted root and/or intermediate certificate(s) within Internet Explorer as well. You will have to contact the issuer to obtain the needed trusted root and/or intermediate certificate(s).
  7. Use this P7B file containing the certificate and the full certificate chain to import into Access Manager or iManager.
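
The chain check from steps 3 to 6 and the root, intermediate, server certificate chaining described earlier can also be done with the OpenSSL command line before importing. This is an added example, not part of the original article or any Novell/NetIQ tooling; the function names, file names and the constructed three-certificate test chain are assumptions.

```shell
#!/bin/sh
# Added example: pre-import chain check. Needs the OpenSSL CLI (1.1.0 or later).
# Function and file names are assumptions, not Novell/NetIQ tooling.

# chain_ok ROOT LEAF [INTERMEDIATES]: succeeds only if LEAF chains to ROOT
# using nothing but the supplied PEM files (system trust store ignored).
chain_ok() {
    root=$1; leaf=$2; inter=${3:-}
    set -- -no-CAfile -no-CApath -CAfile "$root"
    [ -n "$inter" ] && set -- "$@" -untrusted "$inter"
    openssl verify "$@" "$leaf" >/dev/null 2>&1
}

# make_p7b OUT CERT...: bundle PEM certificates into one DER-encoded PKCS #7 file.
make_p7b() {
    out=$1; shift
    tmp=$(mktemp) || return 1
    cat "$@" > "$tmp" &&
        openssl crl2pkcs7 -nocrl -certfile "$tmp" -outform DER -out "$out"
    rc=$?; rm -f "$tmp"; return "$rc"
}

# p7b_count FILE: number of certificates inside a DER-encoded PKCS #7 bundle.
p7b_count() {
    openssl pkcs7 -inform DER -in "$1" -print_certs | grep -c 'BEGIN CERTIFICATE'
}

# make_sample_chain DIR: constructed throwaway root -> intermediate -> leaf chain.
make_sample_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for n in root inter leaf; do
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example $n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Direct use: sh chaincheck.sh root.pem server.pem [intermediates.pem]
if [ "$#" -ge 2 ]; then
    if chain_ok "$@"; then echo "chain complete"
    else echo "chain incomplete: trusted root or intermediate missing"; fi
fi
```

A certificate that fails `chain_ok` without the intermediate file but passes with it is in the same state as one showing "The issuer of this certificate could not be found" in the Certification Path.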