Error: -1227 importing a third party certificate.

  • 3884938
  • 31-Jan-2008
  • 26-Apr-2012

Environment

Novell NetWare 6.5
Novell NetWare 6.0
Novell NetWare 5.1
Novell Certificate Server

Situation

Error: -1227 importing a third party certificate.
Error: "Failed to store the public key certificate into the object (name) returned error code -1227."
Cannot import VeriSign or third party certificates.
Error: "603 Attribute not found"
-1227 Broken chain - stored certificates may be bad (or missing)
-1227 0xFFFFFB35 PKI_E_BROKEN_CHAIN
Search: 1227 -1,227 -1227

Resolution

Source
Novell Certificate Server

Explanation
The certificate chain being stored in a Server Certificate object is invalid.
The certificate being stored in a Server Certificate object cannot be validated using the certificate chain that is being stored in the Server Certificate object or that has already been stored in the Server Certificate object.
The certificate chain stored in a Server Certificate object is invalid or corrupted
Possible Cause
When the Certificate was exported, it does not contain the full Certificate chain.
Possible Solution
1. If the certificate is in a .der or .cer file, double-click it and install it into Internet Explorer. If it arrived in a reply e-mail between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- tags, open Notepad, paste the certificate from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE----- (including the begin and end lines) into the file and save it as cert.der. Then double-click cert.der and install it into Internet Explorer.
2. Open Internet Explorer, go to Tools, Internet Options, Content tab, Certificates button. You should see the certificate you imported under the Other People tab. Double-click it to open it and check the Certification Path. You should now see the full path with no missing information or errors. If there are errors or missing information, try it on another workstation. If you cannot find one that lists the full path information, you will likely need to contact the certificate provider to complete the path.
3. If the information in the path is correct, close the certificate details, highlight the certificate and select the Export button. Click Next to begin the wizard, select "Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7B)" as the format and CHECK (Yes, include) "Include all certificates in the certification path if possible", then select Next, give it a file name and path (such as c:\cert), then select Next and Finish. It should reply with "The export was successful".
4. Now use the cert.p7b file to complete the certificate signing as specified in TID 3033173 - How to import a Production VeriSign External Certificate into eDirectory 8.7.3, or whatever process you were trying to follow.
Note: On NetWare, after the import process is complete, you may need to point the service that is to use the certificate (e.g., Apache) to the newly imported KMO object. If the certificate is to be used by the HTTPSTK stack for NRM, you will need to change the load line in the autoexec.ncf file to point to this object.
Notes:
- You may get an error on import that says there is a difference in the subject line; this can be ignored.
- After importing the certificate it may not validate properly (in ConsoleOne). This is typically due to ConsoleOne's inability to resolve the full external certificate path properly. The certificate may still work just fine; try it anyway and it should work.
Please note: all new enhancements and bug fixes are being placed in iManager. Should you experience errors during this process, please download the latest version of iManager, either server-based or client-based, update the certificate plugins and try again.
- For subject-change issues by vendors, please refer to TIDs 3033173 and 3305590.
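The -1227 broken-chain condition reduces to one property of the bundle being imported: each certificate must be issued by the next one, and the bundle must end at the self-signed trusted root, which is what the export procedure above ("Include all certificates in the certification path") and the trusted-root request under Additional Information are both meant to guarantee. The following Python script is an added example, not part of this TID or of Novell Certificate Server; it checks a PEM bundle for exactly that using only the standard library, and the certificates it runs on are constructed minimal stand-ins (no keys or signatures), not real ones.

```python
import base64
def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                     # long-form length, as real certificates use
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _children(seq):
    out, pos = [], 0
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        out.append((tag, val))
    return out

def names(der):
    """Return (issuer, subject) as raw DER Name bytes of one X.509 certificate."""
    tbs = _children(_children(_tlv(der, 0)[1])[0][1])  # Certificate -> tbsCertificate
    if tbs[0][0] == 0xA0:             # optional [0] EXPLICIT version (v2/v3)
        tbs = tbs[1:]
    return tbs[2][1], tbs[4][1]       # serial, signature, ISSUER, validity, SUBJECT

def pem_certs(text):
    blocks = [p.split("-----END CERTIFICATE-----")[0] for p in text.split("-----BEGIN CERTIFICATE-----")[1:]]
    return [base64.b64decode("".join(b.split())) for b in blocks]

def chain_problems(text):
    """Leaf-first walk: each cert must be issued by the next and the last must be self-issued (the trusted root)."""
    certs = [names(c) for c in pem_certs(text)]
    if not certs:
        return ["no certificates found"]
    problems = [f"certificate {i} is not issued by certificate {i + 1}"
                for i in range(len(certs) - 1) if certs[i][0] != certs[i + 1][1]]
    if certs[-1][0] != certs[-1][1]:
        problems.append("chain does not end at a self-issued trusted root")
    return problems

def _der(tag, payload):               # short-form lengths only (payloads < 128 bytes)
    return bytes([tag, len(payload)]) + payload
def fake_cert(subject, issuer):
    """Constructed stand-in shaped like a v1 tbsCertificate (no key/signature); not a real cert."""
    name = lambda s: _der(0x30, _der(0x13, s.encode()))
    tbs = _der(0x30, _der(0x02, b"\x01") + _der(0x30, b"") + name(issuer) + _der(0x30, b"") + name(subject))
    b64 = base64.b64encode(_der(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
# Constructed samples: server cert -> intermediate -> self-signed root, and the same bundle with the root missing.
FULL_CHAIN = fake_cert("www.example", "Inter CA") + fake_cert("Inter CA", "Root CA") + fake_cert("Root CA", "Root CA")
MISSING_ROOT = fake_cert("www.example", "Inter CA") + fake_cert("Inter CA", "Root CA")
```

On a real bundle (for example the .p7b converted to PEM), an empty list from chain_problems means the full path is present; the "trusted root" message is the case that produces -1227.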
Possible Cause
-1227 Broken Chain - The "Server Certificate Chain" is the same as an "Intermediate Certificate Authority". If you are installing a VeriSign certificate, you can obtain an Intermediate Certificate from VeriSign at the following link: http://www.verisign.com/support/install2/intermediate.html
Action
Contact VeriSign for a different trusted root. VeriSign may say to export the Trusted Root from a browser, but in many cases this trusted root will not work.

Possible Cause
The certificate was generated by an external Certificate Authority. When the server certificate was imported, the option to import a trusted root certificate was skipped.
Action
Perform the following operations:
Contact the Certificate Authority that issued the server certificate to obtain the Certificate Authority's certificate.
Using ConsoleOne*, view the Server Certificate object. Click Import.
Import the Certificate Authority's certificate as the trusted root.
Import the server's certificate as the object certificate.

Possible Cause
The certificate was generated by an external Certificate Authority. When the server certificate was imported, the server certificate was imported before the trusted root certificate.
Action
Perform the following operations:
Using ConsoleOne, view the Server Certificate object. Click Import.
Import the Certificate Authority's certificate as the trusted root.
Import the server's certificate as the object certificate.

Possible Cause
The certificate obtained from the Certificate Authority is invalid.
Action
Contact the Certificate Authority.

Possible Cause
An error occurred during the creation of the server certificate.
Action
Delete the Server Certificate object and retry the operation.

Possible Cause
The Server Certificate object has been corrupted.
Action
Complete one or more of the following solutions in the order listed until the error is resolved:
Restore the NDS* partition that the corrupted Server Certificate object resides in from backup.
Delete the Server Certificate object and create a new one.

Possible Cause
An internal error occurred.
Action
Complete one or more of the following solutions in the order listed until the error is resolved:
Exit and restart ConsoleOne.
Unload and reload PKI.NLM.
Upgrade to the latest version of Novell Certificate Server. See Upgrading the Version of Novell Certificate Server.

* Novell trademark. ** Third-party trademark. For more information, see Trademarks.

Additional Information

The Trusted Root and the CSR are invalid or incompatible with each other. Most likely the proper Trusted Root is not being used (see note below).
When a customer sends a CSR to VeriSign, they need to specifically request that the trusted root be included with the certificate. Then, when importing the certificate, select the import without trusted root option. During the install the trusted root will be detected and used to help install the certificate.

Formerly known as TID# 10055757