Cannot store certificate signed by external CA in iChain, certificate status is "CSR in Progress"

  • 7000246
  • 29-Apr-2008
  • 26-Apr-2012

Environment

iChain 2.3

Situation

A Certificate Signing Request (CSR) is created in the iChain Administration GUI Certificate Maintenance section and signed by a third-party issuer such as Verisign, Thawte, etc. The external certificate authority (CA) sends the server certificate, but it does not include the trusted roots required to validate the issuer of the server certificate. Attempts to import the server certificate fail and the certificate status remains "CSR in Progress."

Resolution

The trusted root and intermediate certificates are needed to validate the signed certificate. Often these will be sent by the issuer in separate files or made available on the issuer's website. If the trusted root or intermediate certificates are not readily available, try importing the certificate into Internet Explorer (IE), which has the trusted roots from all major CAs, then export the needed certificates from the Certification Path that Internet Explorer uses to verify the certificate.

To export the trusted root and intermediate certificates from IE's certificate store and import the certificates in the iChain Administration GUI, follow these instructions:

NOTE: This procedure only works when Internet Explorer contains the trusted root certificate of the issuer of the certificate.
  1. In Internet Explorer, click Tools > Internet Options > Content > Certificates.

  2. Click Import and import the server certificate into the Other People tab.

  3. Click Other People, then double-click on the certificate.

  4. Click on the Certification Path tab.

    If the Certification Path shows that the certificate is OK, the full certificate chain is available for export. Continue with Step 5.

    If the Certification Path is not OK, this method will not work; contact the issuer for the certificate chain.

    If the Certification Path includes more than one intermediate certificate, this method will help to acquire the necessary certificates, but the entire certificate chain must then be imported by following the instructions in the iChain product documentation, Section 15.3.4, "Importing a CSR Signed by Intermediates."

  5. Select the top certificate shown in the path (the trusted root certificate) and click View Certificate.

  6. A new window will open for the selected certificate. Under the Details tab, click Copy to File > Next, and save the certificate as a Base-64 encoded file.

  7. If the Certification Path for the server certificate also includes an intermediate certificate, select it and click View Certificate, then export it as described in step 6.

  8. Once all required certificates in the chain are exported to separate Base-64 encoded files, they are ready to be stored in the iChain Admin GUI. In the Admin GUI, go to Home -> Certificate Maintenance.

  9. Select the previously created CSR from the list and click Store Certificate.

  10. Using a text editor like Windows Notepad, open the certificate files created in steps 5 and 6. If the files were exported correctly in step 6, they should look similar to the following:

    -----BEGIN CERTIFICATE-----
    MIIC2DCCAkGgAwIBAgIDCE43MA0GCSqGSIb3DQEBBQUAME4xCzAJBgNVBAYTAlVT
    MRAwDgYDVQQKEwdFcXVpZmF4MS0wKwYDVQQLEyRFcXVpZmF4IFNlY3VyZSBDZXJ0
    aWZpY2F0ZSBBdXRob3JpdHkwHhcNMDcxMTEzMTcxNTIwWhcNMDgxMjEzMTcxNTIw
    WjBjMQswCQYDVQQGEwJVUzENMAsGA1UECBMEVXRhaDEOMAwGA1UEBxMFUHJvdm8x
    FTATBgNVBAoTDE5vdmVsbCwgSW5jLjEeMBwGA1UEAxQVKi5pbm5lcndlYi5ub3Zl
    CCsGAQUFBwMCMA0GCSqGSIb3DQEBBQUAA4GBAJp/X8BRkJvIdO+syslL8K9iVL9/
    1u9WZScnl7ZmBHOMnE6ENr938ZcbwnItcodWWKe7zfN4roKbZSkjxyPW+5AUWooN
    3mIMrJGBWOo5pe87ChwqdSFcaZCJdeYO/6w19A8YiFIg8sJTRkdhfSI4lmTkzOcy
    bafmrssuyfKEcVcM
    -----END CERTIFICATE-----

  11. Copy the entire contents of the certificate files, including "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" tags, and paste them into the appropriate fields in the Store Certificates window:

    Paste the trusted root certificate in the CA Certificate Contents field.

    Paste the server certificate in the Server Certificate Contents field.

    If the Certification Path includes an intermediate certificate, check the Include Intermediate Certificate box and paste the intermediate certificate in the Intermediate Certificate Contents field.

    If the Certification Path includes more than one intermediate certificate, the iChain product documentation provides instructions for importing the entire certificate chain in Section 15.3.4, Importing a CSR Signed by Intermediates.

  12. After pasting the certificates in the appropriate fields, the Create button will become available. Click Create, then Apply.
The Certificate status should now be "active."
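
The check in step 10 (that each exported file really is Base-64 text with intact BEGIN/END tags) can be done programmatically before pasting in step 11. The following Python is an added example, not part of the original article or of iChain; the function names and the constructed sample (a DER header followed by zero bytes, not a real certificate) are assumptions made for illustration.

```python
import base64
import binascii
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def der_declared_length(der):
    """Total bytes (header + body) claimed by the outer DER SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if der[1] < 0x80:                     # short form: one length byte
        return 2 + der[1]
    n = der[1] & 0x7F                     # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_export(data):
    """Classify the raw bytes of one exported certificate file."""
    if data[:2] == b"\x30\x82":
        return "der-binary"               # exported as DER instead of Base-64
    blocks = PEM_RE.findall(data.decode("ascii", errors="replace"))
    if not blocks:
        return "no-pem-tags"              # BEGIN/END tags missing or damaged
    if len(blocks) > 1:
        return "multiple-certificates"    # each field takes exactly one certificate
    try:
        der = base64.b64decode("".join(blocks[0].split()), validate=True)
        declared = der_declared_length(der)
    except (binascii.Error, ValueError):
        return "corrupt"
    # A line lost during copy/paste leaves valid Base-64 that is too short.
    return "ok" if declared == len(der) else "truncated"

def constructed_sample():
    """Constructed stand-in, NOT a real certificate: DER header + 300 zero bytes."""
    der = b"\x30\x82\x01\x2c" + bytes(300)
    lines = base64.encodebytes(der).decode().split()
    pem = "\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                     "-----END CERTIFICATE-----"])
    return der, pem.encode()

if __name__ == "__main__":
    der, pem = constructed_sample()
    rows = pem.split(b"\n")
    clipped = b"\n".join(rows[:3] + rows[4:])   # one Base-64 line dropped
    for name, blob in [("base64", pem), ("der", der), ("clipped", clipped)]:
        print(name, "->", check_export(blob))
```

This only checks the encoding and completeness of each file; it does not verify signatures or that the certificates chain to one another.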