Unable to import chained Verisign Certificate into iChain

  • 7000745
  • 25-Jun-2008
  • 26-Apr-2012

Environment

iChain 2.3
Verisign PKI certificate about to expire.

Situation

The iChain Certificate Management GUI was used to create a new certificate and generate a new CSR. With this CSR, Verisign supplied a new chained certificate to replace the existing certificate that was about to expire. It is usually easier to create a new certificate and point the accelerator to that certificate than to renew an existing certificate.
The iChain documentation supplies instructions on how to install a chained certificate:
15.3.4 Importing a CSR Signed by Intermediates
When these instructions were followed to the point where the certificate was imported, ConsoleOne would close automatically.
The error
GetCertificateInfo - NPKIT_x509DecodeCertificate failed (-1240)
appeared on the iChain Certificate Server console and the certificate failed to import.
 
Examination of the chained certificate from Verisign showed that the intermediate CA certificate expired in 2004.
Verisign said that this was normal and it was a problem with an embedded cached certificate in Windows. However, I could find no certificates with that expiration date within Internet Explorer's cache. Verisign said another intermediate CA could be downloaded from
 
 

Resolution

This issue was resolved by extracting the individual certificates from the chained file supplied by Verisign.
 
Use Internet Explorer to import the chained certificate:
- Open Tools >> Internet Options >> Content >> Certificates.
- Go to the "Other People" panel and export the server certificate as a base 64 encoded X.509 .CER file.
- Go to the "Trusted Root Certification Authorities" panel and export the Verisign CA certificate as a base 64 encoded X.509 .CER file.
You know which one to export by comparing the details within the chained certificate supplied by Verisign. (You can view this with Crypto Shell Extensions.)
You can obtain the intermediate CA from the Verisign link above.
 
Now use the iChain Certificate Management GUI
Copy the Intermediate CA from the Verisign link mentioned above.
Open the certificate used to generate the CSR and paste these three files into the Store Certificate panel. Apply these values and point the accelerator to this new certificate.
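
The same inspection can be scripted instead of done through Internet Explorer. The following is an added example, not part of the original article or the iChain documentation: it splits a chained file into individual certificates, prints the subject, issuer and expiry date of each, and lists any that are expired or close to expiry, which is how an outdated intermediate CA in the chain would show up. It assumes OpenSSL is installed and the chain is a PEM bundle; the sample bundle and its names are constructed.

```shell
#!/usr/bin/env bash
# Added example, not from the original article. Assumes OpenSSL and a PEM bundle;
# a PKCS#7 chain can be converted first with: openssl pkcs7 -print_certs -in chain.p7b -out chain.pem

# Build a constructed two-certificate bundle (self-signed stand-ins, hypothetical names).
make_sample_bundle() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/k1" -out "$d/c1" \
    -days 1 -subj "/CN=Constructed Intermediate CA" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/k2" -out "$d/c2" \
    -days 3650 -subj "/CN=www.example.com" 2>/dev/null
  cat "$d/c1" "$d/c2" > "$1"
}

# split_chain BUNDLE OUTDIR: write each certificate to OUTDIR/cert-N.pem, print the count.
split_chain() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%d.pem", dir, n) }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
    END                           { print n + 0 }
  ' "$1"
}

# report OUTDIR: subject, issuer and expiry date of every extracted certificate.
report() {
  for f in "$1"/cert-*.pem; do
    echo "== $f"
    openssl x509 -in "$f" -noout -subject -issuer -enddate
  done
}

# expiring_certs OUTDIR DAYS: print files whose certificate has expired or expires
# within DAYS days (DAYS=0 lists only certificates that are already expired).
expiring_certs() {
  for f in "$1"/cert-*.pem; do
    if ! openssl x509 -in "$f" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
      echo "$f"
    fi
  done
}

work=$(mktemp -d)
make_sample_bundle "$work/chain.pem"
echo "certificates found: $(split_chain "$work/chain.pem" "$work/out")"
report "$work/out"
echo "expired or expiring within 30 days:"
expiring_certs "$work/out" 30
```

The extracted `cert-N.pem` files are base 64 encoded X.509 certificates, the same encoding the export steps above produce.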