Unable to import chained Verisign Certificate into iChain

  • 7000745
  • 25-Jun-2008
  • 26-Apr-2012

Environment

iChain 2.3
Verisign PKI certificate about to expire.

Situation

The iChain Certificate Management GUI was used to create a new certificate and generate a new CSR. With this CSR, Verisign supplied a new chained certificate to replace the existing certificate that was about to expire. It is usually easier to create a new certificate and point the accelerator to that certificate than to renew an existing certificate.
The iChain documentation supplies intructions on how to install a chained certificate.
15.3.4 Importing a CSR Signed by Intermediates
Following these intsructions to the point the certificate was imported, ConsoleOne would close automatically.
The error
GetCertificateInfo - NPKIT_x509DecodeCertificate failed (-1240)
appeared on the iChain Certificate Server console and the certificate failed to import
 
Examination of the chained certificate from Verisign showed that the intermediate CA certificate expired in 2004.
Verisign said that this was normal and it was a problem with an embedded cached certificate in Windows. However I could find no certificates with that expiration date within Intenert Explorer's cache. Verisign said another intermediate CA could be downloaded from
 
 

Resolution

This issue was resolved by extracting the individual certificates from the chained file supplied by Verisign.
 
Use Internet Explorer to import the chained certificate
-Open Tools >> Internet Options >> Content >> Certificates
Then go to the "Other People" panel and export the server certificate as a base 64 encoded X.509 .CER file.
Then go to the "Trusted Root Certification Authorities" panel and export the Verisign CA certificate as a base 64 encoded X.509 .CER file
You know which one to export by comparing the details within the chained certificate supplied by Verisign. (you can view this with Crypto Shell Extensions)
You can obtain the intermediate CA from the Verisign link above.
 
Now use the iChain Certificate Management GUI
Copy the the Intermediate CA from the Verisign link mentioned above.
Open the certificate used to generate the CSR and paste these three files into the Store Certificate panel. Apply these values and point the accelerator to this new certificate.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.