Linux Access Gateway Service is no longer able to start after an extended validation certificate was used

  • 7011588
  • 08-Jan-2013
  • 14-Jan-2014


NetIQ Access Management 3.1 SP4
NetIQ Access Management 3.2
NetIQ Admin Console Certificate Management


An extended validation certificate imports without error, but once the configuration is applied the Linux Access Gateway Service is no longer able to start and reports problems with Apache.
The Apache2 logs complain about an invalid certificate.
The /var/log/novell-apache2/error_log file showed the following:
[Tue Jan 8 18:16:31 2012] [error] Init: Unable to read server certificate from file /opt/novell/apache2/certs/cert-<name of cert>.pem
[Tue Jan 8 18:16:31 2012] [error] SSL Library Error: 218529960 error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag
[Tue Jan 8 18:16:31 2012] [error] SSL Library Error: 218595386 error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error


A fix is available in 3.2 SP1 and 3.1 SP5.
As a workaround for the moment, you can do the following:
Export the extended validation certificate from the NAM Admin console and create an Apache server certificate using the Linux openssl utilities:
openssl pkcs12 -in <name of certificate>.pfx -out cert.pem -nodes
Replace the certificate in /opt/novell/apache2/certs/<name of certificate>.pem with this manually created certificate. The Apache2 server should then load without errors and the Access Gateway Service should work as expected.

Additional Information

When the PEM file was created after the certificate import on the Administration Console, it contained an extra blank line that caused the issue to occur.
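
A way to check a certificate file for this condition before restarting the gateway, as an added example (not NetIQ's code). The function name pem_blank_lines is hypothetical, and it assumes the stray blank line sits between a BEGIN and an END line, which the article does not specify.

```shell
#!/bin/sh
# Added example: report blank lines that fall inside a PEM block.
# Usage:   pem_blank_lines FILE
# Returns: 0 = clean, 1 = blank line found (printed with its line number),
#          2 = file unreadable.
pem_blank_lines() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        /^-----BEGIN [^-]+-----$/ {
            inside = 1; hdr = 0
            label = substr($0, 12, length($0) - 16)   # text between the dashes
            next
        }
        /^-----END [^-]+-----$/ { inside = 0; next }
        inside {
            if ($0 ~ /^[A-Za-z0-9-]+: /) {
                hdr = 1                         # header line, e.g. Proc-Type or DEK-Info
            } else if ($0 ~ /^[ \t]*$/) {
                # The one blank line that closes a header section is legal;
                # any other blank line splits the base64 body.
                if (!hdr) {
                    printf "line %d: blank line inside %s\n", NR, label
                    bad = 1
                }
                hdr = 0
            } else {
                hdr = 0                         # base64 body line
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample: placeholder base64, not a real certificate.
sample=$(mktemp)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'QUJDREVGR0g=' '' \
    'SUpLTE1OT1A=' '-----END CERTIFICATE-----' > "$sample"
pem_blank_lines "$sample" || echo "fix or re-export $sample before deploying it"
rm -f "$sample"
```

Blank lines outside the BEGIN/END markers are not reported.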