How to verify whether a certificate chain is valid or not.



Article ID: KB0089169


Products: TIBCO BusinessConnect
Versions: Not Applicable

Description

Description:
In some situations a client needs to find out why a certificate is rejected as invalid.

Symptoms:
The following exception is thrown when trying to upload a certificate into BC (TIBCO BusinessConnect): "Credential Save failed. Error in examining the PKCS7 envelope: java.security.cert.CertificateException: Certificate chain broken: not linked correctly".

Cause:
The certificates in the chain are not linked correctly (each certificate must have been issued, and signed, by the next certificate up the chain) or there is a problem with the issuer certificate.

Issue/Introduction

How to verify whether a certificate chain is valid or not.

Resolution

We will use openssl to verify the certificate chain. The command is "openssl verify certificatename.pem". The certificate must be in PEM format. If the certificate is in P7B format, follow the steps below using Portecle, an open-source certificate management tool available from http://portecle.sourceforge.net.

1). Open the certificate file in Portecle and click the PEM encoding button.

2). Copy the PEM-encoded content into a text file. Repeat for each remaining certificate in the chain, pasting each one directly after the previous one. Put the certificate you want to verify first: openssl verify checks only the first certificate in the file.

3). Rename the file with a .pem extension.

Once the file is ready with the .pem extension, run "openssl verify certificatename.pem" to check the chain. If the file and the chain are good, the response is "certificatename.pem: OK"; otherwise the error is displayed. Be aware that openssl verify only verifies the first certificate in the file and does not use the certificates pasted after it as intermediates; to check a full chain properly, pass the intermediate certificates with the -untrusted option and the root certificate with the -CAfile option. If you get the error "unable to get local issuer certificate" (printed as "error 20 at N depth lookup: unable to get local issuer certificate"), the issuer of the certificate at that depth was not found in the trust store; follow the procedure below.

  a). Make a backup copy of the original cert.pem before changing it.

  b). Execute "openssl version -d". The output shows the OpenSSL configuration directory, for example OPENSSLDIR: "/etc/pki/tls". Navigate to that directory, open cert.pem, and append the PEM content of the certificates in the chain (the issuer certificates) at the end of the file.

  c). Save cert.pem and rerun the verification command, then check the output.

Keep in mind that every certificate in cert.pem is a trusted root for every program on that host that uses the system store, so only append certificates you actually want to trust system-wide, and restore the backup once the check is done. For a one-off check it is safer to point the -CAfile option at a separate file that contains only the issuer certificate.
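The following script is an added example and is not part of this article or of TIBCO BusinessConnect. It builds a throwaway root, intermediate and leaf certificate with openssl and then runs the checks described above against them: the correct full-chain verification with -CAfile and -untrusted, the "unable to get local issuer certificate" error when the intermediate is missing, the pitfall of pasting the leaf and intermediate into one file (only the first certificate is verified), a chain whose issuer name matches but whose signature does not (the "not linked correctly" situation from the Symptoms section), a wrong trust anchor, and finally a P7B to PEM conversion done with openssl instead of Portecle. It assumes a POSIX sh and openssl 1.1.1 or 3.x on PATH; all common names, file names and serial numbers are made up for the example.

```shell
#!/bin/sh
# Added example, not part of the KB article or of TIBCO BusinessConnect.
# Builds a throwaway root -> intermediate -> leaf chain with openssl and
# runs the verification checks from the article against it.
# Assumptions: POSIX sh, openssl 1.1.1 or 3.x on PATH. Every CN, file name
# and serial below is made up; the certificates are constructed test material.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CNF="$WORK/openssl.cnf"

# Minimal config so nothing depends on the system openssl.cnf.
cat > "$CNF" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_leaf ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
EOF

# gen_root STEM CN: self-signed CA certificate (a trust anchor).
gen_root() {
    openssl req -x509 -config "$CNF" -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$2" -days 2 >/dev/null 2>&1
}
# gen_signed STEM CN CA_STEM EXT_SECTION SERIAL: new key + CSR, signed by CA_STEM.
gen_signed() {
    openssl req -new -config "$CNF" -newkey rsa:2048 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" -subj "/CN=$2" >/dev/null 2>&1 &&
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
        -set_serial "$5" -days 2 -extfile "$CNF" -extensions "$4" \
        -out "$WORK/$1.pem" >/dev/null 2>&1
}

gen_root   root  "KB Example Root"
gen_root   other "Unrelated Root"
gen_signed int   "KB Example Intermediate" root v3_ca   1001
gen_signed leaf  "bc.example.test"         int  v3_leaf 2001
# Impostor intermediate: same subject name as "int" but a different key, so the
# leaf's issuer name links to it while the signature does not verify.
gen_signed int2  "KB Example Intermediate" root v3_ca   1002

# Each check prints openssl's output and returns its exit status (0 means "OK").

# Correct form: trust anchor via -CAfile, intermediates via -untrusted.
verify_chain() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int.pem" "$WORK/leaf.pem" 2>&1
}
# Leaf alone: reproduces "error 20 ... unable to get local issuer certificate".
verify_no_intermediate() {
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" 2>&1
}
# Leaf and intermediate pasted into one file, as the Portecle steps produce:
# openssl verify checks only the first certificate and ignores the rest,
# so without -untrusted this fails exactly like the leaf-only case.
verify_concatenated() {
    cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/chain.pem"
    openssl verify -CAfile "$WORK/root.pem" "$WORK/chain.pem" 2>&1
}
# Issuer name matches but the signature does not: the chain is "not linked correctly".
verify_wrong_intermediate() {
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/int2.pem" "$WORK/leaf.pem" 2>&1
}
# Right intermediate, wrong trust anchor: the lookup fails one level higher (depth 1).
verify_wrong_root() {
    openssl verify -CAfile "$WORK/other.pem" -untrusted "$WORK/int.pem" "$WORK/leaf.pem" 2>&1
}
# P7B round trip with openssl instead of Portecle: pack leaf + intermediate into
# a DER PKCS#7 file, extract them back to PEM, print how many came out.
p7b_to_pem() {
    openssl crl2pkcs7 -nocrl -certfile "$WORK/leaf.pem" -certfile "$WORK/int.pem" \
        -outform DER -out "$WORK/chain.p7b" 2>/dev/null &&
    openssl pkcs7 -inform DER -in "$WORK/chain.p7b" -print_certs \
        -out "$WORK/extracted.pem" 2>/dev/null &&
    grep -c "BEGIN CERTIFICATE" "$WORK/extracted.pem"
}

echo "== full chain (-CAfile root, -untrusted intermediate)";  verify_chain
echo "== leaf only, intermediate missing";                      verify_no_intermediate
echo "== leaf+intermediate concatenated in one file";           verify_concatenated
echo "== impostor intermediate (name links, signature fails)";  verify_wrong_intermediate
echo "== wrong trust anchor";                                   verify_wrong_root
echo "== certificates recovered from P7B: $(p7b_to_pem)"
```

The extracted.pem file produced by openssl pkcs7 -print_certs contains a "subject=" and "issuer=" line before each certificate; the PEM loader skips that text, so the file can be passed directly to -untrusted. For a Base64 (PEM) P7B use -inform PEM instead of DER.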