ISE Certificate Chain Not Trusted By WLAN Clients

Similar Messages

• Renewed my subca now I get A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider

  Hello
  My subca certificate was about to expire so I renewed it with the same key and since then my wireless will not connect. I get the following error from NPS:
  Network Policy Server denied access to a user.
  Contact the Network Policy Server administrator for more information.
  User:
  Security ID:
  AD\4411CB8CD34A2AA$
  Account Name:
  host/4411CB8CD34A2AA.ad.***.org
  Account Domain:
  AD
  Fully Qualified Account Name:
  AD\4411CB8CD34A2AA$
  Client Machine:
  Security ID:
  NULL SID
  Account Name:
  Fully Qualified Account Name:
  OS-Version:
  Called Station Identifier:
  f4-1f-c2-e6-0e-40:***-private
  Calling Station Identifier:
  e0-06-e6-c2-96-b7
  NAS:
  NAS IPv4 Address:
  10.0.2.85
  NAS IPv6 Address:
  NAS Identifier:
  DOM-WLC1
  NAS Port-Type:
  Wireless - IEEE 802.11
  NAS Port:
  13
  RADIUS Client:
  Client Friendly Name:
  NPS Proxy 1
  Client IP Address:
  10.0.2.12
  Authentication Details:
  Connection Request Policy Name:
  Wireless Clients
  Network Policy Name:
  Wireless Clients
  Authentication Provider:
  Windows
  Authentication Server:
  DOM-DC1.ad.****.org
  Authentication Type:
  EAP
  EAP Type:
  Microsoft: Smart Card or other certificate
  Account Session Identifier:
  Logging Results:
  Accounting information was written to the local log file.
  Reason Code:
  295
  Reason:
  A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
  How do i make the policy provider trust this new certificate that was created? When i renewed the certificate everything looks good on the subca and root ca. The new certificate is not in the nps servers so i tried manually importing it and that still did
  not work. I noticed when i open the wireless network policy properties under constraints and open the Microsoft: Smart Card or other certificate eap type the new certificate is not in there. Any suggestions? Thank you!

  can you copy client certificate to NPS server and run the following command against this certificate:
  certutil -verify -urlfetch path\clientcert.cer
  and show us the output.
  Vadims Podāns, aka PowerShell CryptoGuy
  My weblog: en-us.sysadmins.lv
  PowerShell PKI Module: pspki.codeplex.com
  PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
  Check out new: SSL Certificate Verifier
  Check out new:
  PowerShell File Checksum Integrity Verifier tool.

• W2012R2 - A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.

  Hi all.
  I have stanalone offline RootCA, and enterprise domain SubCA on DC on Windows 2012 server. I have Windows 2003 Terminal Server, users logon to TS via smart cards - and this work fine.
  Now I added Windows server 2012 as "Terminal Server".
  Now I added Windows server 2012 R2 as "Terminal Server".
  I configured both servers identically.
  Users can logon via smart card to Windows Server 2012.
  Users CAN NOT logon via smart card to Windows Server 2012 R2.
   When user trying to logon via smart card, they have information:
  "An untrusted cartification authority was detected while processing the domain controller certificate used for authentication. Additional information..."
  I run a certutil.exe -scinfo on both Windows 2012/2012R2 servers.
  I found differences in the (~) same place in the output log.
  On Windows 2012:
  Exclude leaf cert:
     b4 44 8f fb fb b4 5f 03 39 76 dc cc e8 da 02 e0 d0 cc b6 32
   Full chain:
     c8 3d 07 12 ea 4d 0e 5a 8c 50 fc 56 2e 51 f1 68 6a 26 90 77
  Verified Issuance Policies: None
  Verified Application Policies:
       1.3.6.1.5.5.7.3.2 Client Authentication
       1.3.6.1.4.1.311.20.2.2 Smart Card Logon
   On Windows 2012 R2:
   Exclude leaf cert:
     78 7e 6c 60 3f 20 c6 f6 e8 74 c8 36 e3 d3 88 ac 12 60 41 32
   Full chain:
     b8 a9 fa 6c db 07 cd 32 86 17 8c 88 02 ba d0 4b 8c ac 2d 58
     Issuer: CN=XXX CA, OU=Certification Services, O=XX, C=XX
     NotBefore: 2013-11-22 12:42
     NotAfter: 2014-11-22 12:42
     Subject: CN=XX Test, OU=XX, OU=UXX, DC=XX, DC=com
     Serial: 7a0084f
     SubjectAltName: Other Name:Principal Name=XX@XX
     Template: Smartcard Logon Behalf 2048
     1d 2a bb dc 2a 9c 70 0d b5 35 47 44 ee 61 60 ab 71 97 66 ff
   A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478)
  I run a certutil -verify xx.cer on both Servers 2012/2012R2 and on both servers have the ~exact same thing.
  Windows 2012:
  Exclude leaf cert:
     f6 0e 96 da c7 08 9a 78 12 97 a6 b6 22 df 57 9d e7 03 41 df
   Full chain:
     f0 fb 19 66 e8 6c 4f ea b4 d5 ea 6d 5e 38 54 07 b0 9f 52 96
  Verified Issuance Policies: None
  Verified Application Policies:
       1.3.6.1.4.1.311.20.2.2 Smart Card Logon
       1.3.6.1.5.5.7.3.2 Client Authentication
  Leaf certificate revocation check passed
  Windows 2012 R2:
  Exclude leaf cert:
     84 18 5b 9d 06 61 60 73 c6 37 80 f4 25 33 c4 d3 5e ef 4a 93
   Full chain:
     63 8e 9e 37 78 c9 93 bb 4d da f4 e3 4b 7e 2b 14 49 28 0f 5d
  Verified Issuance Policies: None
  Verified Application Policies:
       1.3.6.1.4.1.311.20.2.2 Smart Card Logon
       1.3.6.1.5.5.7.3.2 Client Authentication
  Leaf certificate revocation check passed
  Whether Windows 2012R2 is not trying to build a certificate path, treating smart card logon certificate as (Sub)CA certificate?
  Previous and probably wrong idea:
  The only thing that comes to my mind is my SubCA.
  I have two CA Certyficates:
  Certyficate #0 (expired)
  Certyficate #1 <- valid.
  I guess that all Windows before Windows 2012 R2 build certyficafion chain from valid (second #1) certyficate. Windows 2012 R2 take first and we have:
  "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
  [ value]  800B0112 "
  This is a bug or feature?
  How I can fix this without removal Certificate #0 from my SubCA?
  Best regards
  Jacek Marek
  MCSA Windows Server 2012

  Hi,
  Glad to hear that the issue is solved!
  Thank you very much for your sharing!
  Please feel free to let us know if you encounter any issues in the future.
  Best Regards,
  Amy

• A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.

  Hi all.
  I have stanalone offline RootCA, and enterprise domain SubCA on DC on Windows 2012 server. I have Windows 2003 Terminal Server, users logon to TS via smart cards - and this work fine.
  Now I added Windows server 2012 as "Terminal Server".
  Now I added Windows server 2012 R2 as "Terminal Server".
  I configured both servers identically.
  Users can logon via smart card to Windows Server 2012.
  Users CAN NOT logon via smart card to Windows Server 2012 R2.
  When user trying to logon via smart card, they have information:
  "An untrusted cartification authority was detected while processing the domain controller certificate used for authentication. Additional information..."
  The only thing that comes to my mind is my SubCA.
  I have two CA Certyficates:
  Certyficate #0 (expired)
  Certyficate #1 <- valid.
  I guess that all Windows before Windows 2012 R2 build certyficafion chain from valid (second #1) certyficate. Windows 2012 R2 take first and we have:
  "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider.
     [ value]  800B0112 "
  This is a bug or feature?
  How I can fix this without removal Certificate #0 from my SubCA?
  Best regards
  Jacek Marek
  MCSA Windows Server 2012

  Hi,
  I run a certutil.exe -scinfo on both Windows 2012/2012R2 servers.
  I found differences in the (~) same place in the output log.
  On Windows 2012:
  Exclude leaf cert:
    b4 44 8f fb fb b4 5f 03 39 76 dc cc e8 da 02 e0 d0 cc b6 32
  Full chain:
    c8 3d 07 12 ea 4d 0e 5a 8c 50 fc 56 2e 51 f1 68 6a 26 90 77
  Verified Issuance Policies: None
  Verified Application Policies:
      1.3.6.1.5.5.7.3.2 Client Authentication
      1.3.6.1.4.1.311.20.2.2 Smart Card Logon
  On Windows 2012 R2:
   Exclude leaf cert:
    78 7e 6c 60 3f 20 c6 f6 e8 74 c8 36 e3 d3 88 ac 12 60 41 32
  Full chain:
    b8 a9 fa 6c db 07 cd 32 86 17 8c 88 02 ba d0 4b 8c ac 2d 58
    Issuer: CN=XXX CA, OU=Certification Services, O=XX, C=XX
    NotBefore: 2013-11-22 12:42
    NotAfter: 2014-11-22 12:42
    Subject: CN=XX Test, OU=XX, OU=UXX, DC=XX, DC=com
    Serial: 7a0084f
    SubjectAltName: Other Name:Principal Name=XX@XX
    Template: Smartcard Logon Behalf 2048
    1d 2a bb dc 2a 9c 70 0d b5 35 47 44 ee 61 60 ab 71 97 66 ff
  A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478)
  I run a certutil -verify xx.cer on both Servers 2012/2012R2 and on both servers have the ~exact same thing.
  Windows 2012:
  Exclude leaf cert:
    f6 0e 96 da c7 08 9a 78 12 97 a6 b6 22 df 57 9d e7 03 41 df
  Full chain:
    f0 fb 19 66 e8 6c 4f ea b4 d5 ea 6d 5e 38 54 07 b0 9f 52 96
  Verified Issuance Policies: None
  Verified Application Policies:
      1.3.6.1.4.1.311.20.2.2 Smart Card Logon
      1.3.6.1.5.5.7.3.2 Client Authentication
  Leaf certificate revocation check passed
  Windows 2012 R2:
  Exclude leaf cert:
    84 18 5b 9d 06 61 60 73 c6 37 80 f4 25 33 c4 d3 5e ef 4a 93
  Full chain:
    63 8e 9e 37 78 c9 93 bb 4d da f4 e3 4b 7e 2b 14 49 28 0f 5d
  Verified Issuance Policies: None
  Verified Application Policies:
      1.3.6.1.4.1.311.20.2.2 Smart Card Logon
      1.3.6.1.5.5.7.3.2 Client Authentication
  Leaf certificate revocation check passed
  Any idea, or I must open case with Microsoft support?
  Best regards
  Jacek Marek
  MCSA Windows Server 2012

• "The certificate is not trusted because no issuer chain was provided" error in all browsers for all websites.

  As it says, Chrome, Firefox, and Internet Explorer all give the certificate error message for any and every website attempted - including the Firefox add-ons page. The specific error is the "no issuer chain was provided".
  1) This problem is not on my computer - it is on my mother's computer in another city. Therefore, I cannot attempt every little possibility without flying over there - I'm looking for things I can tell her to do over the phone. The problem started today. I've already given her the list of anti-malware programs to go install and run from here:
  https://support.mozilla.org/en-US/questions/982393
  Note that, of course, she will have to accept the security certificate override to get to these things - I hope this isn't bad.
  2) The problem started after she tried to use Skype, it hung for a very long time and would never log on. So she tried to reinstall it - and she said she clicked through a number of agreement screens and believes she may have installed malicious 3rd party software. This is ridiculous, is Skype now putting malware on people's computers through these bogus 3rd party add-ons at installation? I suppose it is possible Skype was hanging because of some other problem - but she did manage to reinstall Skype and got it to work (but now her internet certificates won't).
  3) She has BitDefender. I am aware that it says here:
  https://support.mozilla.org/en-US/kb/connection-untrusted-error-message
  that she should turn off SSL scanning. She turned it off, it did not solve the problem. She turned it off and restarted, it did not solve the problem. She has had it on for the past 6 months and it has never caused a problem.
  4) In addition, BitDefender reported today that it stopped a malicious program called MySearchDial.exe from attempting something it shouldn't. We went through this removal guide:
  http://malwaretips.com/blogs/start-mysearchdial-removal/
  however, the software MySearchDial was never actually installed into the windows install list, and we did not find any addons/plugins in any of the browser lists (note that Firefox add-ons cannot be accessed with a certificate error, it gives the error message but DOES NOT give you the option to add an exception so you can't access the add-ons). The only thing we found was (a) MySearchDial was default in the IE search engine list, despite there being no add-on, and (b) MySearchDial.exe was in the temp folder (now deleted). I note that I had BitDefender scan the temp folder *before* I deleted MySearchDial.exe, and it claimed no threats were found. What? It was BitDefender that warned me of it in the first place!
  5) Time and date are correct.
  6) Checked the Win 7 install log, only Skype, Skype Click-to-Call, and (for some reason) Mircosoft Visual Studio 2010 and Visual C++ were installed or altered today. I got paranoid about Click-to-call and asked her to uninstall it, but it didn't solve the problem.
  7) The OS is Win7 64bit Home.
  Anything beyond endless Malware removal programs (via list linked above) that we should try?

  The only way to know what is going on is to retrieve the certificate and check who is the issuer.<br />
  It is always possible that the server doesn't send the full certificate chain (intermediate certificates), so it might help to post a link to this website
  Check the date and time in the clock on your computer: (double) click the clock icon on the Windows Taskbar.
  Check out why the site is untrusted and click "Technical Details to expand this section.<br>If the certificate is not trusted because no issuer chain was provided (sec_error_unknown_issuer) then see if you can install this intermediate certificate from another source.
  You can retrieve the certificate and check details like who issued certificates and expiration dates of certificates.
  *Click the link at the bottom of the error page: "I Understand the Risks"
  Let Firefox retrieve the certificate: "Add Exception" -> "Get Certificate".
  *Click the "View..." button and inspect the certificate and check who is the issuer of the certificate.
  You can see more Details like intermediate certificates that are used in the Details pane.
  If "I Understand the Risks" is missing then this page may be opened in an (i)frame and in that case try the right-click context menu and use "This Frame: Open Frame in New Tab".
  *Note that some firewalls monitor (secure) connections and that programs like Sendori or FiddlerRoot can intercept connections and send their own certificate instead of the website's certificate.
  *Note that it is not recommended to add a permanent exception in cases like this, so only use it to inspect the certificate.

• Firefox4: every add-on/extension gives the same error: "Secure Connection Failed - The certificate is not trusted because no issuer chain was provided".

  These are all certs from static.addons.mozilla.net. Even if I add a security exception it does not help
  '''Secure Connection Failed
  static.addons.mozilla.net:443 uses an invalid security certificate
  The certificate is not trusted because no issuer chain was provided
  (Error code: sec_error_unknown_issuer)
  This could be an error with the servers configuration,...
  If you have connected ...'''

  Do you have something like BrowserSafe, Browser Safeguard, or Safeguard installed on your machine?
  If so, get rid of it.

• The certificate is not trusted because no issuer chain was provided

  There is an archived thread with this question however in the many replies there isn't an explanation as to why this error is thrown on some systems and not on others and only on FireFox and not on Safari, Chrome, IE, FireFox (on Mac). Not on all Windows systems this error shows up but it shows in some window systems and in all the Linux systems that I have tried. So, is this a problem on the server or is it a FireFox problem?

  You can get this certificate is not trusted error if server doesn't send a required intermediate certificate.
  Firefox automatically stores intermediate certificates that servers send in the Certificate Manager for future usage.
  If a server doesn't send a full certificate chain then you won't get an untrusted error when Firefox has stored missing intermediate certificates from visiting a server in the past that has send it, but you do get an untrusted error if this intermediate certificate isn't stored yet.
  You can inspect the certificate chain via a site like this:
  *http://www.networking4all.com/en/support/tools/site+check/

• The certificate is not trusted because no issuer chain was provided - firefox only

  Hi,
  I'm trying to get my website:
  https://mgmt.pixafix.com/
  and I'm getting the following error:
  This Connection is Untrusted
  mgmt.pixafix.com uses an invalid security certificate.
  The certificate is not trusted because no issuer chain was provided.
  (Error code: sec_error_unknown_issuer)
  This is my website, and I've installed the certificate 2 month ago. I didn't check it using Firefox until now.
  Firefox enter all other HTTPS website. All other browser entering my https domain with no warning.
  Tested on 2 different machines:
  Ubuntu - Firefox not working, Chrome - working fine (without any warning)
  Mac - Firefox not working, Safari - working fine (without any warning)
  I've tried the solutions described here:
  https://support.mozilla.org/en-US/kb/connection-untrusted-error-message#w_the-certificate-is-not-trusted-because-the-issuer-certificate-is-unknown
  And unable to use this solution because no firewall installed:
  https://support.mozilla.org/en-US/kb/secure-connection-failed-error-message#w_the-certificate-is-not-trusted-because-no-issuer-chain-was-provided
  Thanks in advance for any help,
  Ziv

  Thanks sahilnmmt but it not helping.
  I'm downloaded the EssentialSSLCA certificate and import it into firefox using:
  Advanced > View certificate > Authorities > import
  Didn't check any checkbox there.
  Restarted my Firefox, and still getting the same message.

• Site name) uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)

  I am working with Firefox 35.0 I get the security certificate error message of site name) uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer).
  This happens on each page that I go to. I can pull the page up with no problem with Explorer. Please Help. I don't have any security software that would be stopping or scanning SSL.

  Check the date and time and time zone in the clock on your computer: (double) click the clock icon on the Windows Taskbar.
  Check out why the site is untrusted and click "Technical Details" to expand this section.
  If the certificate is not trusted because no issuer chain was provided (sec_error_unknown_issuer) then see if you can install this intermediate certificate from another source.
  You can retrieve the certificate and check details like who issued certificates and expiration dates of certificates.
  *Click the link at the bottom of the error page: "I Understand the Risks"
  Let Firefox retrieve the certificate: "Add Exception" -> "Get Certificate".
  *Click the "View..." button and inspect the certificate and check who is the <b>issuer of the certificate</b>.
  You can see more Details like intermediate certificates that are used in the Details pane.
  If <b>"I Understand the Risks"</b> is missing then this page may be opened in an (i)frame and in that case try the right-click context menu and use "This Frame: Open Frame in New Tab".
  *Note that some firewalls monitor (secure) connections and that programs like Sendori or FiddlerRoot can intercept connections and send their own certificate instead of the website's certificate.
  *Note that it is not recommended to add a permanent exception in cases like this, so only use it to inspect the certificate.

• Getting error "The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)"

  I am using site "https://www.ultimatix.net" for learning purpose. This site directs to another site for web based learning, which is "icalmscontent.ultimatix.net". It is giving error "icalmscontent.ultimatix.net uses an invalid security certificate.
  The certificate is not trusted because no issuer chain was provided.
  (Error code: sec_error_unknown_issuer)",
  and there is no button to add exception. Please help.

  hello nitin2joy, the "add exception"-button is not accessible on framed pages for security purposes (to avoid phishing/impersonating by malicious sites).
  in case the page you're trying to access is embedded in an iframe, right-click the error page, click on "this frame" > "show only this frame" and hopefully you can add an exception in the next step. this should only be necessary once if you choose to permanently store the exception.

• Cannot complete the certificate chain: No trusted cert found

  Hi:
  I am currently working on a application that makes a web service call to a third party service provider. I am using weblogic 10 application server and session bean makes a call to the gateway class which in turn initiates a web service call using SSL layer. I get the following error when gateway class is trying to make a SSL connection with the third party server. I have set the keystore to be custom and java standard and both Identity key store and turst key store points to C:\bea10\jdk160_05\jre\lib\security\cacerts key store. The interesting thing is when I tried with different other URLs www.bankofamerica.com and www.freshdirect.com
  I get the same error. I am not sure why certificate validation fails even if it is a trusted CA and I would believe java keystore should contain all valid Certificate authorities such as verisign, Secure Trust etc. The third party certificate is issued by secure trust CA which in turn issued by Entrust.net
  Can someone shed me somelight whats going on here? I also took a look at thread Re: SSL issues tried to import the server certificates into java keystore. but nothing worked out. Appreciate your help.
  Sep 16, 2009 6:18:17 PM weblogic.diagnostics.debug.DebugLogger debug
  FINE: Cannot complete the certificate chain: No trusted cert found
  Sep 16, 2009 6:18:17 PM weblogic.diagnostics.debug.DebugLogger debug
  FINE: Validating certificate 0 in the chain: Serial number: 805312903
  Issuer:C=US, O=SecureTrust Corporation, CN=SecureTrust CA
  Subject:C=CA, ST=Ontario, L=Toronto, O=Givex Corp., CN=*.givex.com
  Not Valid Before:Wed Nov 21 09:56:03 EST 2007
  Not Valid After:Sat Nov 20 09:56:03 EST 2010
  Signature Algorithm:SHA1withRSA
  Sep 16, 2009 6:18:17 PM weblogic.diagnostics.debug.DebugLogger debug
  FINE: Validating certificate 1 in the chain: Serial number: 1116160170
  Issuer:C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Secure Server Certification Authority
  Subject:C=US, O=SecureTrust Corporation, CN=SecureTrust CA
  Not Valid Before:Sun Oct 01 01:00:00 EDT 2006
  Not Valid After:Tue Nov 26 13:25:48 EST 2013
  Signature Algorithm:SHA1withRSA
  Sep 16, 2009 6:18:17 PM weblogic.diagnostics.debug.DebugLogger debug
  FINE: NEW ALERT with Severity: FATAL, Type: 42
  java.lang.Exception: New alert stack
       at com.certicom.tls.record.alert.Alert.<init>(Unknown Source)
       at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
       at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
       at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
       at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
       at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
       at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
       at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
       at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
       at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
       at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
       at com.certicom.tls.record.WriteHandler.write(Unknown Source)
       at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)
       at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
       at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
       at weblogic.webservice.binding.soap.HttpClientBinding.writeToStream(HttpClientBinding.java:436)
       at weblogic.webservice.binding.soap.HttpClientBinding.send(HttpClientBinding.java:224)
       at weblogic.webservice.core.handler.ClientHandler.handleRequest(ClientHandler.java:38)
       at weblogic.webservice.core.HandlerChainImpl.handleRequest(HandlerChainImpl.java:144)
       at weblogic.webservice.core.ClientDispatcher.send(ClientDispatcher.java:235)
       at weblogic.webservice.core.ClientDispatcher.dispatch(ClientDispatcher.java:146)
       at weblogic.webservice.core.DefaultOperation.invoke(DefaultOperation.java:473)
       at weblogic.webservice.core.DefaultOperation.invoke(DefaultOperation.java:459)
       at weblogic.webservice.core.rpc.StubImpl._invoke(StubImpl.java:306)
       at com.freshdirect.client.TransPortType_Stub.getBalance(TransPortType_Stub.java:254)
       at com.freshdirect.payment.ejb.GivexPaymentServiceImpl.getBalance(GivexPaymentServiceImpl.java:59)
       at com.freshdirect.payment.ejb.GivexServerGateway.getBalance(GivexServerGateway.java:211)
       at com.freshdirect.payment.ejb.GivexServerGateway.main(GivexServerGateway.java:388)
  Sep 16, 2009 6:18:17 PM weblogic.diagnostics.debug.DebugLogger debug
  FINE: write ALERT, offset = 0, length = 2
  Sep 16, 2009 6:18:17 PM weblogic.diagnostics.debug.DebugLogger debug
  FINE: close(): 16720915
  Sep 16, 2009 6:18:17 PM weblogic.diagnostics.debug.DebugLogger debug
  FINE: close(): 16720915
  Sep 16, 2009 6:18:17 PM weblogic.diagnostics.debug.DebugLogger debug
  FINE: SSLIOContextTable.removeContext(ctx): 29310343
  Sep 16, 2009 6:18:17 PM weblogic.diagnostics.debug.DebugLogger debug
  FINE: close(): 16720915
  Sep 16, 2009 6:18:17 PM weblogic.diagnostics.debug.DebugLogger debug
  FINE: close(): 16720915
  Sep 16, 2009 6:18:17 PM weblogic.diagnostics.debug.DebugLogger debug
  FINE: SSLIOContextTable.removeContext(ctx): 29310343
  <Sep 16, 2009 6:18:17 PM EDT> <Info> <WebService> <BEA-220048> <A exception was thrown from the client handler sending a JAXM message.>
  <Sep 16, 2009 6:18:17 PM EDT> <Info> <WebService> <BEA-220034> <A stack trace associated with message 220048 follows:
  javax.net.ssl.SSLKeyException: FATAL Alert:BAD_CERTIFICATE - A corrupt or unuseable certificate was received.
       at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireException(Unknown Source)
       at com.certicom.tls.interfaceimpl.TLSConnectionImpl.fireAlertSent(Unknown Source)
       at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
       at com.certicom.tls.record.handshake.HandshakeHandler.fireAlert(Unknown Source)
       at com.certicom.tls.record.handshake.ClientStateReceivedServerHello.handle(Unknown Source)
       at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessage(Unknown Source)
       at com.certicom.tls.record.handshake.HandshakeHandler.handleHandshakeMessages(Unknown Source)
       at com.certicom.tls.record.MessageInterpreter.interpretContent(Unknown Source)
       at com.certicom.tls.record.MessageInterpreter.decryptMessage(Unknown Source)
       at com.certicom.tls.record.ReadHandler.processRecord(Unknown Source)
       at com.certicom.tls.record.ReadHandler.readRecord(Unknown Source)
       at com.certicom.tls.record.ReadHandler.readUntilHandshakeComplete(Unknown Source)
       at com.certicom.tls.interfaceimpl.TLSConnectionImpl.completeHandshake(Unknown Source)
       at com.certicom.tls.record.WriteHandler.write(Unknown Source)
       at com.certicom.io.OutputSSLIOStreamWrapper.write(Unknown Source)
       at java.io.BufferedOutputStream.flushBuffer(BufferedOutputStream.java:65)
       at java.io.BufferedOutputStream.flush(BufferedOutputStream.java:123)
       at weblogic.webservice.binding.soap.HttpClientBinding.writeToStream(HttpClientBinding.java:436)
       at weblogic.webservice.binding.soap.HttpClientBinding.send(HttpClientBinding.java:224)
       at weblogic.webservice.core.handler.ClientHandler.handleRequest(ClientHandler.java:38)
       at weblogic.webservice.core.HandlerChainImpl.handleRequest(HandlerChainImpl.java:144)
       at weblogic.webservice.core.ClientDispatcher.send(ClientDispatcher.java:235)
       at weblogic.webservice.core.ClientDispatcher.dispatch(ClientDispatcher.java:146)
       at weblogic.webservice.core.DefaultOperation.invoke(DefaultOperation.java:473)
       at weblogic.webservice.core.DefaultOperation.invoke(DefaultOperation.java:459)
       at weblogic.webservice.core.rpc.StubImpl._invoke(StubImpl.java:306)
       at com.freshdirect.client.TransPortType_Stub.getBalance(TransPortType_Stub.java:254)
       at com.freshdirect.payment.ejb.GivexPaymentServiceImpl.getBalance(GivexPaymentServiceImpl.java:59)
       at com.freshdirect.payment.ejb.GivexServerGateway.getBalance(GivexServerGateway.java:211)
       at com.freshdirect.payment.ejb.GivexServerGateway.main(GivexServerGateway.java:388)
  >

  I would believe java keystore should contain all valid Certificate authorities such as verisign, Secure Trust etc. The third party certificate is issued by secure trust CA which in turn issued by Entrust.net<You can list the contents of your cacerts file to see if exact matching version of the SecureTrust signer cert is present.
  You can also use a simple java program to test whether you can connect to the 2 servers that your're having issues with:
  import java.net.*;
  import java.io.*;
  public class SSL_Test {
  public static void main(String[] args) throws Exception {
  URL sslURL = new URL("https://someserver.com/someservice.wsdl");
  BufferedReader in = new BufferedReader( new InputStreamReader( sslURL.openStream()));
  String inputLine;
  while ((inputLine = in.readLine()) != null)
  System.out.println(inputLine);
  in.close();
  compile and run with something like:
  javac SSL_Test.java
  # all on one line
  java -D -Dssl.debug=true -Dweblogic.StdoutDebugEnabled=true -Djavax.net.ssl.trustStore=$JAVA_HOME/jre/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=***** -Djavax.net.debug=ssl,handshake SSL_Test
  This just tests whether your truststore can trust the server cert.

• Site Recovery Manager (SRM) v6.0 fails to pair sites - certificate chain not verified

  I have used the default self-signed certificates throughout the vCenter and SRM setup.  When going to pair the vCenters, I get "Server certificate chain not verified".  These are 2 new VCSA 6.0 VMs (embedded PSCs for each) and 2 new Windows 2012 R2 servers to run SRM 6.0.  I can view the Site in each respective vCenter but can't pair them.  Does anyone have suggestions?  We have tried valid SSL certs before on our original 6.0 deployment and continuously run into these certificate chain not valid errors.

  Yes, I always used the FQDN.  This issue was actually the result of having an incorrect vCenter topology.  The error resulted in us spending hours with support all around valid or self-signed certs.  In the end, I had to completely redeploy new VCSA 6.0 appliances and follow the 3rd recommend topology.
  http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2108548
  With this setup, it also links the vCenters and it seems to be much quicker than Linked Mode in previous versions.  I was able to pair the sites in SRM without issue.  FYI, I am using self-signed certs all around at the moment.  SRM is very finicky about trust with SSL certs so I won't try implementing valid SSL certs until I get some working failovers.

• Root certificate is not trusted

  Hi!
  I have installed the internatlly signed certificates according to steps in the Oracle documentation, however, I still ge the error that "This CA Root certificate is not trusted. To enable trust, install this certificate in the Trusted Root Certification Authorities store".
  Below is the error I receive when starting UCM server:
  <27-Dec-2011 13:39:18 o'clock CET> <Notice> <Security> <BEA-090898> <Ignoring th
  e trusted CA certificate "CN=VeriSign Universal Root Certification Authority,OU=
  (c) 2008 VeriSign\, Inc. - For authorized use only,OU=VeriSign Trust Network,O=V
  eriSign\, Inc.,C=US". The loading of the trusted certificate list raised a certi
  ficate parsing exception PKIX: Unsupported OID in the AlgorithmIdentifier object
  : 1.2.840.113549.1.1.11.>
  I get this error when I click on the certificate in the browser. Below are the steps I performed. Can anyone help me understand, perhaps, I import my certificates incorrectly?
  1. I've created a custom keystore using the following command:
  keytool -genkey -alias mykey -keyalg RSA -keysize 2048 -dname “CN=<domain name like test.com etc>, OU=<unite like Customer Support etc>, O=<your organization>, L=<your location>, ST=<state>, C=<country code like US>” -keystore identity.jks
  2. Next, I generated a certificate sign-in request using this command:
  keytool -certreq -alias mykey -file cert.csr -keystore identity.jks
  3. After I received three certificates signed in by our internatl authority, main, intermediate, root. I imported each one of them.
  4. I inserted those one by one into my custom store generated during step1 first. I used the following command for each certificate:
  keytool -import -trustcacerts -keystore mystore.jks -storepass password -alias Root -import -file Trustedcaroot.txt
  5.I also inserted all three into JAVA_HOME cacerts file, located on C:/Program Files/Java/jrockit.../jre/lib/security/cacerts using the same command as in step 4.
  Next, I configured UCM_server 1 KEYSTORE to use Custom Identity and Java Trust. and pointed Custom Identity to my custom keystore file created in step1 and Java Trust to cacerts file updated in step5.
  Despite of all steps above I cannot get the certificates to work. When I look at the certificate, it tells me that "This CA Root certificate is not turested. To enable trust, install this certificate in the Trusted Root Certification Authorities store".
  Edited by: 867498 on 27-Dec-2011 05:45

  I've managed to get rid of the error, however the certificate still does not reflect the trusted chain and doesn't point to the "Root" certificate. Any ideas?

• Firefox 24.0 on OSX gives erroneous "certificate is not trusted" message

  I recently did a "reset" of Firefox (24.0) on my iMac OS x (10.8). Everything appears to be working much better, but I cannot access the Facebook Freecell Project game as Firefox determined "This Connection is Untrusted" I have been going to this game website for a long time and never had a problem before doing the "reset". I can also access the Facebook FreeCell Project game website on both Safari and Chrome without a problem.
  Facebook Freecell Project URL
  https://apps.facebook.com/freecellproject/?fb_source=bookmark_apps&ref=bookmarks&count=0&fb_bmpos=2_0
  Technical Details
  freecellproject.com:45466 uses an invalid security certificate.
  The certificate is not trusted because no issuer chain was provided.
  (Error code: sec_error_unknown_issuer)
  DigiCert and SSLShopper verified the certificate for this website is valid
  Symantic verified the certificate for "apps.facebook.com/freecellproject" is valid

  corel: renaming the secmod.db file and reloading the cert solved the problem as I can now access the Facebook FreeCell Project. Thank you very much

• Simple SSL test: failing with "The certificate is not trusted ..."

  WebLogic 10.3.4 on Win7.
  I created a new domain and enabled SSL,with listen ports 7001 and 7002 for http and https respectively.
  I deployed a trivial webapp whose main page runs in http, but it opens an iframe with https for a different page in the app.
  I loaded the main page, but the iframe fails to load, giving the following error:
  The certificate is not trusted because no issuer chain was provided.
  (Error code: sec_error_unknown_issuer)
  What is the easiest path to get this working?

  Hi David,
  I dont think that the Demo Certificate shall cause the issue.You can enable the SSL debug in weblogic and check what exactly is wrong,while loading the iframe window.
  Error code: sec_error_unknown_issuer
  Moreover,you can try to add the root certificate to your IE browser and check it
  Tools -> Internet options -> content ->Certificates ->
  After your import,You can verify the same by checking it from the list and then verify by accessing it again