Unable to build valid certificate chain

Hi,
I am trying to sign my AIR application using the Code Signing Certificate I got from Apple (iPhone Dev). I have Apple's Root Certificate and my certificate. I installed both and then exported my certificate as pkcs12 (.p12 file) using many methods like Windows Certificate Manager and Firefox. I also used Keychain Access on my Mac. However, when I try to sign, I get the following error:
Unable to build a valid certificate chain for the signer.
Some help would be great. Thanks.

Ok, I am making progress here.
I signed on to a fresh mac with an empty keychain. I imported AppleWWDRCA and then developer_identity. Now it shows that the certificate is valid. Now I deleted the certificate and I imported cert.p12 file that I had made. Now the certificate re-appeared in keychain along with a private key. I had to put a password set by me earlier when I made the p12 file.
The certificate is displayed under my private key. So it means that the p12 file has the private key and the certificate.
Now the only thing is that AIR gives me the error stating that it cannot build a certificate chain, which means there's no Root CA in the p12 file, or WWDRCA for that matter. From what I understand, these 2 certs need to be put inside the p12 file.
On second note, Apple also provides a distribution cert besides the developer cert. But when I try to export the distribution cert, it asks for a password that I don't know (not got one for that). But I still think that I need to use the developer cert and not the distribution cert by Apple.
The question again boils down to putting the Apple Root CA inside the p12 in order for AIR SDK to build the chain.

Similar Messages

  • Adobe Air Apps for OS X: Unable to build a valid certificate chain for the signer. // Code Signing on OS X 10.10 Yosemite

    Hi,
    I created several OS X Apps using Adobe Air. That worked quite well before. Now I have to update my OS X Apps - therefore I also needed to update my certificates. [ I'm using Flash CC 2014 on OS X Yosemite 10.10 ]. But whatever I do it doesn't work anymore. I always get this Message saying:
    Unable to build a valid certificate chain for the signer.
    I googled a lot and the only "guide" I found is this post (from April 2013) about code signing - http://scottgaertner.com/code_signing/
    I'm not used to dealing with this kind of stuff (CA etc.) - so it's quite confusing to me.
    Would anybody please be so kind and tell me what I have to do?
    Is there any instruction from Adobe? (I didn't find one yet) 
    A step by step instruction for absolute dummies would be great!
    Best regards and thank you in advance
    Jan

    Hi Mukesh,
    I installed the Flash CC 2014 update and added some Certificates from Apple to my Keychain. Now EVERYTHING works fine again!! :-)
    Thank you very much for the Update! :-) Good job!
    Best regards
    Jan

  • Error message generating Adobe Air output Unable to build a valid certificate chain for the signer

    error message generating Adobe Air Output: Unable to build a valid certificate chain for the signer.

    Are you talking about AIR Help produced by RoboHelp or an AIR application that you are creating?
    If the latter, please see the notice at http://forums.adobe.com/community/robohelp/airhelp
    If you are using RoboHelp, which version?
    See www.grainge.org for RoboHelp and Authoring tips
    @petergrainge

  • Code signing cert error using Digicert - Unable to build a valid certificate chain for the signer

    Steps to fix this error on code signing adobe air using .p12 cert from Digicert - Unable to build a valid certificate chain for the signer
    a. Open Firefox and browse to https://www.digicert.com/digicert-root-certificates.htm
    b. On the middle of the page, download -
    DigiCert Assured ID Code Signing CA-1
    Valid until: 10/Feb/2026
    Serial #: 07:F4:73:6F:AF:EF:40:8A:1F:66:40:F2:65:D1:0A:C1
    Thumbprint: B170A10819BEA936905D719E643399783E1F4567
    Download
    c. Install the cert in Firefox
    d. Once done, export again the code signing cert from digicert, through (click Firefox -> Preferences -> View Certificates -> Highlight the digicert code signing cert -> click Backup)
    e. Done, the newly exported file should now have the valid certificate chain and that should fix the error "Unable to build a valid certificate chain for the signer"
    Even though this is from Digicert, this should also work for other Certificate Authority providers assuming you download your provider's root cert for code signing.
    Regards,
    Reigner S. Yrastorza

  • Unable to build a valid certificate chain for the signer

    Updating an AIR application after a few years and needed a new signing certificate which I purchased from Comodo.  Imported it successfully into Keychain Access and exported it as a pfx file.  When I identified this certificate to Flash Builder it went all the way through the build process and then came up with the error "Unable to build a valid certificate chain for the signer".
    I can see there was a discussion on this matter in October 2011 but this did not seem to answer my question as that guy was trying to use an Apple Dev Centre key rather than paying for one like I did.
    TIA
    David

    In Keychain Access, command-click your Class 2/3 certificate, the CA's intermediate certificate, and the CA's root certificate before hitting export.
    Short guide: Code Signing Certificates for Adobe Air in OS X

  • Error creating AIR file: Unable to build a valid certificate chain for the signer.

    Hi, My boss got a certificate from Thawte, and I'm getting this error message when building my AIR app.
    Error creating AIR file: Unable to build a valid certificate chain for the signer.
    I'm on windows XP.
    thanks,
    steve

    To manage your code signing certificate, please see
    http://www.adobe.com/devnet/air/articles/signing_air_applications_print.html
    The error you are seeing is typically caused by exporting a cert without the trust chain. On Windows, in IE, you can manage your keystore by going to
    Internet Options > Content > Certificates
    When you export the certificate needed for signing your app, be sure to check “Include all certificates in the certificate path, if possible”.

  • SunPKCS11's keystore requirements (fails to build certificate chain)

    According to http://java.sun.com/javase/6/docs/technotes/guides/security/p11guide.html#KeyStoreRestrictions in order to build a certificate chain, SunPKCS11 performs the following to match certificates:
    From the end entity certificate, a call to C_FindObjectsInit is made with a search template that includes the following attributes:
    CKA_TOKEN = true
    CKA_CLASS = CKO_CERTIFICATE
    CKA_SUBJECT = [DN of certificate issuer]
    This matching fails for an etoken (opensc/pkcs15, key and certs stored with keytool -importkeystore from jks) containing the following objects, where the issuer's DN is CN=VeriSign Class 3 Code Signing 2004 CA, OU=Terms of use at https://www.verisign.com/rpa (c)04, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
    Private RSA Key [Private Key]
    Com. Flags : 3
    Usage : [0x4], sign
    Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
    ModLength : 1024
    Key ref : 16
    Native : yes
    Path : 3f005015
    Auth ID : 01
    ID : 612d736974
    X.509 Certificate [a-sit]
    Flags : 2
    Authority: no
    Path : 3f0050153178
    ID : 612d736974
    X.509 Certificate [Certificate]
    Flags : 2
    Authority: no
    Path : 3f005015313a
    ID : 636e3d766572697369676e20636c617373203320636f6465207369676e696e6720323030342063612c6f753d7465726d73206f66207573652061742068747470733a2f2f7777772e766572697369676e2e636f6d2f7270612028632930342c6f753d766572697369676e207472757374206e6574776f726b2c6f3d76657269
    The end entity certificate is successfully matched to the key:
    Version: V3
    Subject: CN=Zentrum fuer sichere Informationstechnologie - Austria (A-SIT), OU=Digital ID Class 3 - Java Object Signing, O=Zentrum fuer sichere Informationstechnologie - Austria (A-SIT), L=Vienna, ST=Vienna, C=AT
    Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5
    Key: Sun RSA public key, 1024 bits
    modulus: 113647510668539930848910584051009146136267080950854001463338500293556842878352765608061940674763417364058781591049348918719586172693823356224986624474642218762804163195838659801763621964100792207693593891254043592410389875992114868414436934974159621776873147367719845947683002652939166210516092495059090352681
    public exponent: 65537
    Validity: [From: Thu Nov 20 01:00:00 CET 2008,
                   To: Mon Nov 21 00:59:59 CET 2011]
    Issuer: CN=VeriSign Class 3 Code Signing 2004 CA, OU=Terms of use at https://www.verisign.com/rpa (c)04, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
    SerialNumber: [    17e26e45 7f8659ef e6cf3ef5 52fa1224]
    Certificate Extensions: 9
    [1]: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
    AuthorityInfoAccess [
    [accessMethod: 1.3.6.1.5.5.7.48.1
       accessLocation: URIName: http://ocsp.verisign.com, accessMethod: 1.3.6.1.5.5.7.48.2
       accessLocation: URIName: http://CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer]
    [2]: ObjectId: 2.5.29.35 Criticality=false
    AuthorityKeyIdentifier [
    KeyIdentifier [
    0000: 08 F5 51 E8 FB FE 3D 3D 64 36 7C 68 CF 5B 78 A8 ..Q...==d6.h.[x.
    0010: DF B9 C5 37 ...7
    [3]: ObjectId: 1.3.6.1.4.1.311.2.1.27 Criticality=false
    Extension unknown: DER encoded OCTET string =
    0000: 04 08 30 06 01 01 00 01 01 FF ..0.......
    [4]: ObjectId: 2.5.29.32 Criticality=false
    CertificatePolicies [
    [CertificatePolicyId: [2.16.840.1.113733.1.7.23.3]
    [PolicyQualifierInfo: [
      qualifierID: 1.3.6.1.5.5.7.2.1
      qualifier: 0000: 16 1C 68 74 74 70 73 3A   2F 2F 77 77 77 2E 76 65  ..https://www.ve
    0010: 72 69 73 69 67 6E 2E 63   6F 6D 2F 72 70 61        risign.com/rpa
    [5]: ObjectId: 2.16.840.1.113730.1.1 Criticality=false
    NetscapeCertType [
    Object Signing
    [6]: ObjectId: 2.5.29.19 Criticality=false
    BasicConstraints:[
    CA:false
    PathLen: undefined
    [7]: ObjectId: 2.5.29.37 Criticality=false
    ExtendedKeyUsages [
    codeSigning
    [8]: ObjectId: 2.5.29.31 Criticality=false
    CRLDistributionPoints [
    [DistributionPoint:
    [URIName: http://CSC3-2004-crl.verisign.com/CSC3-2004.crl]
    [9]: ObjectId: 2.5.29.15 Criticality=true
    KeyUsage [
    DigitalSignature
    Algorithm: [SHA1withRSA]
    Signature:
    0000: 93 57 89 4A 4E 63 16 29 73 92 F1 D3 C7 B3 3C 87 .W.JNc.)s.....<.
    0010: C9 FB 22 52 DD DD 59 AB 3A 63 E3 65 8E 34 D4 C3 .."R..Y.:c.e.4..
    0020: 4E A0 6D 8E BB 89 DD 97 CE 63 2C 9F 43 CF 1F 55 N.m......c,.C..U
    0030: 39 74 32 5E 75 93 91 57 A3 63 F7 AD F3 5D 6F C7 9t2^u..W.c...]o.
    0040: D7 CB A7 8B 79 43 C6 00 2E C8 AD E1 D5 A7 95 97 ....yC..........
    0050: 21 AD 9E 7E 58 05 A0 80 5D 27 0E FA B6 6E 41 58 !...X...]'...nAX
    0060: 68 34 25 F7 EB CE 17 62 CE 48 A0 32 2B 79 50 14 h4%....b.H.2+yP.
    0070: E0 A0 1E 69 35 66 51 D7 E0 C7 BA BF 6B E4 9A B4 ...i5fQ.....k...
    0080: 22 36 C9 D2 E9 20 4D 10 8F 82 28 CE 3C 2C 8D 3C "6... M...(.<,.<
    0090: 51 73 AA EF 30 01 8A 3C CF A8 4F 25 60 DF 59 95 Qs..0..<..O%`.Y.
    00A0: EC 12 D8 1F 40 8A 13 AD E8 D5 D9 31 8C 3E CE C5 ....@......1.>..
    00B0: 78 C8 C3 BA 33 07 54 78 93 B0 3E 2F 26 C8 83 64 x...3.Tx..>/&..d
    00C0: 78 B8 67 59 A2 7E 74 97 D9 DE 5C D9 E9 CC 83 8D x.gY..t...\.....
    00D0: A3 E4 11 7C E4 03 E2 01 6C EA 11 AB 13 37 A6 7D ........l....7..
    00E0: 12 CE 21 2F 62 5D 15 A1 CB 4D 31 1A CC CE A2 9D ..!/b]...M1.....
    00F0: 3C B2 D2 6C 53 D4 5C 9B B4 D4 72 E8 03 D0 A8 4E <..lS.\...r....N
    ]

    KeyStore ks = KeyStore.getInstance("JKS");                                 // What's that for?
    ks.load(null, null);                                                       // It's empty.
    X509Certificate cert1 = (X509Certificate) cf.generateCertificate(inStream); // So here you have an X509Certificate in 'cert1'.
    ks.setCertificateEntry("root", cert1);                                     // So here you put it into the KeyStore.
    X509Certificate rootCert = (X509Certificate) ks.getCertificate("root");    // And here you get it out again.
    Why? What's the difference between 'rootCert' and 'cert1'?

  • Creating Certificate Chains

    Hi friends,
    Could any one please tell me how I could programatically create a certificate chain?
    Reading through the JDK API docs, I found that there is java.security.cert.CertificateFactory.generateCertPath() and java.security.cert.CertPathBuilder.build() to build the CertPath object.
    I would like to know -
    a. Which among the 2 methods should be used to build a certificate chain?
    b. How do I get the certificate chain into a keystore for me to use it for digital signature?
    All help is most welcome.
    Thanks all.

    There's a lot of Sun documentation besides the API...
    Key Management:
    [http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html#KeyManagement|http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html#KeyManagement]
    Signature:
    [http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html#Signature|http://java.sun.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html#Signature]
    PKI/CertPath stuff:
    [http://java.sun.com/javase/6/docs/technotes/guides/security/certpath/CertPathProgGuide.html|http://java.sun.com/javase/6/docs/technotes/guides/security/certpath/CertPathProgGuide.html]
    Those should help you out.

  • Problem with Java keystore and certificates (unable to find valid cert path

    Our program is made so that when a certificate is not signed by a trusted Certification Authority, it will ask the user if he/she wishes to trust the certificate or not. If they decide to trust the certificate, it will accept the self-signed certificate and import it into the keystore and then use that certificate to log the user in. This works fine. It will import the certificate into the keystore and use the specified IP address to establish a connection with the LDAP server (Active Directory in our case) and authenticate properly. However, the problem arises when we then try to connect to a different IP address (without restarting Tomcat; if we restart Tomcat, it works fine...). It imports the certificate into the keystore fine, but always gives the exception
    "Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target"
    and does not authenticate with our LDAP server (which is Active Directory). The problem seems to be that it is no longer looking at the System.setProperty("javax.net.ssl.trustStore", myTrustStore);
    I have tried multiple times to just reset this property and try and "force" it to read from my specified trust file when this error happens. I have also imported the certificates directly into the <java_home>/jre/lib/security/cacerts and <java_home>/jre/lib/security/jssecacerts directories as the java documentation says that it will look at those directories first to see if it can find a trusted certificate. However, this does not work either. The only way that I can get this to work is by restarting tomcat all together.
    If both of the certificates are already in the keystore before tomcat is started up, everything will work perfect. Again, the only problem is after first connecting to an IP address using TLS and importing the certificate, and then trying to connect to another IP address with a different certificate and import it into the keystore.
    One of the interesting features of this is that after the second IP address has failed, I can change the IP address back to the first one that authenticated successfully and authenticate successfully again (ie
    I use ip 1.1.1.1, import self signed certificate, authenticates successfully
    login with ip 2.2.2.2 import self signed certificate, FAILS
    login again with 1.1.1.1 (doesn't import certificate because it is already in keystore) successfully authenticates
    Also, I am using java 1.5.0_03.
    Any help is greatly appreciated as I've been trying to figure this out for over a week now.
    Thanks

    Please don't post in threads that are long dead and don't hijack other threads. When you have a question, start your own topic. Feel free to provide a link to an old post that may be relevant to your problem.
    I'm locking this thread now.

  • Certificate validation against multiple certificate chain

    Hello everyone,
    I would like to have your opinion on a specific use case of the java.security.cert API.
    I've a set of trusted certificate chains provided in a trusted way by a CA. An example of a chain would be: R->I1->I2, R being a root certificate and I1/I2 being intermediate CAs.
    I receive messages from some untrusted sources. These messages are signed using some end-user certificate, let's call it U. The certificate U is only transmitted along with the message (i.e. it's not available from a trusted source).
    Verifying the validity of the signed message is therefore a two-step process:
    - Check that the signature made by U is valid.
    - Check that a valid certificate path could be built from U (querying a CRL if needed) back to a trusted anchor, such as R->I1->I2->U.
    Now, my question is, how to efficiently achieve the latter one with the java.security.cert API?
    The most straightforward way I've found so far to validate a certificate against a set of certificate chains is to use the CertPathBuilder interface:
    1) I build a CertStore (of type "Collection") with all my trusted certificate chains in it.
    2) I add the received U certificate to the store.
    3) I try to build a certificate path specifying "U" as the target certificate in the search constraints (X509CertSelector).
    If the algorithm finds a valid path, it returns it, and U could possibly be kept in the store for future use.
    If no valid path could be deduced, U is removed from the store, and a corresponding error is returned.
    This sounds like a good way of doing ?
    All suggestions are most welcome,
    Thanks,
    M. H.

    Ok, I think I've found my solution.
    Actually, if you specify a target certificate using the X509CertSelector.setCertificate method, the said certificate doesn't have to be in a CertStore in order to perform the validation:

    import java.security.cert.CertPath;
    import java.security.cert.CertPathBuilder;
    import java.security.cert.CertStore;
    import java.security.cert.CollectionCertStoreParameters;
    import java.security.cert.PKIXBuilderParameters;
    import java.security.cert.PKIXCertPathBuilderResult;
    import java.security.cert.X509CertSelector;

    // 'certCol' (a Collection<X509Certificate>) contains only the trusted
    // certificate chains (R, I1, I2, ...); 'anchors' is the Set<TrustAnchor>
    // built from the root certificate(s); 'userCertificate' is U, received
    // together with the message.
    CertStore store = CertStore.getInstance("Collection",
              new CollectionCertStoreParameters(certCol));
    CertPathBuilder cpb = CertPathBuilder.getInstance("PKIX");
    X509CertSelector targetConstraints = new X509CertSelector();
    targetConstraints.setCertificate(userCertificate);   // U is the target, not a store entry
    PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, targetConstraints);
    params.addCertStore(store);
    /* params.setRevocationEnabled(false); */ // If needed.
    PKIXCertPathBuilderResult result = (PKIXCertPathBuilderResult) cpb.build(params);
    // The returned path runs from U up to (but not including) the trust
    // anchor; the anchor itself is available from result.getTrustAnchor().
    CertPath path = result.getCertPath();

    This is it, on validation, the "path" variable will contain the complete certificate chain including the tested certificate.
    I've still a problem with OCSP validations though, but I'll create a new topic for that...
    Thank you for your time, ejp,
    ++
    Edited by: marc_h on May 14, 2010 5:54 AM

  • How do I control the certificate chain construction performed by Acrobat Reader during digital signature validation?

    I work in the federal government where there are many certificate authorities and cross-certified certificate authorities. Acrobat Reader is building hundreds of certificate chains in attempting to find a trusted root for the signer's certificate. It is taking 4 minutes to validate the signature!
    The image is the 15th screen shot showing three chains per screen shot. The window elevator has barely moved!

    I am now using Adobe Acrobat Reader 11. Signature validation is much better! Perhaps 10 seconds. The only issue I see that the detail pages have misleading messages. The Signature Properties window has no complaints about the signature but the Show Signer's Certificate page still complains about not valid trust anchor.

  • Certificate chain validation

    I got a strange behaviour.
    I created a keystore with a key entry and a chain of 3 certificate:
    mycert -> intermediary CA cert -> root CA cert
    when I validate this chain with utils.ValidateCertChain utility it works:
    > java -cp weblogic.jar utils.ValidateCertChain -jks mykey newkeystore.jks
    Certificate chain appears valid
    But when I exported the 3 certificates (keytool -export) in 3 .pem files, concatenating them
    > cat mycert.pem intca.pem rootca.pem > chain.pem
    and I retry validation
    > java -cp weblogic.jar utils.ValidateCertChain -pem chain.pem
    it doesnt' work:
    Certificate chain is invalid
    How should I concatenate the pem files ?
    Edited by pacionet at 01/23/2008 7:44 AM
    Edited by pacionet at 01/23/2008 7:46 AM

  • Error when invoking webservice on https (unable to find valid certification

    I have a webservice which runs on https..
    When I made a simple test (jsp) page on my local computer all works fine (jdeveloper 10g) ..
    When I deploy the ear file to remote oc4j and run the test page I get the error:
    javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    My test page is just simple jsp page with some system parameters like this:
    ================
    String dir = request.getRealPath("/cert");
    System.getProperties().put("javax.net.ssl.keyStore", dir + "/adriatic.p12");
    System.getProperties().put("javax.net.ssl.keyStorePassword", "as-p4ss");
    System.getProperties().put("javax.net.ssl.keyStoreType", "PKCS12");
    System.getProperties().put("javax.net.ssl.trustStore", dir + "/service.megapos.si.jks");
    System.getProperties().put("javax.net.ssl.trustStorePassword", "megapos");
    System.getProperties().put("javax.net.ssl.trustStoreType", "JKS");
    ================
    why this works on windows and doesn't work on linux?
    All paths to my certificate and truststore are correct.
    On my local pc (windows) there is a Jdeveloper Oc4j version (10.1.2.0.2) and works fine
    On linux there is a oc4j version 10.1.3.4.0 and doesn't work..
    thank you for any help

    Peter,
    Apparently the linux jdk/jre doesn't have the ability to validate the certificate being used.
    I dunno if this might help you? http://www.java-samples.com/showtutorial.php?tutorialid=210
    John

  • I am getting the ssl error when trying to use launchpad on ssl, i can access adminui through ssl with no errors but launchpad says "unable to find valid certification path to requested target"

    Hi, I desperately need help to fix this error. I installed Adobe LCES4 with ssl enabled and I can access the adminui and workspace in the browser, but the problem is when I try connecting to launchpad using https on the server: even doing a simple thing like converting a document to pdf throws the following error.
    any help will be appreciated
    DSC Invocation Resulted in Error: class com.adobe.idp.DocumentError : javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target : javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
    thanks

    We tried adding certificate in trustore.jks file, but it was not successful.
    What error you are getting while importing the certificate?
    Just perform below steps once:
    Download required certificate first
    Run CMD as administrator> move to SUP_HOME\Servers\UnwiredServer\Repository\Security
    Paste this syntax.
    keytool -importcert -alias customerCA -file <certificatefilename>.crt -storepass changeit -keystore truststore.jks -trustcacerts

  • PEM or DER Format certificate chain

    I have installed an ISE 1.2.0.899. It is used for Guest Services only; the customer requires all its employees to be able to access the sponsor portal and validate their credentials using LDAPS. Not LDAP, not the AD feature in ISE. The problem is that in order to enable LDAPS I must upload the root CA certificate to ISE, and the customer is not providing the root CA certificate for security reasons (?); they said the certificate chain should be enough. Even the ISE user guide indicates root CA or certificate chain. So, the customer downloaded the certificate chain from its PKI (Microsoft 2008) and gave it to me, but it is in .p7b (PKCS#7) format (they said there is no choice to select another format). This format is not supported by ISE, so I needed to use third-party tools to convert the file (www.sslshopper.com and openssl). It appears the conversion is successful, but when I try to upload it to the ISE Certificate Store I always get the same error: "Unable to read certificate file - please be sure file is in PEM or DER format".
    So the questions are:
    1. Is the file provided by the PKI always in p7b format?
    2. What should be the most proper way to convert the file to something the ISE can understand?
    3. Would the root CA certificate be the very best option?
    Even with the conversion problems indicated above, I tried to open and convert the file using the mmc. I know the certificate chain has three files; I recovered them and uploaded them to ISE. With two of these three files selected in the LDAPS security configuration I can run the "Test bind to Server" successfully, but every time a user tries with their own credentials, access is always denied with the "invalid username or password" error.
    Looking in the ISE log I found these messages:
    ERROR,0x2b263618c940,LdapSslConnectionContext::checkCryptoResult(id = 634): error message = SSL alert: code=0x230=560 ; source=local ; type=fatal ; message="Unknown CA - error unable to get issuer certificate locally",LdapSslConnectionContext.cpp:226
    ERROR,0x2b263618c940,LdapConnectionBindingState::onInput(id = 634): bind ended with an error: 117,LdapConnectionStates.cpp:396
    631,WARN ,0x2b263618c940,NIL-CONTEXT,Crypto::Result=1, Crypto.SSLConnection.pvClientInfoCB - Alert raised: code=0x230=560, where=0x4008=16392, source=local,SSLConnection.cpp:2765
    WARN ,0x2b263618c940,NIL-CONTEXT,Crypto::Result=102, Crypto.SSLConnection.writeData - failed write the data,SSLConnection.cpp:970
    ERROR,0x2b263618c940,LdapSslConnectionContext::checkCryptoResult(id = 634): crypto result = 102,LdapSslConnectionContext.cpp:202
    ERROR,0x2b263618c940,cntx=0000005789,user=tmxedscalcan,LdapServer::onAcquireConnectionResponse: failed to acquire connection,LdapServer.cpp:461
    ERROR,0x2b263436e940,NIL-CONTEXT,[ActiveDirectoryClient::openCdcConnection] Can't open CDC session due to error 32: ADClient is not running,ActiveDirectoryClient.cpp:1328
    ERROR,0x2b263436e940,NIL-CONTEXT,[ActiveDirectoryClient::connectClient] AD CDC client connection failed!,ActiveDirectoryClient.cpp:117
    ERROR,0x2b263436e940,NIL-CONTEXT,ActiveDirectoryIDStore::performConnection - Connecting client failed,ActiveDirectoryIDStore.cpp:608
    I have no idea what they mean.
    Someone told me the conversion made with mmc on my PC was an error and I need to repeat the same process using administrative tools on a server.
    I'm really confused and I don't know how to continue with a troubleshooting process.
    How can I know the original file is correct?
    How can I know the conversion is correct?
    As the original chain includes three certificates, should I upload them to ISE separately or as one file?
    Attached is the Sponsor policy screenshot. I have two rules with the same conditions, one for AD (just for test), one for LDAPS.
    I will appreciate your help
    Regards.
    Daniel Escalante

    Hi,
    If you open the .p7b file on a Windows machine (open, not install),
    go to the Certification Path and click on the root certificate, then click View Certificate.
    Now you have the root certificate.
    Go to Details and click Copy to File. This gives you the option to export the root cert.
    Click Next; here you can select to save as Base-64 encoded (DER) that you can import in ISE.
    Click Next and save. Then try to import under Server certificates on ISE.
    You can do this for the sub-CA cert in the chain as well.
    HTH
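The threads above circle one problem from several directions: the AIR posts (the first post, David's Keychain export, Steve's Thawte export) need a .p12 that contains the issuing chain and not just the end-entity certificate; the Java CertPathBuilder post builds a path from a trust anchor plus a store of intermediates; the WebLogic post concatenates PEM files into a chain; and the ISE post has to get usable PEM out of a .p7b. The script below is an added example for this page, not code from any poster or vendor. It generates a throw-away three-tier PKI with openssl (root, intermediate, code-signing leaf; every name and the password "changeit" are made up) and then performs each of those steps on it: path verification with the root and intermediate supplied separately, a PKCS#12 export with the chain included via -certfile, and a round trip through a DER .p7b followed by splitting the bundle and picking out the root by subject == issuer. In the Apple case of the first post, int.crt plays the role of AppleWWDRCA and root.crt the Apple Root CA. Two caveats a practitioner should know: keytool -export writes binary DER unless you pass -rfc, so three DER files concatenated under a .pem name will not parse as PEM; and OpenSSL 3.x refuses .p12 files that older exporters (Keychain Access, Firefox, Windows) encrypt with RC2/3DES unless you add -legacy to the openssl pkcs12 command.

```shell
#!/bin/sh
# Added example for this page; it is not code from any of the posts above.
# Builds a throw-away root -> intermediate -> signer test PKI with openssl
# and then walks through the three things the threads keep running into:
#   1. path building when the root and the intermediate are separate inputs
#   2. exporting a PKCS#12 (.p12/.pfx) that carries the whole chain
#   3. turning a .p7b bundle into PEM and picking the root cert out of it
# Every name here (Test Root CA, Test Signer, password "changeit") is made
# up for the example. Needs openssl 1.1.1 or newer and a POSIX shell.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# 0. Throw-away PKI. The CA certs carry CA:TRUE and keyCertSign, the signer
#    carries the codeSigning EKU so it resembles a real code-signing identity.
make_test_pki() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=codeSigning\n' > signer.ext
    {
        openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Root CA' -keyout root.key -out root.csr
        openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 30 -out root.crt
        openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate CA' -keyout int.key -out int.csr
        openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -extfile ca.ext -days 30 -out int.crt
        openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Signer' -keyout signer.key -out signer.csr
        openssl x509 -req -in signer.csr -CA int.crt -CAkey int.key -CAcreateserial -extfile signer.ext -days 30 -out signer.crt
    } 2>/dev/null
}

# 1. Path building. The trust anchor (-CAfile) and the untrusted intermediates
#    (-untrusted) are separate inputs, the same split a Java CertPathBuilder
#    gets as its TrustAnchor set plus a CertStore. Returns openssl verify's status.
verify_path() {            # verify_path <leaf.pem> [intermediates.pem]
    if [ $# -gt 1 ]; then
        openssl verify -CAfile root.crt -untrusted "$2" "$1"
    else
        openssl verify -CAfile root.crt "$1"
    fi
}

# 2. PKCS#12 with the chain. -certfile puts the issuers in the bundle next to
#    the key and end-entity cert; a .p12 holding only the end-entity cert is
#    exactly what a signing tool cannot build a chain from.
export_p12_with_chain() {  # export_p12_with_chain <out.p12> <password>
    cat int.crt root.crt > issuers.pem
    openssl pkcs12 -export -inkey signer.key -in signer.crt -certfile issuers.pem \
        -name 'Test Signer' -passout "pass:$2" -out "$1"
}
count_certs_in_p12() {     # count_certs_in_p12 <file.p12> <password>
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys | grep -c 'BEGIN CERTIFICATE'
}

# 3. PKCS#7 bundles. Windows usually writes .p7b as DER, so try DER first. The
#    certificates inside a PKCS#7 are a SET, so the order that comes back out
#    means nothing: identify the root by subject == issuer, not by position.
p7b_to_pem() {             # p7b_to_pem <in.p7b> <out.pem>
    openssl pkcs7 -inform DER -print_certs -in "$1" -out "$2" 2>/dev/null \
        || openssl pkcs7 -inform PEM -print_certs -in "$1" -out "$2"
}
split_pem_bundle() {       # split_pem_bundle <bundle.pem> <prefix>; writes prefix1.pem, prefix2.pem, ...; prints the count
    awk -v p="$2" '/^-----BEGIN CERTIFICATE-----/ { n++; out = p n ".pem" }
                   /^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/ { print > out }
                   END { print n + 0 }' "$1"
}
name_of() {                # name_of <cert.pem> subject|issuer -> RFC 2253 DN
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2=//"
}
is_self_signed() {         # name comparison only; enough to pick the root out of a bundle
    [ "$(name_of "$1" subject)" = "$(name_of "$1" issuer)" ]
}
find_root_in_bundle() {    # find_root_in_bundle <bundle.pem> -> DN of the self-issued cert
    n=$(split_pem_bundle "$1" part)
    i=1
    while [ "$i" -le "$n" ]; do
        if is_self_signed "part$i.pem"; then name_of "part$i.pem" subject; return 0; fi
        i=$((i + 1))
    done
    return 1
}

make_test_pki
verify_path signer.crt int.crt                          # -> signer.crt: OK
verify_path signer.crt || echo 'without the intermediate the path cannot be built'
export_p12_with_chain signer.p12 changeit
echo "certs in signer.p12: $(count_certs_in_p12 signer.p12 changeit)"   # -> 3
cat signer.crt int.crt root.crt > chain.pem             # end-entity first, then each issuer in turn
openssl crl2pkcs7 -nocrl -certfile chain.pem -outform DER -out chain.p7b
p7b_to_pem chain.p7b chain_from_p7b.pem
echo "root in chain.p7b: $(find_root_in_bundle chain_from_p7b.pem)"     # -> CN=Test Root CA
echo "work dir: $WORK"
```

Run it as `sh chain-demo.sh`; everything lands in the printed temp directory so you can inspect signer.p12 with `openssl pkcs12 -in signer.p12 -nokeys -passin pass:changeit` (add `-legacy` under OpenSSL 3 if the file came from an older exporter). For a real identity, replace the generated signer.key/signer.crt with your own and issuers.pem with the CA's intermediate and root, which is the same thing the Keychain multi-select export and the IE "Include all certificates in the certificate path" checkbox do for you.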
