Missing certificates

Identifying missing certificates.

Sometimes the CA hierarchy described in the server certificate is incomplete or needs another certificate (default ones used by browsers or private ones).

Figure: Certificate Viewer in Firefox Web Browser; Details Tab

Screen shot of server certificate with incomplete hierarchy
When this occurs, you will get this kind of error message when you set FGLWSDEBUG:
WS-DEBUG (Security error)
Error with certificate at depth: 3
 issuer = /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
 subject = /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
 err 19:self signed certificate in certificate chain

This means OpenSSL is looking for a third ancestor that is not listed in the hierarchy above. In this example, gatewaybeta.fedex.com only has two ancestors, and none are named "Class 3 Public Primary Certification Authority". You need to download the root certificates from VeriSign and add "Class 3 Public Primary Certification Authority" in your CA list.

If the certificate authorities are not found in the operating system keystore, you need to download them and place them in $FGLDIR/web_utilities/certs. Make sure to name them with extension .crt.