Missing certificates

Sometimes the CA hierarchy described in the server certificate is incomplete or needs another certificate (one of the default ones used by browsers, or a private one).


Figure 1. Certificate Viewer; Details Tab (screenshot of a server certificate with an incomplete hierarchy)

When this occurs, you get an error message like the following when FGLWSDEBUG is set:
WS-DEBUG (Security error)
Error with certificate at depth: 3
 issuer = /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
 subject = /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
 err 19:self signed certificate in certificate chain
WS-DEBUG END

This means OpenSSL is looking for a third ancestor that is not listed in the hierarchy above. In this example, gatewaybeta.fedex.com only has two ancestors, and neither is named "Class 3 Public Primary Certification Authority". You need to download the root certificates from VeriSign and add "Class 3 Public Primary Certification Authority" to your CA list.
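To triage several such messages at once, the sketch below (an added example, not part of the Genero documentation or tooling) parses WS-DEBUG security blocks and reports which certificate name is missing from the CA list. It assumes the block layout shown in the message above; `parse_security_errors`, `SAMPLE_LOG` and the second sample block are constructed for illustration.

```python
import re
# OpenSSL verification codes that point at the local CA list (x509_vfy.h).
CA_LIST_ERRORS = {
    18: "self-signed server certificate is not trusted",
    19: "chain ends in a self-signed root missing from the CA list",
    20: "issuer certificate not found in the local CA list",
}
BLOCK = re.compile(r"WS-DEBUG \(Security error\)\s*(.*?)WS-DEBUG END", re.S)
FIELD = re.compile(r"^\s*(issuer|subject)\s*=\s*(.+?)\s*$", re.M)
# Constructed sample: first block is the page's message, second is made up.
SAMPLE_LOG = """\
WS-DEBUG (Security error)
Error with certificate at depth: 3
 issuer = /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
 subject = /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
 err 19:self signed certificate in certificate chain
WS-DEBUG END
WS-DEBUG (Security error)
Error with certificate at depth: 1
 issuer = /C=XX/O=Example Org/CN=Example Root CA
 subject = /C=XX/O=Example Org/CN=Example Intermediate CA
 err 20:unable to get local issuer certificate
WS-DEBUG END
"""

def parse_security_errors(log_text):
    """Return one finding per certificate error block in log_text."""
    findings = []
    for body in BLOCK.findall(log_text):
        depth = re.search(r"certificate at depth:\s*(\d+)", body)
        err = re.search(r"^\s*err\s+(\d+):(.*)$", body, re.M)
        if not (depth and err):
            continue  # some other security error, not a chain failure
        names = dict(FIELD.findall(body))
        code = int(err.group(1))
        # 18/19: the certificate named in the block must itself be trusted.
        # 20: the issuer of the named certificate is what is missing.
        wanted = names.get("subject") if code in (18, 19) else names.get("issuer")
        findings.append({
            "depth": int(depth.group(1)),
            "code": code,
            "reason": CA_LIST_ERRORS.get(code, err.group(2).strip()),
            "add_to_ca_list": wanted if code in CA_LIST_ERRORS else None,
        })
    return findings

if __name__ == "__main__":
    print(parse_security_errors(SAMPLE_LOG))
```

Errors outside the three listed codes (an expired certificate, for example) are reported with `add_to_ca_list` set to `None`, since extending the CA list does not resolve them.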