Missing certificates
Identifying missing certificates.
Sometimes the CA hierarchy described in the server certificate is incomplete or needs another certificate (default ones used by browsers or private ones).
WS-DEBUG (Security error)
Error with certificate at depth: 3
issuer = /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
subject = /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
err 19:self signed certificate in certificate chain
WS-DEBUG END
This means OpenSSL is looking for a third ancestor that is not listed in the hierarchy above. In this example, gatewaybeta.fedex.com only has two ancestors, and none are named "Class 3 Public Primary Certification Authority". You need to download the root certificates from VeriSign and add "Class 3 Public Primary Certification Authority" in your CA list.
If the certificate authorities are not found in the operating system keystore, you need to download them:
- If you store the CA certificates in $FGLDIR/web_utilities/certs directory, ensure they are named with the .crt extension.
-
If you have configured the FGLPROFILE file using the global certificate authority list entry
security.global.ca
, you need to create the CA list with the .pem extension.The Firefox® browser allows you to download the CA list as a pem file; a PEM (cert) or PEM (chain). Use the PEM (chain) file in this case. Otherwise, you will need to download the certs individually and create the pem chain file as described in Create a certificate authority list.