Peer certificate rejected by ChainVerifier

Scenario

In a scenario with a SSL encrypted (HTTPS) SOAP target URL in the SOAP receiver channel, the message goes into an error state.

Error

The following error is shown in Message Log in PIMON:

SOAP: Call failed: java.io.IOException: Failed to get the input stream from socket: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier

Solution

The SSL certificate needs to be imported into PIs keystore.

Download the certificate from the target server

1. Open the Target URL in Chrome (or any other Browser)
2. Open the developer tools by clicking on the three dots -> More Tools -> Developer Tools (Shortcut STRG + SHIFT + I)

   

3. Go to the “Security” Tab and click on “View certificate”
4. Go to the Details Tab and click on “Copy to file” button
5. Click on the “Next” button and select “DER-codet-binary X.509 (.CER)”

   

6. Click on “Next” button and select a destination on you local PC

Import certificate into keystore

1. Open the Netweaver Administrator (http://your.pi:port/nwa)
2. Go to Configuration -> Security -> Certificates and Keys
3. Select the “Trusted CAs” View and click on “Import Entry”
4. Select entry type “X.509 Certificate”, enter the path to the certificate you downloaded before and click on “Import”

   

5. Resend your message

If your error is not resolved, open the certificate again and click on certification path. Afterwards, double click the first and second certificate (one after each other), save them and also import them into the TrustedCAx view.