Peer certificate rejected by ChainVerifier

Peer certificate rejected by ChainVerifier

Scenario

In a scenario with a SSL encrypted (HTTPS) SOAP target URL in the SOAP receiver channel, the message goes into an error state.

Error

The following error is shown in Message Log in PIMON:

SOAP: Call failed: java.io.IOException: Failed to get the input stream from socket: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier

Solution

The SSL certificate needs to be imported into PIs keystore.

Download the certificate from the target server
  1. Open the Target URL in Chrome (or any other Browser)
  2. Open the developer tools by clicking on the three dots -> More Tools -> Developer Tools (Shortcut STRG + SHIFT + I)

    Chrome: Open developer tools
    Chrome: Open developer tools
  3. Go to the “Security” Tab and click on “View certificate”
  4. Go to the Details Tab and click on “Copy to file” button
  5. Click on the “Next” button and select “DER-codet-binary X.509 (.CER)”

    Download Certificate
    Download Certificate
  6. Click on “Next” button and select a destination on you local PC
Import certificate into keystore
  1. Open the Netweaver Administrator (http://your.pi:port/nwa)
  2. Go to Configuration -> Security -> Certificates and Keys
  3. Select the “Trusted CAs” View and click on “Import Entry”
  4. Select entry type “X.509 Certificate”, enter the path to the certificate you downloaded before and click on “Import”

    Certificates and Keys: Import entry
    Certificates and Keys: Import entry
  5. Resend your message

If your error is not resolved, open the certificate again and click on certification path. Afterwards, double click the first and second certificate (one after each other), save them and also import them into the TrustedCAx view.

Leave a Reply

Your email address will not be published. Required fields are marked *