Hello,

we are getting the infamous certificate chain error when making an HTTPS call from an RFC destination type G:

[Thr 1079023936] ERROR in ssl3_get_server_certificate: (9/0x0009) the verification of the server's certificate chain failed

ERROR in af_verify_Certificates: (27/0x001b) Chain of certificates is incomplete : "CN=210.60.170.10, OU=XYZ, O=XYZ, C=DE"

ERROR in get_path: (27/0x001b) Found root certificate of <CN=210.60.170.10, OU=XYZ, O=XYZ, C=DE> which does not fit the give

ERROR in verify_with_PKs: (27/0x001b) Found root certificate of <CN=210.60.170.10, OU=XYZ, O=XYZ, C=DE> which does not fit the given PKRoot

(CN-IP and OU,O changed manually here in the thread for security reasons)

I know that we have to make the server certificate known to STRUST. Problems with this certificate:

- it contains an IP adress, not a hostname

- it is a self-signed certificate, without trusted Root CA

The provider does not have a full valid certificate with Root CA (strange, but that is the fact).

Question: does anybody know if we can make XI work with such a certificate ? Could we issue a certificate request to a CA authority and then add the response to STRUST ? But even with that, when we make the HTTPS call and receive the server cert, we will receive a server cert without valid root CA ! Can we configure in XI STRUST to accept this cert also as root CA ?? I tried many things, e.g. added the cert to the SSL Server PSE, but nothing helped (always restarted ICM)

Or can we configure XI to bypass that server cert check ? I think the Business Connector does that, because we are moving from BC to XI, and on BC it works fine without the server cert.

CSY