Peer Certificate Rejected by Chain Verifier

Former Member
0 Kudos

Hi,

I have a Source PI talking to a target PI through SOAP adapter. It's a secured communication using HTTPS.

SSL is enabled on both the sides with VCLIENT set to 2.

I am using self-signed certificates on both the sides and they are kept in ICM_SSL_<instance no> keystore view.

When I execute my scenario, it fails in SOAP receiver channel on source PI side with the below error.

Delivering the message to the application using connection SOAP_http://sap.com/xi/XI/System failed, due to: com.sap.engine.interfaces.messaging.api.exception.MessagingException: iaik.security.ssl.SSLCertificateException: Peer certificate rejected by ChainVerifier.

I have also tried copying the public certificate of the target PI server in Trusted CAs of source PI and vice versa, but this also didn't help.

Is it that we cannot use self-signed certificate for SSL communication, or is there any other configuration required for this?

A quick help will be highly appreciated.

Thanks,

Deepika

Edited by: Deepika Kejriwal on Jul 17, 2009 2:16 PM

2 REPLIES

WolfgangJanzen
Product and Topic Expert
0 Kudos

> I have a Source PI talking to a target PI through SOAP adapter. It's a secured communication using HTTPS.
>
> I am using self-signed certificates on both the sides.
>
> When I execute my scenario, it fails in SOAP receiver channel on source PI side with the below error.
>
> Is it that we cannot use self-signed certificate for SSL communication.

According to your description, "peer" refers to the SSL client (since the error is reported by the receiver / SSL server).

Well, normally X.509 client certificates are issued by a CA (and thus not self-signed). And usually, you import the CA root certificate into the "Trusted CA" keystore (view).

Technically, a "root certificate" is also a self-signed certificate.

So, what makes the difference?

Well, for "Version 1" (V1) certificates there is no difference (exactly speaking: one cannot tell the difference).

But for "Version 3" (V3) certificates, the peer can differentiate between the two - based on the "extended attributes" (here: "Is allowed to act as CA" denotes a CA Root Certificate).
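The V1/V3 distinction from the reply above, as an added example that is not part of the original thread: a standard-library DER walk that reports a certificate's X.509 version and whether it carries the CA flag. It assumes the "Is allowed to act as CA" attribute is the basicConstraints extension (OID 2.5.29.19) with cA=TRUE; the function names are hypothetical and the sample inputs are constructed, unsigned skeletons rather than real certificates.

```python
BASIC_CONSTRAINTS = bytes.fromhex("551d13")   # OID 2.5.29.19 (basicConstraints)

def tlv(buf, pos=0):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):                           # content of a constructed element
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def classify(cert_der):
    """Return (x509_version, ca_flag) for a DER-encoded certificate."""
    tbs = children(children(tlv(cert_der)[1])[0][1])
    version, is_ca = 1, False                  # V1: no version field, no extensions
    if tbs[0][0] == 0xA0:                      # [0] EXPLICIT version (0-based)
        version = children(tbs[0][1])[0][1][0] + 1
    for tag, val in tbs:
        exts = children(children(val)[0][1]) if tag == 0xA3 else []  # [3] extensions
        for _, ext in exts:
            fields = children(ext)             # OID, optional critical, OCTET STRING
            if fields[0][1] == BASIC_CONSTRAINTS:
                bc = children(children(fields[-1][1])[0][1])
                is_ca = bool(bc) and bc[0] == (0x01, b"\xff")
    return version, is_ca

def der(tag, *parts):                          # sample builder, short lengths only
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def sample(version, ca=None):
    """Constructed, unsigned certificate skeleton; not a real certificate."""
    head = [der(0xA0, der(0x02, b"\x02"))] if version == 3 else []
    tbs = head + [der(0x02, b"\x01")] + [der(0x30)] * 5   # serial + empty fields
    if ca is not None:
        bc = der(0x30, der(0x01, b"\xff") if ca else b"")
        ext = der(0x30, der(0x06, BASIC_CONSTRAINTS), der(0x04, bc))
        tbs.append(der(0xA3, der(0x30, ext)))
    return der(0x30, der(0x30, *tbs), der(0x30), der(0x03, b"\x00"))

if __name__ == "__main__":
    for args in [(1,), (3,), (3, False), (3, True)]:
        print(args, "->", classify(sample(*args)))
```

`classify` also accepts the bytes of a real DER export of a certificate, so it can be run against the entries placed in the Trusted CAs view.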

0 Kudos

Ok I have a similar problem. I installed the certificates in the Trusted CA in NWA. Funny that this is working in my dev box, but not in my QA box.

Any help is appreciated.

Phil