Java AS refuses SSL client cert authentication with: "is not a CA certificate"

former_member190457
Contributor
0 Kudos

Hi all,

I'm trying to set up client certificate authentication on a Java AS 7.31 SP13.

I followed all the available online manuals, importing keys and certificates, configuring keystore in NWA and also configuring ICM.

Still, in ICM I get the following error:

[Thr 1944] SSL_get_state() returned 0x00001181 "SSLv3 read client certificate B"

[Thr 1944] *** ERROR during SecudeSSL_SessionStart() from SSL_accept()==SSL_ERROR_SSL

[Thr 1944] session uses PSE file "D:\usr\sap\PO1\J00\sec\SAPSSLS.pse"

[Thr 1944] SecudeSSL_SessionStart: SSL_accept() failed --

[Thr 1944] secude_error 9 (0x00000009) = "the verification of the client's certificate chain failed"

[Thr 1944] >> ---------- Begin of Secude-SSL Errorstack ---------- >>

[Thr 1944] ERROR in ssl3_get_client_certificate: (9/0x0009) the verification of the client's certificate chain failed

[Thr 1944] ERROR in af_verify_Certificates: (24/0x0018) Chain of certificates is incomplete

[Thr 1944] ERROR in get_path: (106/0x006a) Can't verify certificate with PKRoot: Is not a CA certificate

[Thr 1944] << ---------- End of Secude-SSL Errorstack ----------

The client certificate that I'm using is self-signed, but I've imported it as Trusted CA and also in the SSL keystores in NWA.

Also, I've updated the profile parameters for ICM:

icm/HTTPS/trust_client_with_subject

icm/HTTPS/trust_client_with_issuer


Not sure what is going on here, in particular I don't understand the "Is not a CA certificate" message.

Sorry if this is a naive question, but I'm pretty new to these topics and any help would be greatly appreciated.

Could anyone please assist?

Thanks, regards

Vincenzo

Accepted Solutions (1)


Sriram2009
Active Contributor
0 Kudos
former_member190457
Contributor
0 Kudos

Hi, thanks for your help

Actually I am aware of the SAP note but it applies to ABAP stacks.

Also, the message applies to "the verification of the server's certificate chain failed", while in my case I have problems with the client certificates.

I've done the equivalent configuration steps in the Java AS: importing the relevant certificates in the SSL keystores and in Trusted CAs keystore.

Any idea what could be wrong here?

Thanks, regards

Vincenzo

former_member190457
Contributor
0 Kudos

The problem was that any X.509 v3 certificate which must act as a CA must have an attribute "Basic Constraints" with values "CA" or "End Entity", otherwise it can't be used as a CA. This requirement also applies in the case of self-signed certificates.

Answers (0)
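
The resolution above depends on the Basic Constraints extension (OID 2.5.29.19, per RFC 5280). The following is an added example, not code from the thread or from SAP: a small standard-library DER walker that reports whether a certificate carries that extension and what its cA flag says. The function names and the sample certificates are assumptions made for illustration; the samples are constructed skeletons with placeholder fields and no real key or signature.

```python
BASIC_CONSTRAINTS_OID = bytes([0x55, 0x1D, 0x13])  # DER body of OID 2.5.29.19

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def basic_constraints(cert_der):
    """Return 'absent', 'CA:TRUE' or 'CA:FALSE' for a DER-encoded certificate."""
    _, cert, _ = read_tlv(cert_der, 0)
    _, tbs = children(cert)[0]                      # TBSCertificate
    for tag, val in children(tbs):
        if tag != 0xA3:                             # [3] extensions, X.509 v3 only
            continue
        _, ext_list = children(val)[0]
        for _, ext in children(ext_list):
            fields = children(ext)                  # OID, optional critical flag, OCTET STRING
            if fields[0][1] != BASIC_CONSTRAINTS_OID:
                continue
            _, bc, _ = read_tlv(fields[-1][1], 0)   # BasicConstraints SEQUENCE
            ca = [v for t, v in children(bc) if t == 0x01]
            return "CA:TRUE" if ca and ca[0] != b"\x00" else "CA:FALSE"
    return "absent"

# --- Constructed sample input: certificate-shaped DER skeletons, no real key or signature ---
def tlv(tag, *parts):
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body           # short-form length, enough for the samples

def bc_extension(ca):
    bc = tlv(0x30, tlv(0x01, b"\xff") if ca else b"")  # DER omits cA when it is FALSE
    return tlv(0x30, tlv(0x06, BASIC_CONSTRAINTS_OID), tlv(0x04, bc))

def sample_cert(extension=b""):
    empty = tlv(0x30)                               # placeholder for names, validity, key
    exts = tlv(0xA3, tlv(0x30, extension)) if extension else b""
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"),
              empty, empty, empty, empty, empty, exts)
    return tlv(0x30, tbs, empty, tlv(0x03, b"\x00"))
```

For a real certificate, convert the PEM text to DER with `ssl.PEM_cert_to_DER_cert` from the Python standard library and pass the result to `basic_constraints`.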