Certificate chain broken: not linked properly

hello Everyone,

We have just moved from Verisign CA to Entrust and I got this issue after my first cert renewal from Entrust CA. Below is the scenario of what I am facing :

  1. Got renewed server cert, Intermediate cert and CA root cert from Entrust site
  2. Placed and installed all cert on Webmethod window server
  3. COnfigured Outbound SSL and Ports connecting to DMZ servers with renewed Cert and CA signed cert names

After performing all these steps, I am getting below errors,

2014-05-25 13:52:33 CDT [ISC.0006.0004D] Error in SSL setup: [ISC.0009.9001] Certificate chain broken: not linked properly
2014-05-25 13:52:33 CDT [ISP.0046.0019C] Unable to establish connection to the Reverse Gateway server 167.209.215.16:6464, Exception --> Server certificate rejected by ChainVerifier.

Here 167.209.215.16:6464 is my DMZ and internal Registration port 6464. I cross verified my Server/Chain and root cert. Not getting clue what went wrong. Please suggest on this asap

Regards
AKS

Hi Anuj,

As per Error guide explanation:

ISC.0009.9001E – Certificate chain broken: not linked properly
Explanation: The certificate chain is out of order.
Action: Obtain a valid certificate chain.

What is your format of certificate [Make sure your CA issues you a complete cert with its intermediate certificates too]?

Try exporting it to IE and check the certificate chain.

HTH.

Thanks,
Rankesh

Do you have all the certificates in the chain? The Issuer CN in the lowest certificate should be Subject CN in the next level … till the CA Root certificate which will be self issued.

Also i think webMethods IS accepts only .DER certifcates when used in chain.

Hello Rankesh and DC,

Yes I have already complete cert chain installed on my server in proper and correct order. The issue has been resolved however.

ISSUE: The Certificate page for DMZ server had old server cert mapped with Verisign CA . Since the Internal registration port 6464 had “Request for Certificate” settings. It was picking old cert.

SOLUTION: Mapped new cert with Valid user.

Thanks everyone for your help

which version of WM IS are you running?
for newer ones, you need to load the whole chain into the *.jks key store file .
I guess you don’t have the whole chain in it.