ISC.0009.9002: Error in certificate chain

Hi there,

I have an error when uploading a certificate in a TN partner. Here is the situation:

For unit and integration tests, we simulate TN partners (a supplier and our company); that means we launch reception of documents by launching a test service with Developer. We are on the 7.1.1 release, and we create self-signed certificates with openssl on Windows 2003 Server 64-bit. We use the AS2 protocol.

First we create our Certificate Authority with this procedure :
- openssl genrsa -out caPrivKey.pem 1024
- openssl req -new -key caPrivKey.pem -out caRequest.pem
- openssl ca -keyfile caPrivKey.pem -out caCertificate.pem -selfsign -infiles caRequest.pem

Secondly, we’ll get private key and certificate for the server:
- openssl genrsa -out testKey.pem 1024
- openssl req -new -key testKey.pem -out testKeyRq.pem
- openssl ca -keyfile caPrivKey.pem -cert caCertificate.pem -out testKeyCert.pem -infiles testKeyRq.pem

Third, we convert .pem to .der format:
- Certificates: openssl x509 -in cert.pem -out cert.der -outform DER
- Keys: openssl rsa -in userkey.pem -out userkey.der -outform DER

We tested the CA certificate by installing it on the server side. That works.

On MWS, we create the test partner. On the Certificates tab, I do:
1/ put the CA certificate in “sign/verify”: Ok
2/ put the key in Encrypt/decrypt: Ok
3/ put the certificate in Encrypt/decrypt: KO, the error is raised

Entrust cannot verify the certificate chain:
[ISC.0009.9002] Error in certificate chain

Tell me if you need some more information. We investigated but without success …

Many Thanks,

Hmmm - here’s my best guess.

If you are self-signed, you need to tell the underlying IS for your TN instance to trust your CA key.

Put your caCertificate.der in your trusted certificates directory (location of the directory configurable via IS Administrator Security → Certificates.)

Let me know if this does the trick.

Hi PhilLeary !

Thanks for the tips, I’ll try it.
But a little question on this administrative screen: when I upload the caCertificate.der, which Usage do I have to put? I think “Verify” but I’m not sure … I’m not very familiar with certificates and the AS2 protocol.

Thanks,

Best Regards,
Vincent

Hello Vincent,

Even I have the same requirement as you have. Can you tell me how you configured TN to use an HTTPS URL?

Hi Johnrose,

Actually I don’t use an HTTPS connection but an HTTP connection (in the AS2 protocol). So in this case, open the Partner (for example your Supplier), go to the “delivery settings” tab and “Add delivery Method”.

In my case I chose Primary HTTP and only filled “Host”, “Port” and “Location”.

For my “company partner”, it is the same thing :wink:

Just another note: for each “external ID” tab (Supplier and MyCompany) I put one “EDIINT AS2” ID type and one or more “user Defined 1” ID types.

Anyway it’s working on my DEV and TEST environments (simulation of exchange and real exchange) but not in my SIMULATION environment :frowning: (that is why I opened this thread).

I hope this information will help you.

Regards,
Vincent

Hi everyone,

We resolved the problem.
We created certificates and keys as defined before with OpenSSL.

When defining security in the Partner, we have to upload the key, CA and certificates in the same action and click the “Ok” button only at the end.

Before, we uploaded the key and clicked OK, then the CA certificate and clicked OK, and then the certificate and clicked OK. That was not good. Just “upload” everything at the same time and click OK afterwards.

Regards,
Vincent
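
An added example, not code from any poster in this thread: before suspecting the upload sequence, the .der files themselves can be checked to confirm that the certificate really chains to the CA. It assumes `openssl x509 -req` in place of the thread's `openssl ca` (so no demoCA setup is needed) and 2048-bit keys; every file name and subject is constructed.

```shell
# Added example: check that CERT.der chains to CA.der before uploading them.
# make_ca DIR NAME: throwaway self-signed CA (constructed subject, 2048-bit)
make_ca() {
    cat > "$1/$2.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed $2
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null &&
    openssl req -x509 -new -key "$1/$2.key" -config "$1/$2.cnf" -days 1 -out "$1/$2.pem" &&
    openssl x509 -in "$1/$2.pem" -outform DER -out "$1/$2.der"
}

# make_leaf DIR CA NAME: key, request and certificate signed by CA, plus DER copy
make_leaf() {
    openssl genrsa -out "$1/$3.key" 2048 2>/dev/null &&
    openssl req -new -key "$1/$3.key" -config "$1/$2.cnf" -subj "/CN=constructed-$3" -out "$1/$3.csr" &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" -CAcreateserial -days 1 -out "$1/$3.pem" 2>/dev/null &&
    openssl x509 -in "$1/$3.pem" -outform DER -out "$1/$3.der"
}

# chain_ok CA.der CERT.der: exit 0 only if CERT verifies against CA
chain_ok() {
    t=$(mktemp -d) || return 2
    rc=0
    { openssl x509 -inform DER -in "$1" -out "$t/ca.pem" &&
      openssl x509 -inform DER -in "$2" -out "$t/cert.pem" &&
      openssl verify -CAfile "$t/ca.pem" "$t/cert.pem" >/dev/null 2>&1; } || rc=$?
    rm -rf "$t"
    return $rc
}

# demo: the same server certificate checked against its issuer and an unrelated CA
demo() {
    d=$(mktemp -d) || return 2
    make_ca "$d" ca && make_ca "$d" otherca && make_leaf "$d" ca server || return 2
    chain_ok "$d/ca.der" "$d/server.der" && good=ok || good=broken
    chain_ok "$d/otherca.der" "$d/server.der" && bad=ok || bad=broken
    rm -rf "$d"
    echo "issuing-ca=$good unrelated-ca=$bad"
}
demo
```

If `chain_ok` succeeds on the real files, the certificate and CA match and the remaining suspects are the trust configuration and the upload procedure.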

Hi,

Please let me know the link or the location from where I can create the self-signed certificates using OpenSSL.

My Client has to post XML files to a HTTPS location. I have designed it this way.

  1. Create Enterprise Profile. (My Company)
  2. Partner Profile (My Client)
  3. Document type.
  4. Processing Rule

Now the issue is, which URL should I give my Client so that he can post the data to that HTTPS location?

Any help is appreciated.

Thanks.
Johnrose.

Set up a default https port (443) in the Security/Ports via IS Administrator and install certificates in the partner profile Security tab.

URL would be: (assuming you are using TN)
https://IS server:443/invoke/wm.tn/receive

Before giving the URL to your TP, test posting XML to TN.

HTH,
RMG