I was fighting with the right way to add a recent Verisign certificate to a keystore for the IBM HTTP Server (IHS). I have used the ikeyman utility on Solaris.
The problem indicator was the error message “SSL0208E: SSL Handshake Failed, Certificate validation error” in the SSL log of IHS.
The IBM websites where not really helpful to track down the problem (the missing stuff). The Verisign instructions did not lead to a working solution either.
What was done before: the Verisign Intermediate Certificates where imported as “Signer Certificates”, and the certificate for the webserver was imported within “Personal Certificates”. Without the signer certificates the personal certificate would not import due to an intermediate certificated missing (no valid trust-chain).
What I did to resolve the problem:
- I removed all Verisign certificates.
- I added the Verisign Root Certificate and the Verisign Intermediate Certificate A as a signer certificate (use the “Add” button). I also tried to add the Verisign Intermediate Certificate B, but it complained that some part of it was already there as part of the Intermediate Certificate A. I skipped this part.
- Then I converted the server certificate and key to a PKS12 file via “openssl pkcs12 ‑export ‑in server-cert.arm ‑out cert-for-ihs.p12 ‑inkey server-key.arm ‑name name_for_cert_in_ihs”.
- After that I imported the cert-for-ihs.p12 as a “Personal Certificate”. The import dialog offers 3 items to import. I selected the “name_for_cert_in_ihs” and the one containing “cn=verisign class 3 public primary certification authority – g5” (when I selected the 3rd one too, it complained that a part of it was already imported with a different name).
With this modified keystore in place, I just had to select the certificate via “SSLServerCert name_for_cert_in_ihs” in the IHS config and the problem was fixed.