Solution ID : SO20827

Last Modified : 05/02/2018

Error: "SSL Handshake Failed, Certificate validation" error occurs on IBM HTTP server

Problem

The following errors may appear in the error log of an IBM HTTP server:

SSL Handshake Failed, Certificate validation error.
SSL208E: SSL Handshake Failed, Certificate validation error.

Cause

The installed SSL certificate failed one of the validation checks. This occurs if the Intermediate CA and/or Root CA certificate has not been installed.

Solution

To resolve this issue on IBM HTTP server, perform the following steps:


Open the Key Database File

  1. Start Key Management Utility
  2. From the top menu, click Key Database File
  3. Select Open
  4. Change Key database type to CMS
  5. Click Browse
  6. Locate the Key database file (.kdb)
  7. Click Open > click OK
  8. Enter the password > click OK
     

Install Intermediate CA

Note: To download your Intermediate certificate, refer to article AR1548. Save your intermediate certificate as primary.cer.

  1. In the Key database content section drop down list, select Signer Certificates
  2. Click Add
  3. Select the Data type as Base64-encoded ASCII data
  4. Click Browse
  5. Locate the Intermediate CA certificate: primary.cer
  6. Click Open > click OK
  7. Enter a label for the certificate: PrimaryCA
    Note: Make sure each Signer Certificate has a unique label name
     

Install Root CA

Obtain GeoTrust Global CA from: SO5761

Alternatively, its details are as follows:

Issued to: GeoTrust Global CA
Issued by: GeoTrust Global CA
Valid from: 5/20/2002 to 5/20/2022
Serial Number: 02 34 56

  1. Copy the contents in the box below (including the -----BEGIN----- and -----END----- lines)
  2. Paste the copied contents into a plain text editor such as Notepad or Vi
  3. Save the file

Note: The installation of the Root CA may not be required if the Root is pre-configured as a Signer Certificate

  1. In the Key database content section drop down list, select Signer Certificates
  2. Click Add
  3. Select the Data type as Base64-encoded ASCII data
  4. Click Browse
  5. Locate the Root CA certificate: rootca.cer
  6. Click Open > click OK
  7. Enter a label for the certificate: RootCA

    Note: Make sure each Signer Certificate has a unique label name
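
A pre-import check for the cause described above, as an added example that is not part of the original article: it reads Base64-encoded certificate files and reports which certificates have an issuer that is not the subject of any supplied certificate, that is, a missing signer. It compares names byte-for-byte and does not verify signatures; the function names, labels and sample certificates are assumptions constructed for illustration.

```python
import base64
import re

PEM = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_to_der(data):
    """DER bytes of the first certificate in a Base64-encoded (PEM) file's contents."""
    return base64.b64decode(PEM.search(data).group(1))

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Raw DER of the issuer and subject Names of one X.509 certificate."""
    _, pos, _ = read_tlv(der, 0)      # Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)    # TBSCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                   # optional [0] version field
        pos = end
    fields = []                       # serial, signature, issuer, validity, subject
    for _ in range(5):
        start = pos
        _, _, pos = read_tlv(der, pos)
        fields.append(der[start:pos])
    return fields[2], fields[4]

def missing_signers(certs):
    """certs maps label -> DER; returns labels whose issuer is no supplied subject."""
    names = {label: issuer_and_subject(der) for label, der in certs.items()}
    subjects = {subject for _, subject in names.values()}
    return sorted(label for label, (issuer, _) in names.items() if issuer not in subjects)

# Constructed sample input: unsigned certificates with made-up names, not real CA data.
def tlv(tag, body):  # DER encoder for the sample only (bodies under 256 bytes)
    size = bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])
    return bytes([tag]) + size + body

def sample_pem(subject_cn, issuer_cn):
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, b"\x06\x03\x55\x04\x03" + tlv(0x0C, cn.encode()))))
    alg = tlv(0x30, bytes.fromhex("06092a864886f70d01010b0500"))
    tbs = tlv(0x30, bytes.fromhex("a003020102020101") + alg + name(issuer_cn)
              + tlv(0x30, tlv(0x17, b"250101000000Z") * 2) + name(subject_cn))
    der = tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"
```

To check real files, pass `pem_to_der(open("primary.cer", "rb").read())` and the other certificates to `missing_signers` under their labels. An empty list means every issuer is present among the supplied certificates.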