When the Full Certificate Chain Is Not Returned During an Automatic Import of the Trusted Root

Access Manager allows you to automatically import the trusted root under the following conditions:

  • When enabling SSL communication between Access Gateway and the web server, you can automatically import the root CA from the web server.

  • When setting up the user stores for Identity Server and adding the server replicas, you can automatically import the root CA of the LDAP server.

If the server certificate is issued through a chain of several certificates, the server sometimes does not send the whole chain during the automatic import. When this happens, the following message is displayed:

The root CA certificate was not returned by the server. It might be necessary
to manually import the root CA certificate and possible intermediate CA
certificates in order to complete the chain.

To correct this problem, you need to manually import the missing entries. The easiest method to obtain all the certificates in the chain, including the root CA, is to import the server certificate into Internet Explorer, then export the chain and import it into Access Manager. If Access Manager already has some of the certificates, it skips their import and imports only the missing certificates.

For instructions on this process, see Using Internet Explorer to Add a Trusted Root Chain.
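The following Go program is an added illustration and not Access Manager code: it builds a constructed root, intermediate and server certificate, then applies the check that an automatic import must pass, namely that the bundle the server sent ends in a self-signed root CA. When it does not, the issuer name of the last link tells you which certificate must be imported manually. The helper `issue` and all certificate names are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue (constructed helper, not Access Manager code) signs a certificate for cn with parent; nil parent means self-signed.
func issue(cn string, ca bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	}
	if parent == nil { parent, pkey = tmpl, key } // self-signed root CA
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// ChainStatus walks the certificates a server presented, leaf first, and reports whether the chain ends
// in a self-signed root CA. If not, it names the issuer whose certificate must be imported manually.
func ChainStatus(sent []*x509.Certificate) (complete bool, missingIssuer string) {
	for i, c := range sent {
		if c.CheckSignatureFrom(c) == nil { // self-signed CA: the root was sent
			return true, ""
		}
		if i+1 == len(sent) || c.CheckSignatureFrom(sent[i+1]) != nil {
			return false, c.Issuer.CommonName // next link absent, or not this certificate's issuer
		}
	}
	return false, ""
}

func main() {
	root, rootKey := issue("Example Root CA", true, nil, nil)
	inter, interKey := issue("Example Intermediate CA", true, root, rootKey)
	leaf, _ := issue("ldap.example.test", false, inter, interKey)
	fmt.Println(ChainStatus([]*x509.Certificate{leaf, inter}))       // false Example Root CA
	fmt.Println(ChainStatus([]*x509.Certificate{leaf, inter, root})) // true
}
```

Against a live server, the bundle to feed `ChainStatus` is what `openssl s_client -showcerts` prints for the web or LDAP server; only the self-signed certificate the check asks for, plus any intermediate it names, needs to be imported by hand.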