Troubleshooting Server Certificate Setup

Refer to these troubleshooting steps if you changed the server certificate used by the Web Transfer or User Manager server.

After any change to the server certificate setup, always perform both of the following steps before retesting:

  1. Close all browser windows.
  2. Restart the server whose certificate you are configuring. See Start and Stop the Web Transfer Server and Start and Stop the User Manager Server.

The error messages shown below come from the console.yyyymmdd.log file.

Certificate warning still appears

  • Did you close all browser windows and restart the server before retesting?
  • Does the server name in the URL you are using match the server name(s) in the certificate?

Browser cannot display the web page

  • Did you specify the correct password for servletengine.ssl.keystorepassword?

    In the log file, look for: "java.io.IOException: Keystore was tampered with, or password was incorrect"

  • Is the keystore or PKCS#12 file in the location specified for servletengine.ssl.keystore?

    In the log file, look for: "java.io.FileNotFoundException: <path> (The system cannot find the file specified)"

  • If you generated a JKS from a PKCS#12 file, did you use the same password?

    In the log file, look for: "java.security.UnrecoverableKeyException: Given final block not properly padded"

  • Is your PKCS#12 file encrypted with a FIPS-approved algorithm? Note that OpenSSL and the Windows Certificate Manager do not currently encrypt the certificate using strong algorithms by default. PBE-SHA1-3DES is the only approved algorithm currently available. If you see the following log file error, either re-encrypt your file or import it into a Java keystore.

    In the log file, look for: "java.io.IOException: Could not decrypt data"

Login is successful, but error messages appear in the log file

  • The message "javax.net.ssl.SSLException: Fatal Alert received: Bad Certificate" appears repeatedly in the server and console log files.

    This exception is most likely to occur after User Manager has been configured with a different certificate and before the Web Transfer Server has been updated to trust that certificate. To resolve this issue, from the Reflection for Secure IT console, go to the Web Edition Users pane and click Activate and verify.
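
The log checks above, collected into a single pass over the lines of a console.yyyymmdd.log file. This is an added example, not part of the product or its documentation; the check ids, the triage function and the sample lines (timestamp prefix and path) are assumptions made for illustration.

```python
import re

# (id, pattern built from a message quoted on this page, what to check)
CHECKS = [
    ("keystore-password",
     re.compile(r"java\.io\.IOException: Keystore was tampered with, or password was incorrect"),
     "verify the value of servletengine.ssl.keystorepassword"),
    ("keystore-missing",
     re.compile(r"java\.io\.FileNotFoundException: (?P<detail>.+?) \(The system cannot find the file specified\)"),
     "compare this path with servletengine.ssl.keystore"),
    ("jks-password-mismatch",
     re.compile(r"java\.security\.UnrecoverableKeyException: Given final block not properly padded"),
     "the JKS and the PKCS#12 file it was generated from need the same password"),
    ("pkcs12-encryption",
     re.compile(r"java\.io\.IOException: Could not decrypt data"),
     "re-encrypt the PKCS#12 file (PBE-SHA1-3DES) or import it into a Java keystore"),
    ("untrusted-user-manager-cert",
     re.compile(r"javax\.net\.ssl\.SSLException: Fatal Alert received: Bad Certificate"),
     "Web Edition Users pane: click Activate and verify"),
]

def triage(lines):
    """Return one finding per matched check: id, count, first line, detail, advice."""
    findings = {}
    for lineno, line in enumerate(lines, start=1):
        for check_id, pattern, advice in CHECKS:
            m = pattern.search(line)
            if not m:
                continue
            f = findings.setdefault(check_id, {
                "id": check_id, "count": 0, "first_line": lineno,
                "detail": m.groupdict().get("detail"), "advice": advice})
            f["count"] += 1
    return sorted(findings.values(), key=lambda f: f["first_line"])

# Constructed sample lines; the timestamp prefix and the path are made up.
SAMPLE_LOG = """\
2024-01-01 10:00:01 INFO Starting servlet engine
2024-01-01 10:00:02 ERROR java.io.FileNotFoundException: C:\\example\\keystore.p12 (The system cannot find the file specified)
2024-01-01 10:05:10 WARN javax.net.ssl.SSLException: Fatal Alert received: Bad Certificate
2024-01-01 10:05:40 WARN javax.net.ssl.SSLException: Fatal Alert received: Bad Certificate
""".splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        where = f" [{f['detail']}]" if f["detail"] else ""
        print(f"line {f['first_line']}, x{f['count']}: {f['id']}{where} -> {f['advice']}")
```

To run it against a real log, pass the file's lines to triage(), for example triage(open(path, errors="replace")).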