
SPS is saying that the certificate is not valid even though the cert and CA chain are imported into the cert store


Article ID: 112569




CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On


With SPS version 12.52 SP1 CR8, the certificate and CA chain have been added to the certificate store, yet the log reports the following:

[06/21/2018][15:19:23][2128][2152][104c864e-a2cca534-12022830-dbb2dd02-145229f5-231][execute][Sending request to backend = url =]
[06/21/2018][15:19:23][2128][2152][104c864e-a2cca534-12022830-dbb2dd02-145229f5-231][requestConnection(): ][Get connection: HttpRoute[{s}->], timeout = 180000]
[06/21/2018][15:19:23][2128][2152][104c864e-a2cca534-12022830-dbb2dd02-145229f5-231][openConnection()][Connecting to]
[06/21/2018][15:19:23][2128][2152][104c864e-a2cca534-12022830-dbb2dd02-145229f5-231][releaseConnection(): ][Released connection is not reusable.]
[06/21/2018][15:19:23][2128][2152][104c864e-a2cca534-12022830-dbb2dd02-145229f5-231][execute][Certificate for is not trusted or bad certificate]


12.52 SP1 CR8


Even though the certificate and CA chain are added to the certificate store for SPS, the Proxy Engine is limited to communicating over TLSv1.0. TLSv1.1 and TLSv1.2 must be listed explicitly in the versions parameter in the server.conf file.


In the server.conf file in the proxy-engine/conf/ folder, find the tag named <sslparams>. It has a property named versions whose current value is "TLSV1". Change it to "TLSV1,TLSv1.1,TLSv1.2".

Restart the SPS Proxy Engine Service and you should be able to connect to the TLSv1.2 HTTP server being proxied to.
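
To confirm the setting before and after the change, the following added example (not vendor code) reads the versions property from the <sslparams> block and reports which of TLSv1.1 and TLSv1.2 are still missing. The `versions="..."` line layout, the `#` comment handling, the sample text and the function names are assumptions made for illustration.

```python
import re

# Protocols the article says must be listed to reach a TLSv1.2 backend.
REQUIRED = ("TLSv1.1", "TLSv1.2")

def sslparams_versions(conf_text):
    """Return the protocols in versions="..." inside <sslparams>, or None if absent."""
    block = re.search(r"<sslparams>(.*?)</sslparams>", conf_text, re.S | re.I)
    if not block:
        return None
    for line in block.group(1).splitlines():
        line = line.strip()
        if line.startswith("#"):  # ignore commented-out settings
            continue
        m = re.match(r'versions\s*=\s*"([^"]*)"', line, re.I)
        if m:
            return [v.strip() for v in m.group(1).split(",") if v.strip()]
    return None

def missing_versions(conf_text, required=REQUIRED):
    """List required protocols that are not enabled (case-insensitive compare)."""
    enabled = {v.lower() for v in (sslparams_versions(conf_text) or [])}
    return [r for r in required if r.lower() not in enabled]

# Constructed samples; the key="value" layout is an assumption about server.conf.
BEFORE = '''<sslparams>
# versions="TLSV1,TLSv1.1,TLSv1.2"
versions="TLSV1"
</sslparams>
'''
AFTER = '''<sslparams>
versions="TLSV1,TLSv1.1,TLSv1.2"
</sslparams>
'''

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, sslparams_versions(text), "missing:", missing_versions(text))
```

An empty "missing" list for the edited file means the versions value matches the article's fix; the Proxy Engine still has to be restarted for it to take effect.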