Why is there a "Chain is Incomplete" message when issuing a CHKCERT CHAIN command under ACF2?
This message was not seen for the same certificate chain on ACF2 R15.
At the end of the CHKCERT output is the following summary:
Chain Information:
Chain contains 2 certificates
Chain is INCOMPLETE
Chain contains common ring - XXXXX.RING
Release: ACF2 R16
ACF2 R16 PTF RO95082 increased the validation of certificate chaining.
Part of the process is to check that each CERTAUTH being used to sign certificates in the chain has validity dates that would encompass the validity of the signed certificate.
Example:
There are 3 certificates in a chain of CERTAUTH certificates that sign a user certificate.
The root CERTAUTH certificate has validity dates of:
Not valid before: 2006/11/27 20:23:42 UTC
Not valid after: 2026/11/27 20:53:42 UTC
It signs an intermediate certificate with validity dates of:
Not valid before: 2014/09/22 17:14:57 UTC
Not valid after: 2024/09/23 01:31:53 UTC
This intermediate certificate signs another CERTAUTH with validity dates of:
Not valid before: 2014/10/22 17:05:14 UTC
Not valid after: 2025/10/23 07:33:22 UTC
As can be seen, the validity of the second certificate does not cover the full validity period of the third certificate:
CERT2 expires on September 23 2024
CERT3 expires on October 23 2025
Therefore the CHKCERT CHAIN command will only show CERT3 as being a part of the chain.
The other two certificates will not be included in the chain.
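To make the date-window check concrete, here is an added Python model of it (not ACF2 code and not part of the article) that walks the three CERTAUTH validity periods above from leaf to root and stops where a signer's window does not cover the certificate it signed. The labels CERT1..CERT3, the issuer links, and the "fixed" variant with a reissued CERT2 are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class Cert:
    label: str
    issuer: str          # label of the signing CERTAUTH; same as label for a root
    not_before: datetime
    not_after: datetime

def utc(s: str) -> datetime:
    # CHKCERT display format as shown in the article, e.g. "2014/09/22 17:14:57"
    return datetime.strptime(s, "%Y/%m/%d %H:%M:%S").replace(tzinfo=timezone.utc)

def encompasses(issuer: Cert, subject: Cert) -> bool:
    # The R16 PTF check: the signer's window must contain the signed cert's whole window
    return issuer.not_before <= subject.not_before and issuer.not_after >= subject.not_after

def build_chain(certs: list) -> list:
    """certs ordered leaf first, root last. Walk upward and stop at the first signer
    whose validity does not cover the cert it signed, as CHKCERT CHAIN now does."""
    chain = [certs[0]]
    for subject, issuer in zip(certs, certs[1:]):
        if issuer.label != subject.issuer or not encompasses(issuer, subject):
            break
        chain.append(issuer)
    return chain

def summarize(certs: list) -> dict:
    chain = build_chain(certs)
    top = chain[-1]
    return {"count": len(chain),
            "complete": top.issuer == top.label,   # reached a self-signed root
            "labels": [c.label for c in chain]}

# The three CERTAUTH certificates from the article, leaf first (CERT1 = root, assumed labels)
PAGE_CHAIN = [
    Cert("CERT3", "CERT2", utc("2014/10/22 17:05:14"), utc("2025/10/23 07:33:22")),
    Cert("CERT2", "CERT1", utc("2014/09/22 17:14:57"), utc("2024/09/23 01:31:53")),
    Cert("CERT1", "CERT1", utc("2006/11/27 20:23:42"), utc("2026/11/27 20:53:42")),
]

# Constructed variant (not from the article): CERT2 reissued so its window covers CERT3
FIXED_CHAIN = [PAGE_CHAIN[0],
               Cert("CERT2", "CERT1", utc("2014/09/22 17:14:57"), utc("2026/01/01 00:00:00")),
               PAGE_CHAIN[2]]

if __name__ == "__main__":
    print("page:", summarize(PAGE_CHAIN))    # count 1, complete False
    print("fixed:", summarize(FIXED_CHAIN))  # count 3, complete True
```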
Note: This will not stop the full validation of the certificates during an SSL check – as long as all certificates have the TRUST status and are not expired. A CHKCERT CHAIN performed on a PKCS#12 package does not go through this validation, so the chain will be complete when performing a CHKCERT CHAIN against a DSN.