Why do we see the message "Chain is Incomplete" when we issue a CHKCERT CHAIN command under ACF2 R16?
We did not see this message on ACF2 R15.
At the end of the CHKCERT output is the following summary:
Chain Information:
Chain contains 2 certificates
Chain is INCOMPLETE
Chain contains common ring - XXXXX.RING
ACF2 R16 APAR RO95082 increased the validation of certificate chaining.
Part of the process was to check that each certauth being used to sign certificates in the chain
has validity dates that encompass the validity of the signed certificate.
There are 3 certificates in a chain of certauth certificates that sign a user certificate.
The root certauth certificate has validity dates of:
Not valid before: 2006/11/27 20:23:42 UTC
Not valid after: 2026/11/27 20:53:42 UTC
It signs an intermediate certificate with validity dates of:
Not valid before: 2014/09/22 17:14:57 UTC
Not valid after: 2024/09/23 01:31:53 UTC
This intermediate certificate signs another certauth with validity dates of:
Not valid before: 2014/10/22 17:05:14 UTC
Not valid after: 2024/10/23 07:33:22 UTC
As can be seen, the validity of the second certificate does not cover the full
validity period of the third certificate.
CERT2 expires on September 23 2024
CERT3 expires on October 23 2024
Therefore the CHKCERT CHAIN command will only show CERT3 as being a part of the chain.
The other two certificates will not be included in the chain.
Note: This will not stop the full validation of the certificates during an SSL check, as long as all three
certificates have the TRUST status.
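
The validity-date check described above can be reproduced with the dates from this article. The following is an added example, not ACF2 code: it models the rule as "the issuer's validity period must encompass the signed certificate's", and the label CERT1 for the root and the function names are assumptions made for illustration.

```python
from datetime import datetime, timezone

FMT = "%Y/%m/%d %H:%M:%S"

def utc(ts):
    """Parse a timestamp in the format CHKCERT prints (UTC)."""
    return datetime.strptime(ts, FMT).replace(tzinfo=timezone.utc)

# Validity periods quoted in the article, ordered from the lowest certauth
# up to the root. CERT2/CERT3 are the article's labels; CERT1 (root) is assumed.
CHAIN_UPWARD = [
    ("CERT3", utc("2014/10/22 17:05:14"), utc("2024/10/23 07:33:22")),
    ("CERT2", utc("2014/09/22 17:14:57"), utc("2024/09/23 01:31:53")),
    ("CERT1", utc("2006/11/27 20:23:42"), utc("2026/11/27 20:53:42")),
]

def covers(issuer, subject):
    """True when the issuer's validity period encompasses the subject's."""
    _, i_before, i_after = issuer
    _, s_before, s_after = subject
    return i_before <= s_before and i_after >= s_after

def walk_chain(chain_upward):
    """Walk from the lowest certificate toward the root.

    Returns (labels accepted into the chain, complete flag, reason).
    The walk stops at the first issuer that fails the date check.
    """
    accepted = [chain_upward[0][0]]
    for subject, issuer in zip(chain_upward, chain_upward[1:]):
        if not covers(issuer, subject):
            reason = (f"{issuer[0]} ({issuer[1]:{FMT}} to {issuer[2]:{FMT}}) "
                      f"does not encompass {subject[0]} "
                      f"({subject[1]:{FMT}} to {subject[2]:{FMT}})")
            return accepted, False, reason
        accepted.append(issuer[0])
    return accepted, True, "every issuer covers the certificate it signed"

if __name__ == "__main__":
    labels, complete, reason = walk_chain(CHAIN_UPWARD)
    print("Chain:", " -> ".join(labels))
    print("Chain is", "COMPLETE" if complete else "INCOMPLETE")
    print("Reason:", reason)
```

Run against the article's dates, the walk stops at CERT2, so only CERT3 is accepted into the chain. Extending CERT2's expiry to or past that of CERT3 lets the walk reach the root.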