Symptoms:
The message "Certificate for <HostName.mycompany.com/xxx.xxx.xxx.xx> is not trusted or bad certificate" appears in the Secure Proxy Server or Agent for SharePoint trace file.
Environment:
R12.52 SP1 Single Sign-On (fka SiteMinder) Access Control Gateway (fka Secure Proxy Server)
R12.52 SP1 Single Sign-On Agent for SharePoint 2010/2013
Cause:
The "Certificate for <HostName.mycompany.com/xxx.xxx.xxx.xx> is not trusted or bad certificate" message logged in the Agent trace file is a generic error: it is written whenever the Secure Proxy Server or Agent for SharePoint fails to establish the SSL connection to the back-end SSL-enabled Server, whatever the underlying reason.
The following are the most common causes of this error:
1.) The back-end Server Certificate presented is bad (for example, expired).
2.) The Root CA certificate (and any intermediate certificates) that signed the back-end Server Certificate are not in the ca-bundle.cert file, so the SPS/Agent for SharePoint cannot trust the certificate presented.
3.) There is an SSL Protocol mismatch between the SPS/Agent for SharePoint and the back-end SSL-enabled Server.
4.) There is an SSL Cipher mismatch between the SPS/Agent for SharePoint and the back-end SSL-enabled Server.
5.) The back-end Server Certificate is signed with SHA-2, and the Java Cryptography Extensions (JCE) patch has not been applied to the runtime version of Java.
Resolution:
1.) Obtain a valid, non-expired certificate and configure the environment to use the new certificate.
2.) Using a text editor, copy the base64 PEM encoded certificate for the Root CA certificate and every intermediate certificate in the chain that signed the back-end Server Certificate into the "ca-bundle.cert" file. Each certificate is pasted in full, from its BEGIN line through its END line inclusive; the PEM markers are exactly five hyphens on each side with no spaces:
-----BEGIN CERTIFICATE-----
through
-----END CERTIFICATE-----
3.) Verify that the Protocol versions defined in the "<sslparams>" section of the Server.conf file match a Protocol supported by the back-end Server.
e.g. versions="TLSv1"
For the R12.52 SP1 through R12.52 SP1 CR-02 Agents, only the "SSLv3" and "TLSv1" Protocols are supported.
The R12.52 SP1 CR-04 Agents support "TLSv1", "TLSv1.1", and "TLSv1.2".
4.) The Agents provide a default list of Ciphers in the "<sslparams>" section of the Server.conf file. Remove or add ciphers in this list to match your security requirements, and verify that the back-end Server supports at least one cipher in the list.
5.) Obtain the Java Cryptography Extensions Unlimited Strength Jurisdiction Policy patch from your Java vendor and apply it to the runtime Java.
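The edit in resolution step 2 is easy to get subtly wrong: markers retyped with the wrong number of hyphens or with spaces, stray whitespace inside the base64 body, a certificate pasted twice, or a private-key block dropped into the bundle by mistake. The following Python script is an added example written for this article, not CA tooling: it splits a ca-bundle.cert style file into PEM blocks and reports what is wrong with each. The SAMPLE_BUNDLE text is constructed; its base64 bodies wrap a five-byte DER SEQUENCE rather than real certificates, so the script checks only encoding and DER framing, not signatures or trust.

```python
import base64
import hashlib
import re

# Exact markers required by the PEM format (RFC 7468): five hyphens, no spaces.
PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Loose patterns so that mangled markers (extra hyphens, spaces, other labels
# such as "RSA PRIVATE KEY") are still recognised and reported, not skipped.
LOOSE_BEGIN = re.compile(r"^-+\s*BEGIN\s+(.*?)\s*-+$")
LOOSE_END = re.compile(r"^-+\s*END\s+(.*?)\s*-+$")


def inspect_bundle(text):
    """Split a ca-bundle.cert style text into blocks and check each one.

    Returns a list of dicts: index, status ("ok"/"error"), problems (list of
    strings) and, when the body decodes, der_length and sha256 (used to flag
    duplicate blocks). Only encoding and DER framing are checked, not signatures.
    """
    results = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        header = lines[i].strip()
        if not LOOSE_BEGIN.match(header):
            i += 1
            continue
        body, footer = [], None
        i += 1
        while i < len(lines):
            candidate = lines[i].strip()
            i += 1
            if LOOSE_END.match(candidate):
                footer = candidate
                break
            body.append(candidate)
        entry = {"index": len(results) + 1, "problems": []}
        if header != PEM_HEADER:
            entry["problems"].append("bad header %r (expected %r)" % (header, PEM_HEADER))
        if footer is None:
            entry["problems"].append("missing END CERTIFICATE line")
        elif footer != PEM_FOOTER:
            entry["problems"].append("bad footer %r (expected %r)" % (footer, PEM_FOOTER))
        der = b""
        if not body:
            entry["problems"].append("empty certificate body")
        else:
            try:
                der = base64.b64decode("".join(body), validate=True)
            except ValueError as exc:  # binascii.Error is a ValueError subclass
                entry["problems"].append("body is not valid base64: %s" % exc)
        if der:
            if der[0] != 0x30:
                entry["problems"].append("decoded data does not start with a DER SEQUENCE tag")
            entry["der_length"] = len(der)
            entry["sha256"] = hashlib.sha256(der).hexdigest()
        entry["status"] = "error" if entry["problems"] else "ok"
        results.append(entry)
    # A CA pasted twice is harmless to the loader but usually means the edit went wrong.
    first_seen = {}
    for entry in results:
        fp = entry.get("sha256")
        if fp is None:
            continue
        if fp in first_seen:
            entry["problems"].append("duplicate of block %d" % first_seen[fp])
            entry["status"] = "error"
        else:
            first_seen[fp] = entry["index"]
    return results


# Constructed sample. The base64 bodies are a five-byte DER SEQUENCE, not real
# certificates. Block 1 is well formed; block 2 uses the spaced six-hyphen
# markers that a hand-typed edit can produce; block 3 repeats block 1.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
------ BEGIN CERTIFICATE ------
MAMCAQI=
------ END CERTIFICATE ------
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
"""


def report(text):
    """Render inspect_bundle() output as one line per block."""
    lines = []
    for entry in inspect_bundle(text):
        detail = "; ".join(entry["problems"]) or "%d DER bytes" % entry["der_length"]
        lines.append("block %d: %s (%s)" % (entry["index"], entry["status"], detail))
    return lines


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BUNDLE
    print("\n".join(report(source)))
```

Run it with the path to the edited ca-bundle.cert as the only argument; with no argument it checks the constructed sample, reporting block 1 as ok, block 2 with bad header and footer markers, and block 3 as a duplicate of block 1. A clean report only means the file is well formed; whether the right CA chain is present is still confirmed by a handshake test against the back-end.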
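Telling cause 3 (protocol mismatch) from cause 4 (cipher mismatch) is the part of steps 3 and 4 that takes the most guesswork, because the trace file only carries the generic message. The following Python example is added for this article and is not part of the original or of the product: it pulls the versions and ciphers out of an "<sslparams>" section, works out which protocol version and cipher the agent and back-end would settle on, builds the openssl s_client command that pins a handshake to one version, and maps the OpenSSL error strings such a probe prints back to the cause numbers above. The versions="TLSv1" form is the one shown in step 3; the ciphers="..." attribute name, the comma-separated value format, the "back-end preference wins" cipher selection rule and the SAMPLE_SERVER_CONF text are assumptions.

```python
import re
import shlex

# Ordered from oldest to newest; used to pick the highest version both sides share.
VERSION_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3}

# openssl s_client flag that pins the handshake to one protocol version
# (-ssl3 is compiled out of most current OpenSSL builds).
OPENSSL_VERSION_FLAG = {"SSLv3": "-ssl3", "TLSv1": "-tls1", "TLSv1.1": "-tls1_1", "TLSv1.2": "-tls1_2"}

# Substrings of OpenSSL error text mapped to the cause numbers in this article.
# A handshake_failure alert is what a cipher mismatch normally produces; with a
# SHA-2 chain the JCE policy (cause 5) is worth checking as well.
ERROR_HINTS = (
    ("certificate verify failed", (1, 2), "back-end certificate invalid, or its CA chain missing from ca-bundle.cert"),
    ("unsupported protocol", (3,), "back-end rejects the protocol version the agent offers"),
    ("no protocols available", (3,), "no protocol version in common"),
    ("wrong version number", (3,), "protocol version mismatch"),
    ("protocol version", (3,), "back-end sent a protocol_version alert"),
    ("handshake failure", (4, 5), "no cipher suite in common (or JCE policy missing for a SHA-2 chain)"),
)


def _attr(section, name):
    """Read name="a,b,c" from a tag body and split it into a list (assumed format)."""
    m = re.search(r'\b%s="([^"]*)"' % re.escape(name), section)
    if not m:
        return []
    return [tok for tok in re.split(r"[,:\s]+", m.group(1)) if tok]


def parse_sslparams(server_conf):
    """Return {"versions": [...], "ciphers": [...]} from the <sslparams> section."""
    start = server_conf.find("<sslparams")
    if start < 0:
        raise ValueError("no <sslparams> section found")
    end = server_conf.find("</sslparams>", start)
    section = server_conf[start:end] if end >= 0 else server_conf[start:]
    return {"versions": _attr(section, "versions"), "ciphers": _attr(section, "ciphers")}


def negotiate(agent_versions, agent_ciphers, backend_versions, backend_ciphers):
    """Predict the handshake outcome; on failure name the article's cause number."""
    common = [v for v in agent_versions if v in backend_versions]
    if not common:
        return {"ok": False, "cause": 3,
                "detail": "agent offers %s but back-end accepts %s" % (agent_versions, backend_versions)}
    version = max(common, key=lambda v: VERSION_RANK.get(v, -1))
    for cipher in backend_ciphers:  # back-end preference order wins (assumed)
        if cipher in agent_ciphers:
            return {"ok": True, "version": version, "cipher": cipher}
    return {"ok": False, "cause": 4,
            "detail": "no cipher in common at %s: agent %s, back-end %s" % (version, agent_ciphers, backend_ciphers)}


def classify_handshake_error(message):
    """Map an openssl s_client error line to the likely cause numbers."""
    text = message.lower()
    for needle, causes, hint in ERROR_HINTS:
        if needle in text:
            return {"causes": causes, "hint": hint}
    return {"causes": (), "hint": "unrecognised; inspect the full openssl output"}


def probe_command(host, port, version, bundle_path, ciphers=None):
    """argv for an openssl s_client handshake pinned to one version, trusting only bundle_path."""
    argv = ["openssl", "s_client", "-connect", "%s:%d" % (host, port), "-servername", host,
            "-CAfile", bundle_path, OPENSSL_VERSION_FLAG[version]]
    if ciphers:
        argv += ["-cipher", ":".join(ciphers)]
    return argv


# Constructed server.conf fragment (attribute layout assumed, see lead-in).
SAMPLE_SERVER_CONF = """\
<sslparams versions="TLSv1" ciphers="AES128-SHA,DES-CBC3-SHA">
</sslparams>
"""

if __name__ == "__main__":
    cfg = parse_sslparams(SAMPLE_SERVER_CONF)
    # Constructed back-end capabilities, as a scanner or s_client run might report them.
    backend = {"versions": ["TLSv1.2"], "ciphers": ["ECDHE-RSA-AES256-GCM-SHA384", "AES128-SHA"]}
    print(negotiate(cfg["versions"], cfg["ciphers"], backend["versions"], backend["ciphers"]))
    print(" ".join(shlex.quote(a) for a in probe_command("backend.example.com", 443, "TLSv1.2", "ca-bundle.cert")))
    # Typical OpenSSL 1.1 error line for a chain the bundle cannot verify.
    print(classify_handshake_error("error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed"))
```

With the sample configuration the prediction is cause 3: the agent only offers TLSv1 while the back-end accepts only TLSv1.2, which is exactly the R12.52 SP1 CR-02 versus CR-04 situation described in step 3. Running the printed openssl command from the SPS host with the agent's bundle and version reproduces the handshake outside the product, and the last line of its output is what classify_handshake_error() is meant to read.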