Note: In this article, "SSL" is used to refer to both SSL & TLS.
SOAPam Client includes an SSL certificates file, CAROOT, which contains the certificates of the currently trusted root Certificate Authorities (CAs). When SOAPAMCP connects to a web service over an SSL connection, it verifies the server certificate against the certificates in the CAROOT file. If the server certificate cannot be verified using the certificates in the CAROOT file, the connection fails with an SSL certificate chain verification error. This may occur because:
- The CAROOT file is out of date and does not contain current entries for the server certificate issuer.
- The server certificate was issued by a private CA.
If the server certificate was issued by a private CA, the necessary certificates must be supplied in a local certificates file and the location of the file must be supplied to the SOAPAMCP process using the -sslcalocalfile option.
Creating the Local Certificates File
The local certificates file is a NonStop EDIT file (code 101) that contains one or more X.509 certificates in PEM format. A PEM format certificate consists of a header line, the base64 encoded certificate, and a footer line, for example:
-----BEGIN CERTIFICATE-----
... base64 encoded certificate ...
-----END CERTIFICATE-----
When the server certificate is issued by a private CA, the certificate delivery should include the certificates of any Root and Intermediate Certificate Authorities required to verify the server certificate. These certificates form a chain of trust linking the issuer of each certificate to the next, from the server certificate up to the private Root CA. In the example below, the server certificate was issued by an Intermediate CA, and the Intermediate CA certificate was issued by the Root CA.
The local certificates file must contain the Root CA certificate and any Intermediate CA certificates in the chain.
To create the local certificates file, create an EDIT file that contains the certificates provided by your private CA. Note that the certificates must appear in the file in the same order as the chain of trust, that is, each certificate is followed by the certificate of its issuer, ending with the Root CA certificate. You may also include comment lines, beginning with the '#' character, between certificates, for example:
# Let's Encrypt Authority X3 intermediate CA
-----BEGIN CERTIFICATE-----
... Intermediate CA certificate ...
-----END CERTIFICATE-----
# DST Root CA X3 root CA
-----BEGIN CERTIFICATE-----
... Root CA certificate ...
-----END CERTIFICATE-----
The certificates must be copied into the file exactly as provided by the private CA, with no modification to the headers, footers, or base64 encoded data. For convenience you may prepare the local certificates file using a desktop editor and transfer the file to the NonStop. Make sure the file is transferred using text mode so that it is created as a NonStop EDIT file.
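The following is an added example, not part of the SOAPam documentation, that checks a prepared local certificates file on the desktop before it is transferred to the NonStop. It applies the rules stated above: every certificate must be a complete PEM block with unmodified header, footer and base64 body, '#' comment lines may only appear between certificates, and the certificates must be in chain-of-trust order (each one issued by the next, the last one a self-signed root). The function names, the "Example Corp" CA names and the fake_cert_pem fixture builder are assumptions made for the example; the fixture produces unsigned certificate skeletons for testing the file format, not real certificates.

```python
import base64

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def parse_local_certs_file(text):
    """Split a local certificates file into DER certs; '#' comment lines are allowed
    only between certificates.  Any framing fault raises ValueError naming the line."""
    certs, body, start = [], None, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if body is None:                              # between certificates
            if not line or line.startswith("#"):
                continue
            if line != BEGIN:
                raise ValueError(f"line {lineno}: expected {BEGIN!r}")
            body, start = [], lineno
        elif line == END:                             # footer closes the block
            try:
                der = base64.b64decode("".join(body), validate=True)
            except ValueError as exc:                 # binascii.Error is a ValueError
                raise ValueError(f"line {start}: bad base64: {exc}") from exc
            if not der or der[0] != 0x30:             # Certificate ::= SEQUENCE
                raise ValueError(f"line {start}: payload is not a DER SEQUENCE")
            certs.append(der)
            body = None
        elif line.startswith("#") or line == BEGIN:   # stray text inside a block
            raise ValueError(f"line {lineno}: {line!r} inside block begun at line {start}")
        else:
            body.append(line)
    if body is not None:
        raise ValueError(f"line {start}: certificate has no {END!r} footer")
    return certs


def _tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return tag, buf[pos:pos + length], pos + length


def subject_and_issuer(der):
    """Return the raw DER Name values (subject, issuer) of one certificate."""
    _, cert, _ = _tlv(der, 0)                         # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                         # tbsCertificate ::= SEQUENCE
    fields, pos = [], 0
    while pos < len(tbs) and len(fields) < 6:
        tag, val, pos = _tlv(tbs, pos)
        fields.append((tag, val))
    if fields[0][0] == 0xA0:                          # optional [0] EXPLICIT version
        fields.pop(0)
    return fields[4][1], fields[2][1]                 # serial, sigalg, issuer, validity, subject


def chain_order_problems(certs):
    """Each certificate must be issued by the next one and the last one must be
    self-signed (the root).  Returns a list of problems; empty means the order is right."""
    names = [subject_and_issuer(c) for c in certs]
    problems = [f"certificate {i + 1} is not issued by certificate {i + 2}"
                for i, (_, issuer) in enumerate(names[:-1]) if issuer != names[i + 1][0]]
    if names and names[-1][0] != names[-1][1]:
        problems.append("last certificate is not self-signed; the root CA is missing")
    return problems


# Constructed fixtures (assumption): unsigned certificate skeletons, NOT real certificates.
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn):                                        # Name holding one commonName (2.5.4.3)
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x13, cn.encode()))
    return _der(0x30, _der(0x31, atv))


def fake_cert_pem(subject_cn, issuer_cn):
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),              # [0] version v3
        _der(0x02, b"\x01"),                          # serialNumber
        _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),  # sha256WithRSA
        _name(issuer_cn),
        _der(0x30, _der(0x17, b"240101000000Z") + _der(0x17, b"340101000000Z")),
        _name(subject_cn),
        _der(0x30, b""),                              # subjectPublicKeyInfo placeholder
    ]))
    der = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    b64 = base64.b64encode(der).decode("ascii")
    return "\n".join([BEGIN, *[b64[i:i + 64] for i in range(0, len(b64), 64)], END])


# Constructed sample of a local certificates file: intermediate first, then root.
SAMPLE_FILE = "\n".join([
    "# Example Corp Issuing CA (intermediate)",
    fake_cert_pem("Example Corp Issuing CA", "Example Corp Root CA"),
    "# Example Corp Root CA (root)",
    fake_cert_pem("Example Corp Root CA", "Example Corp Root CA"),
    "",
])
```

Run `parse_local_certs_file` on the text of the file you prepared with the desktop editor and then `chain_order_problems` on its result; an empty list means the framing and ordering rules above are met. The check reads only the issuer and subject names and does not verify signatures, so it cannot tell you the chain is cryptographically valid; on a workstation with OpenSSL, `openssl verify -CAfile <local file> <server certificate>` performs that verification. A file that passes both checks and is transferred in text mode is what SOAPAMCP expects from -sslcalocalfile.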