Failing to access IDR Web resources with certificate chain not verified symptoms
2 years ago
Article Number
000068078
Issue
IDR web resources are not accessible, and client requests fail with "certificate chain not verified" errors similar to the following (the exact text depends on the client used).
 
Caused by: javax.net.ssl.SSLException: Certificate not verified.
at com.rsa.sslj.x.aI.b(Unknown Source)
at com.rsa.sslj.x.aI.a(Unknown Source)
at com.rsa.sslj.x.aI.a(Unknown Source)
at com.rsa.sslj.x.aK.unwrap(Unknown Source)
at io.netty.handler.ssl.SslHandler$SslEngineType$3.unwrap(SslHandler.java:282)
at io.netty.handler.ssl.SslHandler.unwrap(SslHandler.java:1372)
at io.netty.handler.ssl.SslHandler.decodeJdkCompatible(SslHandler.java:1267)
... 33 more
Caused by: com.rsa.sslj.x.aL: Certificate not verified.
at com.rsa.sslj.x.bm.a(Unknown Source)
at com.rsa.sslj.x.bm.a(Unknown Source)
at com.rsa.sslj.x.bm.a(Unknown Source)
... 39 more
Caused by: java.security.cert.CertificateException: the certificate chain is not trusted, Could not validate path.
at com.rsa.sslj.x.cq.a(Unknown Source)
at com.rsa.sslj.x.cq.checkServerTrusted(Unknown Source)
at com.rsa.sslj.x.cq.checkServerTrusted(Unknown Source)
at com.rsa.sslj.x.aF.a(Unknown Source)

 
Cause

IDR v2.17 uses mod_ssl, which serves the certificate chain exactly as the administrator uploaded it on the Admin console -> Company Settings page, and therefore relies on the chain being uploaded in the correct order.

The expected order is the issuing CA of the server certificate first, followed by each certificate's own issuer in turn, up to the desired intermediate CA or the root CA. If the uploaded chain is not in that order (for example, root certificate first), clients that perform strict path validation, such as the Java client in the trace above, cannot build a trusted path and fail the SSL/TLS handshake, so the web resource is inaccessible. Browsers and other lenient clients may still connect because they reorder the presented certificates or fetch missing issuers themselves, so the misordering is easy to miss until a strict client is used.

 

Resolution
Resolution/Workaround:
1. To check whether the order is wrong, access the IDR portal or setup page, or run openssl s_client -connect <host>:443 -showcerts against the IDR, and verify that the certificate chain returned is ordered properly: the server certificate, then its issuing CA, then that CA's issuer, and so on.
2. If it is not, reorder the chain in any text editor. Start with the issuing CA certificate of the server certificate and keep appending each certificate's issuer until you reach the desired intermediate issuer or the root CA certificate.
3. Upload the reordered chain in the Admin console and Publish.
4. After publishing, re-verify the certificate chain by repeating step 1.
Workaround
Reconnect the AM with CAS via Security Console and disable the old legacy option via the Operations Console