My Oracle Support Banner Can't Verify Cert Error With New CA Certificate With Longer Validity (Doc ID 1945265.1)

Last updated on FEBRUARY 03, 2019

Applies to:

Oracle API Gateway - Version and later
Information in this document applies to any platform.


Some systems use certificates which are signed by a CA which is a subordinate CA of a Group Root CA II, org Group (
OEG has been configured with ROOT CA org Group Root CA II + org-cai (old expiring in 2016), which means that the certificates can be created with 2 years validity in this time.
A new CA certificate from org Group Root CA II to org-cai (new) was obtained; all works fine.

Because some client SSL certificates have to be provided for some business partners for mutual authentication,  the configuration of OEG must be extended by this new certificate CA org-cai.
Therefore, the new CA certificate org-cai has been added to cacerts and to OEG configuration.

This causes the SSL authentication to stop working.

The following is output seen in the trace:



To view full details, sign in with your My Oracle Support account.

Don't have a My Oracle Support account? Click to get started!

In this Document

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.