If you receive the following error in your WebSphere plugin log, you might have a misconfiguration within your SSL key and trust store setup.
[Thu Sep 08 13:48:31 2022] 00003dfc 00001aa8 – ERROR: lib_stream: openStream: Failed in r_gsk_secure_soc_init to p8ce.timetodemo.local:9443 : GSK_ERROR_BAD_CERT(gsk rc = 414) PARTNER CERTIFICATE: DN=[CN=p8ce.timetodemo.local,OU=Root Certificate,OU=p8ceNode01Cell,OU=p8ceNode01,O=IBM,C=US], Serial=[04:9b:6e:56:6b:2e:85]
[Thu Sep 08 13:48:31 2022] 00003dfc 00001aa8 – ERROR: Missing, invalid, or expired certificate in certificate chain for server p8ce.timetodemo.local:9443 GSKVAL_ERROR_NO_CHAIN_BUILT (575010)
[Thu Sep 08 13:48:31 2022] 00003dfc 00001aa8 – ERROR: Subject [[Class=]GSKVALMethod::X509[Issuer=]CN=p8ce.timetodemo.local,OU=Root Certificate,OU=p8ceNode01Cell,OU=p8ceNode01,O=IBM,C=US[#=]049b6e566b2e85[Subject=]CN=p8ce.timetodemo.local,OU=Root Certificate,OU=p8ceNode01Cell,OU=p8ceNode01,O=IBM,C=US[Class=]GSKVALMethod::PKIX[Issuer=]CN=p8ce.timetodemo.local,OU=Root Certificate,OU=p8ceNode01Cell,OU=p8ceNode01,O=IBM,C=US[#=]049b6e566b2e85[Subject=]CN=p8ce.timetodemo.local,OU=Root Certificate,OU=p8ceNode01Cell,OU=p8ceNode01,O=IBM,C=US] failed certificate validation
[Thu Sep 08 13:48:31 2022] 00003dfc 00001aa8 – ERROR: X509 Certificate validation log: [[Class=]GSKVALMethod::X509[Time=]2022:9:8:13:48:31.574[buildChain=][Error=]GSKVAL_ERR_NO_CHAIN_BUILT[Info=]CN=p8ce.timetodemo.local,OU=Root Certificate,OU=p8ceNode01Cell,OU=p8ceNode01,O=IBM,C=US[Cert=][Issuer=]CN=p8ce.timetodemo.local,OU=Root Certificate,OU=p8ceNode01Cell,OU=p8ceNode01,O=IBM,C=US[#=]049b6e566b2e85[Subject=]CN=p8ce.timetodemo.local,OU=Root Certificate,OU=p8ceNode01Cell,OU=p8ceNode01,O=IBM,C=US[=Cert][=buildChain]
[Class=]GSKVALMethod::PKIX[Time=]2022:9:8:13:48:31.574[buildChain=][Error=]GSKVAL_ERR_NO_CHAIN_BUILT[Info=]CN=p8ce.timetodemo.local,OU=Root Certificate,OU=p8ceNode01Cell,OU=p8ceNode01,O=IBM,C=US[Cert=][Issuer=]CN=p8ce.timetodemo.local,OU=Root Certificate,OU=p8ceNode01Cell,OU=p8ceNode01,O=IBM,C=US[#=]049b6e566b2e85[Subject=]CN=p8ce.timetodemo.local,OU=Root Certificate,OU=p8ceNode01Cell,OU=p8ceNode01,O=IBM,C=US[=Cert][=buildChain]
To solve this you need to check the SSL certificates within your plugin CMS keystore.
First you need to verify the personal certificate in the WebSphere keystore
Navigate to SSL certificate and key management > Key stores and certificates > NodeDefaultKeyStore > Personal certificates and verify the serial number of the signer certificate of the personal certificate.
Now navigate to the WebSphere truststore signer certificates and check the serial number of the root signer certificate to match the previous noticed one from the keystore.
SSL certificate and key management > Key stores and certificates > NodeDefaultTrustStore > Signer certificates > root
Export this as base64 encoded certificate.
Now navigate to the Plugin CMS keystore personal certificate.
SSL certificate and key management > Key stores and certificates > CMSKeyStore > Personal certificates
Check the serial number of the signer certificate to match that from the WebSphere truststore.
So the personal certificate in the CMSKeystore matches the personal certificate from WebSphere and have the same root signer.
Now navigate into the CMSKeystore signer certificates. Check if the root signer certificate does have the same serial number as the one from WebSphere truststore. If not that delete the current root signer certificate and import the one you previously exported.
SSL certificate and key management > Key stores and certificates > CMSKeyStore > Signer certificates > root
Now you need to copy the plugin CMSKeystore to the webserver directory.
Navigate to Web servers > www_p8ce > Plug-in properties and click on “Copy to Web server key store directory”
Restart your WebSphere instances and the HTTP server and the problem should be solved.