SecurID® Discussions

Browse the SecurID discussion board to get product help and collaborate with other SecurID users.

Securid SDK 8.2 Bad Certificate

Hi... we've SecurID 8.2 SP1 patch 7, SDK 8.2 SP1 for java, Tomcat 8, Java 1.8 an we did import  Securid CA certificate into tomcat kestore and set the parameter. So, we try connect our API, but the system return: Certificate not verified.

After debug catalina, the detailed error is:

Certificate validation failed with message: Parameters must be PKIXParameters or be CertPathWithOCSPParameters containing PKIXOParameters.


Can any some idea about them?




5 Replies

Hello  Rodrigo,


Make sure that you imported the root certificate not the server certificate inside tomcat keystore (check below steps)


  1. Launch Internet Explorer, and go to the following URL: https://server_name:7002. The Error 404 page appears.
  2. Right click anywhere on the Error 404 page and select Properties.
  3. In the Properties dialog box, click Certificates.
  4. In the Certificate dialog box, select the Certification Path tab.
  5. Click the top item in the certificate path.
  6. Click View Certificate.
  7. In the Certificate dialog box, click the Details tab.
  8. Click Copy to File.
  9. On the Certificate Export Wizard page, click Next.
  10. On the Export File Format page, select DER encoded binary X.509 (.CER), and click Next.
  11. On the File to Export page, click Browse.
  12. Browse to a location to store the root certificate, enter am_root.cer in the File name field, make sure that Save as type is DER Encoded Binary X.509(*.cer), and click Save.
  13. On the File to Export page, click Next.
  14. On the Completing the Certificate Export page, click Finish.
  15. Click OK.

If you are using SSL EJB connection, make sure you use the below Java system properties in the Java command line:


For SSL SOAP Connection, please check below:



Best regards.

Omar Allam

Hi Omar...


We did import the root certificate ( the debug show negotiation with them). And we change the java_opts to include (our app server is Tomcat).


Any idea?




Hello Rodrigo,


Run the below command from the location where you have the keystore to list the certificate and confirm that the certificate inside the keystore has the same fingerprint that on the AM root certificate.


keytool -list -keystore <XXX>.jks



Best regards.

Omar Allam

Trusted Contributor Trusted Contributor
Trusted Contributor

You might also run some tests starting the Tomcat server with "". Alternatively, you could limit the output by using "ssl:trustmanager" in place of "all".


Some other options are available in the JSSE Reference Guide - Debugging Utilities

Hello Piers...



I did it, and after reinstall java (no make changes into security

providers) this work now.



But the authentication API need changes into security providers.



Looks like incompatibility beeteewn FIPS and not FIPS.



Some one have this issue?