LightWave Solutions: TLS connections may fail when self-signed certificates are installed in the Intermediate Certificate store

Modified on Wed, 13 Dec 2023 at 07:55 AM

Summary

In both LightWave Client and LightWave Server, when a server certificate is imported with the option to import intermediate certificates selected, every certificate in the PKCS12 import file other than the server certificate is installed in the Intermediate Certificate store. If any of those certificates is self-signed, building the certificate chain that is returned to the client application during the TLS handshake can subsequently fail. The issue manifests as TLS errors in the client application when it tries to establish a connection to the LightWave Console or LightWave Server services.


The issue does not always occur and depends on the order of installation of the intermediate certificates.


For more information on using server certificates with LightWave solutions, see Using Server Certificates with LightWave Solutions.


Affected Versions

  • LightWave Server version 1.1.6 and earlier versions.
  • LightWave Client version 1.2.6 and earlier versions.


Fixed Versions

  • The fix for this issue is scheduled for the March 2024 maintenance release of the products.


Workaround

Two defects in LightWave combine to cause this issue:


  • The import process installs self-signed certificates into the Intermediate Certificate store, which it should not do.
  • The certificate chain build process stops prematurely when a self-signed certificate is encountered in the Intermediate Certificate store, so an incomplete certificate chain is returned to the client during the TLS handshake.


The workaround is to remove the self-signed certificates after the import process is completed. This can be done either from the Console or using LWSCOM or LWCCOM. An alternate workaround is to manually install the necessary intermediate certificates. 


A self-signed certificate is one in which the subject and issuer fields are identical. Self-signed certificates can be seen in the LightWave Server Console and in the output of the following LWSCOM command:


tacl> run lwscom info certificate *, detail


Any self-signed certificates found in the Intermediate Certificate store should be removed by deleting the certificate.


An alternate workaround is to not use the intermediate certificate import option when importing the PKCS12 file. Then extract the additional certificates from the PKCS12 file provided by your certificate authority and manually install the necessary intermediate certificates. Intermediate certificates are often provided as PEM files with the server certificate package or may be available for download from the certificate authority web site. Refer to the information provided by your certificate authority to determine which intermediate certificates should be installed. Manual installation of the intermediate certificates can be completed before installing the server certificate.

 

Note that self-signed "ROOT" certificates should not be manually installed as intermediate certificates. These certificates are typically installed on the client and are used for server certificate validation. This is true for any HTTP server using TLS.
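As an added example (not part of this article or of the LightWave products), the following POSIX shell script uses the openssl command-line tool to list the certificates in a PEM bundle or PKCS12 file and flag the self-signed ones, so they can be left out when intermediate certificates are installed manually. The PASS environment variable name and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the LightWave article or product. Lists the
# certificates in a PEM bundle and flags the self-signed ones (subject ==
# issuer) so they can be kept out of the Intermediate Certificate store.
# Assumes the openssl command-line tool is installed.

# Dump all certificates (no private key) from a PKCS12 file as PEM. The
# import password is read from the PASS environment variable (assumed name).
p12_certs_to_pem() {
  openssl pkcs12 -in "$1" -nokeys -passin "pass:${PASS:-}" 2>/dev/null
}

# Print one line per certificate in a PEM bundle: SELF-SIGNED or CHAINED,
# followed by the subject. Self-signed means subject and issuer are identical.
classify_certs() {
  pem="$1"
  n=$(grep -c 'BEGIN CERTIFICATE' "$pem")
  i=1
  while [ "$i" -le "$n" ]; do
    # Cut the i-th certificate out of the bundle.
    cert=$(awk -v want="$i" '
      /BEGIN CERTIFICATE/ { k++ }
      k == want { print }
      /END CERTIFICATE/ && k == want { exit }' "$pem")
    subj=$(printf '%s\n' "$cert" | openssl x509 -noout -subject | sed 's/^subject=//')
    iss=$(printf '%s\n' "$cert" | openssl x509 -noout -issuer | sed 's/^issuer=//')
    if [ "$subj" = "$iss" ]; then
      printf 'SELF-SIGNED %s\n' "$subj"
    else
      printf 'CHAINED     %s\n' "$subj"
    fi
    i=$((i + 1))
  done
}

# Only the self-signed entries: these must not be installed as intermediates.
self_signed_only() {
  classify_certs "$1" | grep '^SELF-SIGNED' || true
}

# Usage: sh check_certs.sh bundle.pem   or   PASS=secret sh check_certs.sh bundle.p12
if [ -n "${1:-}" ]; then
  case "$1" in
    *.p12|*.pfx) tmp=$(mktemp); p12_certs_to_pem "$1" > "$tmp"
                 classify_certs "$tmp"; rm -f "$tmp" ;;
    *) classify_certs "$1" ;;
  esac
fi
```

Every certificate reported as SELF-SIGNED is a root, not an intermediate, and belongs in the client's trust store rather than in the server's Intermediate Certificate store.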












