I'm trying to set up message exchange with PEPPOL. I got an SSL certificate from them and imported it into my AS4 connector, but when I send messages from their test server I get this error:
[Security verification] A wrong certificate is defined in the settings to verify the signature from peppol_test. The right certificate is not yet in the sign/encryption keystore, please import it.A problem occured during processing of inbound AS4 data (Module Processing, FailedAuthentication: EBMS:0101 [ [The inbound message is signed with the wrong certificate. The system expected the certificate with SHA1 fingerprint C1:CB:C9:1C:97:34:85:6C:86:10:62:CB:51:43:A1:8F:FA:B5:E3:AE but found a signature of a certificate with SHA1 fingerprint 0C:E9:91:D0:CE:61:7B:4F:01:AC:BA:06:AB:1D:CE:90:CF:FD:96:12]])
C1:CB:C9:1C:97:34:85:6C:86:10:62:CB:51:43:A1:8F:FA:B5:E3:AE is the certificate that I got from PEPPOL and imported into my AS4 connector.
0C:E9:91:D0:CE:61:7B:4F:01:AC:BA:06:AB:1D:CE:90:CF:FD:96:12 I don't know, and I don't have this certificate((((
When I asked their support about this error, they gave me this answer:
In Peppol we use the concept of a PKI (Private Key Infrastructure) to establish common trust in the network. We trust all PEPPOL AP/SMP certificates issued by the defined PKI. This is also how your AS4 software must be configured.
When the TestBed sends to you, two certificates are involved in the process, let’s call them:
Corner2 certificate: The certificate of the sending Access Point (AP), in this case the Testbed.
Corner3 certificate: The certificate of the receiving AP, in this case you.
The TestBed, acting as Corner2 in this scenario (sending AP), will use your Corner3-certificate to encrypt the transaction, and will use its own Corner2-certificate to sign the transaction.
When you receive the transaction your software must be able to decrypt the transactions (using your own private key of the Corner3-certificate which you have available). And you also need to verify the signature of the sending Corner2-certificate. The Corner2-certificate must be resolved dynamically from the transaction, it is there in the payload, but you need to extract it. Then verify that the signature matches and also verify that the certificate is part of the agreed PKI.
The above concept is a bit different from regular AS4 connections, that historically have in many cases been set up on a point to point basis in a hardcoded fashion. Peppol is a dynamic network, you connect once and you are able to exchange transactions with anyone else on the network.
The most important part of this answer is "The Corner2-certificate must be resolved dynamically from the transaction, it is there in the payload, but you need to extract it. Then verify that the signature matches and also verify that the certificate is part of the agreed PKI." But I don't know how to configure this in Mendelson AS4.
Can anybody help me resolve this problem?
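
The check the support answer describes, done by hand with the openssl command line. This is an added example, not part of the original post and not Mendelson configuration. It assumes the SOAP part of the received message is saved to a file, that the sender's certificate is carried in a BinarySecurityToken element, and that the PKI's CA certificates are in a PEM bundle; every file name and all sample data are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the sending AP's certificate
# is carried base64-encoded in a BinarySecurityToken element of the SOAP header.

# Write the certificate embedded in SOAP file $1 to PEM file $2.
extract_signing_cert() {
  token=$(tr -d ' \t\r\n' < "$1" |
    sed -n 's|.*BinarySecurityToken[^>]*>\([A-Za-z0-9+/=]\{1,\}\)<.*|\1|p')
  [ -n "$token" ] || { echo "no BinarySecurityToken in $1" >&2; return 1; }
  { echo "-----BEGIN CERTIFICATE-----"
    printf '%s\n' "$token" | fold -w 64
    echo "-----END CERTIFICATE-----"; } > "$2"
}

# SHA-1 fingerprint of PEM file $1, in the colon-separated form the connector logs.
cert_sha1() { openssl x509 -in "$1" -noout -fingerprint -sha1 | cut -d= -f2; }

# Succeeds only if certificate $2 chains to a CA in bundle $1 (system CAs ignored).
issued_by_pki() { openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; }

# Build constructed sample data in directory $1: a demo PKI CA, an unrelated CA,
# a sender certificate issued by the demo PKI CA, and a minimal header fragment.
make_demo() {
  for ca in pki other; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=constructed-$ca-ca" \
      -keyout "$1/$ca.key" -out "$1/$ca.pem" 2>/dev/null || return 1
  done
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=constructed-sending-ap" \
    -keyout "$1/ap.key" -out "$1/ap.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$1/ap.csr" -CA "$1/pki.pem" -CAkey "$1/pki.key" \
    -CAcreateserial -days 1 -out "$1/ap.pem" 2>/dev/null || return 1
  b64=$(grep -v -e '-----' "$1/ap.pem" | tr -d '\n')
  cat > "$1/msg.xml" <<EOF
<S12:Header><wsse:Security>
  <wsse:BinarySecurityToken wsu:Id="constructed-token">$b64</wsse:BinarySecurityToken>
</wsse:Security></S12:Header>
EOF
}

if [ "${1:-}" = "--demo" ]; then
  d=$(mktemp -d) && make_demo "$d" && extract_signing_cert "$d/msg.xml" "$d/found.pem" &&
    echo "certificate in message: $(cert_sha1 "$d/found.pem")" &&
    issued_by_pki "$d/pki.pem" "$d/found.pem" && echo "issued by the constructed PKI"
fi
```

Run against a real inbound message, `cert_sha1` should print the "found" fingerprint from the connector's error, and `issued_by_pki` shows whether that certificate chains to the CA bundle supplied.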