"PMWS_33016 Web Service invoker encountered an error while invoking the Web Service: SSL certificate problem, verify that the CA cert is OK" running a PowerExchange for Web Services session
Problem Description

The following error occurs when running a PowerCenter session with a Web Services Consumer source or transformation:

[PMWS_33016] [ERROR] Web Service invoker encountered an error while invoking the Web Service. Reason: SSL certificate problem, verify that the CA cert is OK. Details:
error: 14090086: SSL routines: SSL3_GET_SERVER_CERTIFICATE: certificate verify failed


The session may also fail with this error:

Reason: Unknown SSL protocol error in connection

This issue occurs because of changes made to the certificate options in PowerExchange for Web Services.
All authentication certificates issued by major trusted certificate authorities (such as Verisign) are stored in the ca-bundle.crt file.

If the certificate bundle does not contain a certificate from a Certificate Authority that the Web Service Provider uses, you can convert the certificate of the Web Service Provider to PEM format and append it to the ca-bundle.crt file.
The private key for a client certificate must be in PEM format.


To add a certificate to the trust certificates file, do the following:

  1. Use Internet Explorer or any other browser to locate the certificate and create a copy:
    1. Go to the target URL using HTTPS (the same HTTPS URL that you use in the mapping/session).
    2. Double-click the padlock icon in the status bar of Internet Explorer.
    3. In the Certificate dialog box, click the Details tab.
    4. Choose All from the list.
    5. Click Copy to File.
    6. Use the Certificate Export Wizard to copy the certificate in DER format.

  2. Convert the certificate from DER to PEM format. You can use the following openssl command for the conversion. The download link for OpenSSL is in the Reference section of this KB article.


    openssl x509 -in server.der -inform DER -out server.pem -outform PEM

  3. Append the PEM certificate file to the certificate bundle, ca-bundle.crt. This file is located in <PowerCenter Install Folder>/server/bin. Edit the ca-bundle.crt file in any text editor, such as Notepad, and add the certificate contents along with the label PEM Data:

    The label PEM Data: must be included for every certificate that you append. Check the existing ca-bundle.crt file for the format.


    PEM Data:
    -----END CERTIFICATE-----

Web Services with a Chain of Certificates

If the secure Web Service contains a chain of trusted certificates, then it is necessary to add each certificate in the chain to the trusted certificates file up to the ROOT.
Repeat steps 1-3 above for every certificate in the chain.


In the following example, the steps need to be repeated for the UTN root certificate and the Network Solutions CA certificate:

More Information

You can append data for multiple authentication certificates in the same ca-bundle.crt file which is present in the <PowerCenter Install Folder>/server/bin directory.


In some cases, the session might fail with "Reason: Unknown SSL protocol error in connection" even after updating the certificates from the browser. To resolve such errors, regenerate the certificate data by running the following OpenSSL command:


    openssl s_client -connect host:port -showcerts > certinfo.txt

Edit certinfo.txt and copy each certificate block, from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE-----, and append the text to ca-bundle.crt with the PEM Data: label.
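
The copy-and-append step above can be scripted. The following Python sketch is an added example, not Informatica tooling: it extracts every certificate block from saved s_client -showcerts output, skips blocks the bundle already contains, appends the rest under the PEM Data: label, and returns their SHA-256 fingerprints so they can be compared with the values the Web Service provider publishes before the bundle is saved. The function names and sample data are assumptions; the sample blocks are constructed placeholder bytes, not real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def to_pem(der):
    """Encode DER bytes as a PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode()
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *body,
                      "-----END CERTIFICATE-----"])

def extract_certs(text):
    """Return the DER bytes of every certificate block found in text."""
    ders = []
    for match in PEM_RE.finditer(text):
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
        if not der.startswith(b"\x30"):  # X.509 DER starts with an ASN.1 SEQUENCE
            raise ValueError("certificate block does not decode to DER")
        ders.append(der)
    return ders

def fingerprint(der):
    """SHA-256 over the DER encoding, for comparison with the provider's value."""
    return hashlib.sha256(der).hexdigest()

def append_missing(bundle_text, showcerts_text):
    """Return (updated bundle text, fingerprints of the certificates added)."""
    have = {fingerprint(d) for d in extract_certs(bundle_text)}
    out, added = bundle_text.rstrip("\n") + "\n", []
    for der in extract_certs(showcerts_text):
        fp = fingerprint(der)
        if fp not in have:  # skip certificates the bundle already contains
            have.add(fp)
            out += "\nPEM Data:\n" + to_pem(der) + "\n"
            added.append(fp)
    return out, added

# Constructed placeholder bytes, not real certificates, so the example runs offline.
LEAF, ROOT = (b"\x30\x82\x00\x40" + bytes([n]) * 64 for n in (1, 2))
SHOWCERTS = ("Certificate chain\n 0 s:CN=ws.example.test\n" + to_pem(LEAF) +
             "\n 1 s:CN=Example Root\n" + to_pem(ROOT) + "\n---\n")
BUNDLE = "PEM Data:\n" + to_pem(ROOT) + "\n"

if __name__ == "__main__":
    updated, added = append_missing(BUNDLE, SHOWCERTS)
    print("fingerprints to review before saving:", added)
```
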
Applies To
Product: PowerCenter; PowerExchange
User Type: Administrator; Developer
Product Version: PowerExchange for Web Services 8.6; PowerExchange for Web Services 8.6.1; PowerExchange for Web Services 9.0; PowerExchange for Web Services 9.0.1; PowerExchange for Web Services 9.1


For more details on Certificates, refer to Chapter 2 of the PowerExchange for Web Services User and Administrator Guide.

OpenSSL for Windows can be downloaded from:

The file to download and execute is: Complete package, except sources - Setup

For more information about adding certificates to the ca-bundle.crt file, see the curl documentation at:

CR 98205

Last Modified Date: 4/22/2015 10:32 PM
ID: 18153