Hi Bob,
The fact that it is indicating 100% decode failures most likely means it's the wrong server key or an unsupported cipher suite. We don't support traffic encrypted using Diffie-Hellman.
Two things you can do are:
1. Run modulus on the actual server certificate (by logging in to the web server box) and compare it to the output of the modulus on the CEM PEM certificate to confirm that it matches. If they don't, then most likely you have the wrong server key converted to PEM.
For example:
Run openssl on the server certificate using the command
C:\tmp>c:\cygwin\bin\openssl x509 -noout -modulus -in <server.crt>
Modulus=F2A583ECF07FED008EB5A29FE5A02A82C14B4B39A00A6027C350074DAB7C97580F7D
ACCB
F00CD0573D7874B4080B23BA1D2246A2A2D063D287B283DE8D273CC05979EA759102A1713EE7
8F14
192F4BDB06652E9379192DAF41F2C48A862C88E9FE8E844C9D92FE5AD1E48096C6D7A56401BF
D2D1
FE517242E71100E053E9169BD94815DED9CB3DC8F3526903EB4A9C955BF1236CCB7F6958E9A6
B641
BF2BE6543D1DB96DCD5CC725EBDE2A12CDC02AEA78FC855AB75DECE8808CB6540752033BCF72
64C6
531700A0238F77F4A87512BB92AA5A3A7C75C21BDDEC1DBA511860C2C4A8F875B30768238676
62B4
9FDB6D72E78C1D732800C29A53A2A09558EDF199
Run openssl on the certificate uploaded to the UI
C:\tmp>c:\cygwin\bin\openssl x509 -noout -modulus -in <cem PEM crt>
Modulus=B621595645165751B7A8E4A40797029B4F1234B22B4FB932E66EAAC9495B28BA4E0C
B4CF
05B531BC9A4AD6495DF5DA2A47F7526BF747395432C32CA92A58A73067CEBA25417C5F54A4C2
0097
C77B2BEBB1AA0F8694DA9E0CDD2FA246BB65EA8A80FD10DC901017C7B3B17B1BD302EC1DE9A7
23F2
E1BAB541688859D092467342670BDEB9F02A703743076DA6159CDE52C712DB66EDBF968AEB62
A3E5
472D5286DA26ED018091E6AA77AE97740797B5366EB55898C90E2DC60D6962D815DEA678AF43
E629
2D1374C9C96DCEE23B722A01BFB1E651B150A79A681FCB0943602FD39B60B19E7100F31813C0
F4F6
C1C013D4E509D4B1EDE2D0FE29A2919908E7FC4B
If there is a mismatch as indicated above, it's the wrong KEY.
2. Dump the cipher traffic used by the application and see if it uses a DHE cipher.
You can use
http://www.serversniff.net/sslcheck.php to check the default cipher
3. Enable the SSL Errors/connections from the TIM trace options in the TIM setup page, and check for any SSL errors in the TIM logs.
Regards
Vijay
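
The modulus comparison from step 1 and the DHE check from step 2, scripted as an added example that is not part of the original post. The helper names (`modulus_digest`, `same_modulus`, `uses_ephemeral_dh`, `make_sample_pair`) are hypothetical, the certificates are throwaway ones generated on the spot, and it goes slightly beyond the post by hashing the modulus for easier comparison and by also accepting an unencrypted PEM private key via `openssl rsa`.

```bash
#!/usr/bin/env bash
# Added example: compare the RSA modulus of two PEM files, and spot (EC)DHE suites.

# Print the SHA-256 digest of the RSA modulus of a PEM certificate or
# unencrypted PEM private key; return 2 if the file is neither.
modulus_digest() {
    local mod
    mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) ||
        mod=$(openssl rsa -noout -modulus -in "$1" 2>/dev/null) || return 2
    printf '%s' "$mod" | openssl dgst -sha256 | awk '{print $NF}'
}

# Return 0 when both files carry the same modulus, 1 on mismatch, 2 on error.
same_modulus() {
    local a b
    a=$(modulus_digest "$1") || return 2
    b=$(modulus_digest "$2") || return 2
    [ "$a" = "$b" ]
}

# Return 0 when a cipher suite name uses ephemeral Diffie-Hellman key exchange
# (DHE-*, ECDHE-*, legacy EDH-*, or IANA TLS_DHE_*/TLS_ECDHE_* names).
uses_ephemeral_dh() {
    case $1 in
        *DHE*|EDH-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample input: a throwaway self-signed certificate and key.
make_sample_pair() {   # $1 = output prefix
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

demo() {
    local dir; dir=$(mktemp -d) || return 2
    make_sample_pair "$dir/web" && make_sample_pair "$dir/other" || return 2
    same_modulus "$dir/web.crt" "$dir/web.key"   && echo "web.crt / web.key: match"
    same_modulus "$dir/web.crt" "$dir/other.key" || echo "web.crt / other.key: MISMATCH"
    uses_ephemeral_dh "DHE-RSA-AES256-SHA" && echo "DHE-RSA-AES256-SHA: ephemeral DH"
    uses_ephemeral_dh "AES256-SHA" || echo "AES256-SHA: RSA key exchange"
    rm -rf "$dir"
}
demo
```

Comparing digests instead of the raw `Modulus=` lines avoids mistakes when the hex output wraps in the console.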