ACE SSL - bad certificate message

Answered Question
Jul 10th, 2008

hello guys,

I have a basic www/https LB configuration on the ACE. In my lab it was all working. Now, in production, I have a problem with the https connection. In the sniffer output I can see this after the 3-way handshake:


SSLv3: Alert (Level: Fatal, description: Bad certificate)


What does it mean? I think my SSL chain is correct (it's a certificate for the service and a root certificate). How can I verify the certification chain (analogous to the CSM module)?


thanks,

martin

Roble Mumin Fri, 07/11/2008 - 09:06

If I recall correctly, you verify a cert with...


crypto verify


in enable mode.


I don't have an ACE here right now so I can't check. But give it a try.


Roble

Martin Kyrc Sun, 07/13/2008 - 21:32

Yes, with 'crypto verify ...' it's possible to verify a certificate and key pair. But how is it possible to verify the full certification chain (ca-root-cert, ca-cert, service-cert)?


The problem is solved - there really was a bad certificate (but cert/key matched).

Correct Answer
ciscocsoc Mon, 07/14/2008 - 00:37

Hi,


The openssl code has a verify function which will check a certificate against a chain. The chain needs to be a concatenation of PEM-format certificates and your certificate also needs to be in PEM format. See http://www.openssl.org/docs/apps/verify.html


Example:


C:\ACE\WIP\Myfiles>c:\openssl\bin\openssl verify -CAfile chain.pem cert_1250577575.pem

cert_1250577575.pem: OK


Openssl also provides for changing the format if necessary.


HTH


Cathy


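Worked example added by the editor, not part of the thread: a small POSIX shell script that builds a throwaway root -> issuing CA -> service certificate chain with openssl and then runs the checks this thread asks about. verify_chain is Cathy's method, openssl verify -CAfile against the concatenated PEM chain file. verify_strict is the form a practitioner usually wants in production: only the root goes into -CAfile and the issuing CA is supplied with -untrusted, so the issuing CA is not itself treated as a trust anchor and must chain to the root. cert_matches_key compares the public key inside the certificate with the one derived from the private key, which is the openssl-side equivalent of the cert/key pairing check Martin describes for 'crypto verify'. The script assumes openssl is on PATH; the CA names, the hostname www.example.com and all file names are invented for the demo.

```sh
#!/bin/sh
# Editor-added example, not from the thread. Builds a throwaway PKI
# (root CA -> issuing CA -> service cert) and runs the three checks discussed:
#   verify_chain      openssl verify -CAfile <concatenated PEM chain>  (Cathy's method)
#   verify_strict     trust only the root, pass the issuing CA with -untrusted
#   cert_matches_key  does the private key belong to the certificate?
# Assumes openssl on PATH. All names and file names are invented for the demo.
set -eu

# Minimal config so the demo does not depend on the system openssl.cnf.
write_cnf() {
    cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ srv_ext ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
EOF
}

make_test_pki() {   # $1 = directory to populate
    dir=$1; cnf="$dir/openssl.cnf"
    write_cnf "$cnf"
    # Self-signed root CA.
    openssl req -x509 -config "$cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
        -keyout "$dir/root.key" -out "$dir/root.pem" -days 3650 \
        -subj "/CN=Example Root CA" 2>/dev/null
    # Issuing (intermediate) CA, signed by the root.
    openssl req -new -config "$cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/inter.key" -out "$dir/inter.csr" \
        -subj "/CN=Example Issuing CA" 2>/dev/null
    openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 1825 -extfile "$cnf" -extensions ca_ext \
        -out "$dir/inter.pem" 2>/dev/null
    # Service certificate, signed by the issuing CA.
    openssl req -new -config "$cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/service.key" -out "$dir/service.csr" \
        -subj "/CN=www.example.com" 2>/dev/null
    openssl x509 -req -in "$dir/service.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
        -CAcreateserial -days 365 -extfile "$cnf" -extensions srv_ext \
        -out "$dir/service.pem" 2>/dev/null
    # An unrelated key, to show what a cert/key mismatch looks like.
    openssl genrsa -out "$dir/other.key" 2048 2>/dev/null
    # The chain file Cathy describes: PEM certificates simply concatenated,
    # issuing CA first, root last.
    cat "$dir/inter.pem" "$dir/root.pem" > "$dir/chain.pem"
}

# Cathy's check: every certificate in -CAfile is treated as trusted.
# Succeeds (exit 0) only when openssl reports "<cert>: OK".
verify_chain() {    # $1 = certificate, $2 = chain file
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Stricter form: only the root is a trust anchor; the issuing CA is merely available
# and must itself verify up to the root.
verify_strict() {   # $1 = certificate, $2 = issuing CA file, $3 = root file
    openssl verify -CAfile "$3" -untrusted "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Cert/key pairing: the public key inside the certificate must equal the public
# key derived from the private key (works for RSA and EC keys alike).
cert_matches_key() {    # $1 = certificate, $2 = private key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

demo() {
    d=$(mktemp -d)
    make_test_pki "$d"
    if verify_chain "$d/service.pem" "$d/chain.pem"; then echo "full chain:  OK"; fi
    # Root only, issuing CA missing: the classic incomplete-chain failure.
    if verify_chain "$d/service.pem" "$d/root.pem"; then echo "root only:   OK (unexpected)"
    else echo "root only:   FAIL, as expected (issuer of service cert not found)"; fi
    if verify_strict "$d/service.pem" "$d/inter.pem" "$d/root.pem"; then echo "strict:      OK"; fi
    if cert_matches_key "$d/service.pem" "$d/service.key"; then echo "service.key: matches"; fi
    if cert_matches_key "$d/service.pem" "$d/other.key"; then echo "other.key:   matches (unexpected)"
    else echo "other.key:   does not match"; fi
    rm -rf "$d"
}
demo
```

Run as-is and the full chain and the strict check pass, the root-only check fails because the service certificate's issuer cannot be found, service.key matches and other.key does not. On a real ACE export, point verify_chain at the exported service certificate and a chain.pem built the same way (issuing CA first, root last, all PEM); a failure here, with the cert/key pairing check passing, is the split Martin describes in this thread.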

Martin Kyrc Wed, 07/16/2008 - 01:15

Yes, of course. OpenSSL has this possibility, ACE hasn't (CSM has this possibility; maybe it comes to ACE in new releases also).


thanks,

martin
