07-10-2008 05:49 AM
Hello guys,
I have a basic www/https LB configuration on the ACE. In my lab it was all working. Now, in production, I have a problem with the https connection. In the sniffer output I can see this after the 3-way handshake:
SSLv3: Alert (Level: Fatal, description: Bad certificate)
What does it mean? I think my SSL chain is correct (it's a certificate for the service and a root certificate) - how can I verify the certification chain? (analogous to the CSM module).
thanks,
martin
07-14-2008 12:37 AM
Hi,
The openssl code has a verify function which will check a certificate against a chain. The chain needs to be a concatenation of PEM format certificates, and your certificate also needs to be in PEM format. See http://www.openssl.org/docs/apps/verify.html
Example:
C:\ACE\WIP\Myfiles>c:\openssl\bin\openssl verify -CAfile chain.pem cert_1250577575.pem
cert_1250577575.pem: OK
OpenSSL also provides for changing the format if necessary.
HTH
Cathy
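As an added example (not part of the thread, and not Cisco or OpenSSL project code), the script below builds a constructed root, intermediate and service certificate and runs the same `openssl verify -CAfile` check. It shows that a certificate can match its key and still fail chain verification when the intermediate is missing from the bundle. The names `lab-root`, `lab-inter`, `lab-svc` and the helper functions are made up for the example.

```shell
#!/bin/sh
# Constructed lab PKI: lab-root -> lab-inter -> lab-svc (all names are made up).

build_lab_pki() (          # subshell body, so the cd does not leak to the caller
    mkdir -p "$1" && cd "$1" || exit 1
    echo 'basicConstraints=critical,CA:TRUE' > ca.ext   # marks root/intermediate as CAs
    for n in root inter svc; do
        openssl req -new -newkey rsa:2048 -nodes -keyout $n.key -out $n.csr \
            -subj "/CN=lab-$n" 2>/dev/null || exit 1
    done
    # Self-signed root, intermediate signed by root, service cert signed by intermediate.
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
        -days 30 -out root.pem 2>/dev/null &&
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -extfile ca.ext -days 30 -out inter.pem 2>/dev/null &&
    openssl x509 -req -in svc.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
        -days 30 -out svc.pem 2>/dev/null &&
    # The chain file is a plain concatenation of PEM certificates.
    cat inter.pem root.pem > chain.pem
)

key_matches() {            # $1 = certificate, $2 = private key: same public key?
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = \
      "$(openssl pkey -in "$2" -pubout 2>/dev/null)" ]
}

verify_chain() {           # $1 = CA bundle, $2 = certificate; true only on "<file>: OK"
    # Every certificate in the -CAfile bundle is treated as trusted.
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

d=$(mktemp -d) && build_lab_pki "$d" || exit 1

key_matches  "$d/svc.pem"   "$d/svc.key" && echo "cert/key pair: match"
verify_chain "$d/chain.pem" "$d/svc.pem" && echo "full chain (inter + root): OK"
verify_chain "$d/root.pem"  "$d/svc.pem" || echo "root only: FAILED, intermediate missing"
```
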
07-11-2008 09:06 AM
If I recall correctly, you verify a cert with...
crypto verify
in enable mode.
I don't have an ACE here right now, so I can't check. But give it a try.
Roble
07-13-2008 09:32 PM
Yes, with 'crypto verify ...' it's possible to verify a certificate and key pair. But how is it possible to verify the full certification chain (ca-root-cert, ca-cert, service-cert)?
The problem is solved - there really was a bad certificate (but cert/key matched).
07-16-2008 01:15 AM
Yes, of course. OpenSSL has this capability, the ACE doesn't (the CSM has it; maybe it will come to the ACE in new releases too).
Thanks,
martin