ACE SSL - bad certificate message

Martin Kyrc
Level 3

hello guys,

I have a basic www/https LB configuration on the ACE. In my lab everything was working. Now, in production, I have a problem with the https connection. In the sniffer output I can see this after the 3-way handshake:

SSLv3: Alert (Level: Fatal, description: Bad certificate)

What does it mean? I think my SSL chain is correct (it's a certificate for the service and the root certificate). How can I verify the certification chain? (analogous to the CSM module)

thanks,

martin

Accepted Solution

Hi,

The openssl code has a verify function which will check a certificate against a chain. The chain needs to be a concatenation of PEM format certificates and your certificate also needs to be in PEM format. See http://www.openssl.org/docs/apps/verify.html

Example:

C:\ACE\WIP\Myfiles>c:\openssl\bin\openssl verify -CAfile chain.pem cert_1250577575.pem

cert_1250577575.pem: OK

Openssl also provides for changing the format if necessary.

HTH

Cathy
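The verify step Cathy describes, worked end to end as an added example (this is not Cathy's script, nor anything from Cisco or the ACE): it builds a throwaway root, intermediate and server certificate with the openssl CLI, concatenates the two CA certificates into chain.pem the way the answer says, and then runs `openssl verify -CAfile chain.pem` twice, once with the complete chain and once with the intermediate left out, so you can see what the "OK" verdict looks like next to the failure. It also shows the narrower cert/key match check, which is all a pair check like the ACE's `crypto verify` tells you. It assumes an openssl 1.1.1 or newer binary on PATH; every name, path and serial number is constructed for the demo.

```shell
#!/bin/sh
# Added example for this thread (not Cathy's or Cisco's code): build a throwaway
# root -> intermediate -> server chain with openssl, concatenate the CA certificates
# into chain.pem as the accepted answer describes, and compare what `openssl verify`
# reports for a complete chain versus a chain with the intermediate missing.
# All names, file paths and serial numbers below are constructed for the demo.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
cat > "$WORK/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_intermediate ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_server ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

# Issue one PEM certificate: $1 = name, $2 = extension section in demo.cnf,
# $3 = serial number, $4 = issuer name ("self" for the self-signed root).
issue_cert() {
  name=$1; ext=$2; serial=$3; issuer=$4
  openssl genrsa -out "$WORK/$name.key" 2048 2>/dev/null
  if [ "$issuer" = self ]; then
    openssl req -new -x509 -key "$WORK/$name.key" -subj "/CN=Demo $name" \
      -days 30 -sha256 -config "$WORK/demo.cnf" -extensions "$ext" \
      -out "$WORK/$name.pem" 2>/dev/null
  else
    openssl req -new -key "$WORK/$name.key" -subj "/CN=Demo $name" \
      -config "$WORK/demo.cnf" -out "$WORK/$name.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.pem" \
      -CAkey "$WORK/$issuer.key" -set_serial "$serial" -days 30 -sha256 \
      -extfile "$WORK/demo.cnf" -extensions "$ext" -out "$WORK/$name.pem" 2>/dev/null
  fi
}

# Build the demo PKI and the concatenated chain file (intermediate first, root last),
# which is the "concatenation of PEM format certificates" the answer asks for.
build_demo_pki() {
  issue_cert root v3_ca 1 self
  issue_cert intermediate v3_intermediate 2 root
  issue_cert server v3_server 3 intermediate
  cat "$WORK/intermediate.pem" "$WORK/root.pem" > "$WORK/chain.pem"
}

# The pair check (what `crypto verify` on the ACE covers): does the public key in
# the certificate ($1) match the private key ($2)? Returns 0 on match, 1 otherwise.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# The chain check the thread was missing on the ACE: $1 = CA bundle, $2 = leaf.
# Prints openssl's verdict; exit status is openssl's (0 means the chain is valid).
# -no-CApath/-no-CAfile keep the system trust store out of the result.
verify_chain() {
  openssl verify -no-CApath -no-CAfile -CAfile "$1" "$2" 2>&1
}

build_demo_pki
if cert_matches_key "$WORK/server.pem" "$WORK/server.key"; then
  echo "server cert/key pair: match"
else
  echo "server cert/key pair: MISMATCH"
fi
echo "--- complete chain (intermediate + root):"
verify_chain "$WORK/chain.pem" "$WORK/server.pem" || true
echo "--- root only (intermediate missing; a pair check alone would not catch this):"
verify_chain "$WORK/root.pem" "$WORK/server.pem" || true
```

The second run fails with "unable to get local issuer certificate": the cert and key still match, so a pair check passes, but a client building the same chain cannot reach a trusted root. That is exactly the gap between `crypto verify` and a full chain check that the thread is asking about.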


4 Replies

Roble Mumin
Level 3

If I recall correctly, you verify a cert with...

crypto verify

in enable mode.

I don't have an ACE here right now, so I can't check. But give it a try.

Roble

Yes, with 'crypto verify ...' it's possible to verify the certificate and key pair. But how is it possible to verify the full certification chain (ca-root-cert, ca-cert, service-cert)?

The problem is solved - there really was a bad certificate (but the cert/key matched).


Yes, of course, openssl has this possibility; the ACE doesn't (the CSM has it, maybe in a new release it comes to the ACE also).

thanks,

martin
