Cisco Support Community

New Member

ACE SSL - bad certificate message

hello guys,

I have a basic www/https LB configuration on the ACE. In my lab it was all working. Now, in production, I have a problem with the https connection. In the sniffer output, after the 3-way handshake, I can see this:

SSLv3: Alert (Level: Fatal, description: Bad certificate)

What does it mean? I think my SSL chain is correct (it's a certificate for the service and a root certificate) - how can I verify the certification chain? (analogous to the CSM module).

thanks,

martin

1 ACCEPTED SOLUTION

Silver

Re: ACE SSL - bad certificate message

Hi,

The openssl code has a verify function which will check a certificate against a chain. The chain needs to be a concatenation of PEM format certificates and your certificate also needs to be in PEM format. See http://www.openssl.org/docs/apps/verify.html

Example:

C:\ACE\WIP\Myfiles>c:\openssl\bin\openssl verify -CAfile chain.pem cert_1250577575.pem

cert_1250577575.pem: OK

Openssl also provides for changing the format if necessary.

HTH

Cathy
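
The chain check this answer describes, as an added example that is not part of the original post: the script builds a throwaway root CA, issuing CA and service certificate, concatenates the CA certificates into chain.pem, and runs openssl verify with and without the issuing CA. All subject names and file names are constructed, and it assumes an OpenSSL 1.1.1 or later command-line tool on the PATH.

```shell
# Added example: constructed root -> issuing CA -> service chain for "openssl verify".
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
printf 'basicConstraints=critical,CA:TRUE\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\n' > "$WORK/leaf.ext"

# new_csr NAME CN: fresh RSA key plus certificate request
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -subj "/CN=$2" -out "$WORK/$1.csr" 2>/dev/null
}

# sign NAME ISSUER EXTFILE: ISSUER signs NAME's request
sign() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 30 -extfile "$WORK/$3" -out "$WORK/$1.pem" 2>/dev/null
}

build_chain() {
  new_csr root "Example Root CA"
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
  new_csr ca "Example Issuing CA"
  sign ca root ca.ext
  new_csr service "www.example.test"
  sign service ca leaf.ext
  # chain.pem is the concatenation of every CA certificate in PEM format
  cat "$WORK/ca.pem" "$WORK/root.pem" > "$WORK/chain.pem"
}

# verify_with CAFILE CERT: status 0 only if CERT chains to a root in CAFILE
verify_with() {
  openssl verify -CAfile "$WORK/$1" "$WORK/$2" >/dev/null 2>&1
}

build_chain
for bundle in chain.pem root.pem; do
  if verify_with "$bundle" service.pem; then
    echo "service.pem against $bundle: OK"
  else
    echo "service.pem against $bundle: FAILED (issuer not found in bundle)"
  fi
done
```

The second check fails because the issuing CA is missing from the -CAfile bundle, a condition that a certificate/key match check alone does not reveal.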

4 REPLIES
Bronze

Re: ACE SSL - bad certificate message

If I recall correctly, you verify a cert with...

crypto verify

in enable mode.

I don't have an ACE here right now so I can't check. But give it a try.

Roble

New Member

Re: ACE SSL - bad certificate message

Yes, with 'crypto verify ...' it's possible to verify the certificate and key pair. But how is it possible to verify the full certification chain (ca-root-cert, ca-cert, service-cert)?

The problem is solved - there really was a bad certificate (but cert/key matched).

New Member

Re: ACE SSL - bad certificate message

Yes, of course. OpenSSL has this possibility, ACE hasn't (CSM has this possibility; maybe it will come to ACE in new releases too).

thanks,

martin
