https://community.cisco.com/t5/application-networking/ace-ssl-bad-certificate-message/m-p/936106#M18397 <P>hello guys,</P><P>I have basic www/https LB configuration on the ACE. in my lab was all working. now, in production, I have a problem with https connection. in sniffer output I can see after 3way handshake this: </P><P></P><P>SSLv3: Alert (Level: Fatal, description: Bad certificate)</P><P></P><P>what does it mean? I think, my SSL chain is correct (it's a certificate for the service and root certificate) - how can I verify certification chain? (analogous to CSM module).</P><P></P><P>thanks,</P><P>martin</P> Thu, 10 Jul 2008 12:49:39 GMT Martin Kyrc 2008-07-10T12:49:39Z https://community.cisco.com/t5/application-networking/ace-ssl-bad-certificate-message/m-p/936106#M18397 <P>hello guys,</P><P>I have basic www/https LB configuration on the ACE. in my lab was all working. now, in production, I have a problem with https connection. in sniffer output I can see after 3way handshake this: </P><P></P><P>SSLv3: Alert (Level: Fatal, description: Bad certificate)</P><P></P><P>what does it mean? I think, my SSL chain is correct (it's a certificate for the service and root certificate) - how can I verify certification chain? (analogous to CSM module).</P><P></P><P>thanks,</P><P>martin</P> Thu, 10 Jul 2008 12:49:39 GMT https://community.cisco.com/t5/application-networking/ace-ssl-bad-certificate-message/m-p/936106#M18397 Martin Kyrc 2008-07-10T12:49:39Z https://community.cisco.com/t5/application-networking/ace-ssl-bad-certificate-message/m-p/936107#M18398 <HTML><HEAD></HEAD><BODY><P>If i recall correct you verify a cert with...</P><P></P><P>crypto verify <KEYFILE> <CERTFILE></CERTFILE></KEYFILE></P><P></P><P>in enable mode.</P><P></P><P>I don't have an ACE here right now so i can't check. But give it a try.</P><P></P><P>Roble</P></BODY></HTML> Fri, 11 Jul 2008 16:06:27 GMT https://community.cisco.com/t5/application-networking/ace-ssl-bad-certificate-message/m-p/936107#M18398 Roble Mumin 2008-07-11T16:06:27Z https://community.cisco.com/t5/application-networking/ace-ssl-bad-certificate-message/m-p/936108#M18399 <HTML><HEAD></HEAD><BODY><P>yes, with 'crypto verify ...' it's possible verify certificate and key pair. but how it's possible verify full certification chain (ca-root-cert, ca-cert, service-cert)?</P><P></P><P>the problem is solved - there was really bad certificate (but cert/key matched).</P></BODY></HTML> Mon, 14 Jul 2008 04:32:19 GMT https://community.cisco.com/t5/application-networking/ace-ssl-bad-certificate-message/m-p/936108#M18399 Martin Kyrc 2008-07-14T04:32:19Z https://community.cisco.com/t5/application-networking/ace-ssl-bad-certificate-message/m-p/936109#M18400 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>The openssl code has a verify function which will check a certificate against a chain. The chain needs to be a concatentation of pem format certificates and your certificate also needs to be in pem format. See <A class="jive-link-custom" href="http://www.openssl.org/docs/apps/verify.html" target="_blank">http://www.openssl.org/docs/apps/verify.html</A></P><P></P><P>Example:</P><P></P><P>C:\ACE\WIP\Myfiles&gt;c:\openssl\bin\openssl verify -CAfile chain.pem cert_12505775</P><P>75.pem</P><P>cert_1250577575.pem: OK</P><P></P><P>Openssl also provides for changing the format if necessary.</P><P></P><P>HTH</P><P></P><P>Cathy</P><P></P><P></P></BODY></HTML> Mon, 14 Jul 2008 07:37:07 GMT https://community.cisco.com/t5/application-networking/ace-ssl-bad-certificate-message/m-p/936109#M18400 ciscocsoc 2008-07-14T07:37:07Z https://community.cisco.com/t5/application-networking/ace-ssl-bad-certificate-message/m-p/936110#M18401 <HTML><HEAD></HEAD><BODY><P>yes, of course. openssl has this possibility, ACE hasn't (CSM has this possibility, maybe in new releases comes to ACE also).</P><P></P><P>thanks,</P><P>martin</P></BODY></HTML> Wed, 16 Jul 2008 08:15:31 GMT https://community.cisco.com/t5/application-networking/ace-ssl-bad-certificate-message/m-p/936110#M18401 Martin Kyrc 2008-07-16T08:15:31Z