Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
1636
Views
0
Helpful
4
Replies

ACE SSL - bad certificate message

Go to solution
Martin Kyrc
Level 3
Level 3

‎07-10-2008 05:49 AM

hello guys,

I have basic www/https LB configuration on the ACE. in my lab was all working. now, in production, I have a problem with https connection. in sniffer output I can see after 3way handshake this:

SSLv3: Alert (Level: Fatal, description: Bad certificate)

what does it mean? I think, my SSL chain is correct (it's a certificate for the service and root certificate) - how can I verify certification chain? (analogous to CSM module).

thanks,

martin

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
ciscocsoc
Level 4
Level 4
In response to Martin Kyrc

‎07-14-2008 12:37 AM

Hi,

The openssl code has a verify function which will check a certificate against a chain. The chain needs to be a concatentation of pem format certificates and your certificate also needs to be in pem format. See http://www.openssl.org/docs/apps/verify.html

Example:

C:\ACE\WIP\Myfiles>c:\openssl\bin\openssl verify -CAfile chain.pem cert_12505775

75.pem

cert_1250577575.pem: OK

Openssl also provides for changing the format if necessary.

HTH

Cathy

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Roble Mumin
Level 3
Level 3

‎07-11-2008 09:06 AM

If i recall correct you verify a cert with...

crypto verify

in enable mode.

I don't have an ACE here right now so i can't check. But give it a try.

Roble

0 Helpful

Go to solution
Martin Kyrc
Level 3
Level 3
In response to Roble Mumin

‎07-13-2008 09:32 PM

yes, with 'crypto verify ...' it's possible verify certificate and key pair. but how it's possible verify full certification chain (ca-root-cert, ca-cert, service-cert)?

the problem is solved - there was really bad certificate (but cert/key matched).

0 Helpful

Go to solution
ciscocsoc
Level 4
Level 4
In response to Martin Kyrc

‎07-14-2008 12:37 AM

Hi,

The openssl code has a verify function which will check a certificate against a chain. The chain needs to be a concatentation of pem format certificates and your certificate also needs to be in pem format. See http://www.openssl.org/docs/apps/verify.html

Example:

C:\ACE\WIP\Myfiles>c:\openssl\bin\openssl verify -CAfile chain.pem cert_12505775

75.pem

cert_1250577575.pem: OK

Openssl also provides for changing the format if necessary.

HTH

Cathy

0 Helpful

Go to solution
Martin Kyrc
Level 3
Level 3
In response to ciscocsoc

‎07-16-2008 01:15 AM

yes, of course. openssl has this possibility, ACE hasn't (CSM has this possibility, maybe in new releases comes to ACE also).

thanks,

martin

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card

Top