07-10-2008 05:49 AM
hello guys,
I have a basic www/https LB configuration on the ACE. In my lab it was all working. Now, in production, I have a problem with the https connection. In the sniffer output I can see this after the 3-way handshake:
SSLv3: Alert (Level: Fatal, description: Bad certificate)
What does it mean? I think my SSL chain is correct (it's a certificate for the service and a root certificate). How can I verify the certification chain (analogous to the CSM module)?
thanks,
martin
07-11-2008 09:06 AM
If I recall correctly, you verify a cert with...
crypto verify
in enable mode.
I don't have an ACE here right now so I can't check. But give it a try.
Roble
07-13-2008 09:32 PM
Yes, with 'crypto verify ...' it's possible to verify a certificate and key pair. But how is it possible to verify the full certification chain (ca-root-cert, ca-cert, service-cert)?
The problem is solved - there really was a bad certificate (but cert/key matched).
07-14-2008 12:37 AM
Hi,
The openssl code has a verify function which will check a certificate against a chain. The chain needs to be a concatenation of PEM format certificates and your certificate also needs to be in PEM format. See http://www.openssl.org/docs/apps/verify.html
Example:
C:\ACE\WIP\Myfiles>c:\openssl\bin\openssl verify -CAfile chain.pem cert_1250577575.pem
cert_1250577575.pem: OK
Openssl also provides for changing the format if necessary.
HTH
Cathy
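
The check described in the reply above, as an added example that is not part of the original post: it builds a throwaway root, intermediate and service certificate, then runs `openssl verify -CAfile` against a complete and an incomplete bundle. It assumes the OpenSSL command-line tool is on the PATH; all subject names, file names and the helper functions `issue`, `make_chain` and `chain_ok` are constructed for illustration.

```shell
#!/bin/sh
# Added example; every subject name and file name here is constructed.

# Issue one certificate: $1=dir $2=name $3=CN $4=extfile $5=issuer ("" = self-signed)
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || return 1
  if [ -z "$5" ]; then
    openssl x509 -req -in "$1/$2.csr" -signkey "$1/$2.key" -days 2 \
      -extfile "$4" -out "$1/$2.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$5.pem" -CAkey "$1/$5.key" \
      -CAcreateserial -days 2 -extfile "$4" -out "$1/$2.pem" 2>/dev/null
  fi
}

# Build root -> intermediate -> service in directory $1, plus the concatenated bundle.
make_chain() {
  printf 'basicConstraints=critical,CA:TRUE\n' > "$1/ca.ext"
  printf 'basicConstraints=CA:FALSE\n' > "$1/leaf.ext"
  issue "$1" root "Lab Root CA" "$1/ca.ext" "" &&
  issue "$1" inter "Lab Issuing CA" "$1/ca.ext" root &&
  issue "$1" service "www.example.test" "$1/leaf.ext" inter &&
  cat "$1/inter.pem" "$1/root.pem" > "$1/chain.pem"
}

# $1 = CA bundle (concatenated PEM), $2 = certificate to check.
# Succeeds only when openssl prints "<file>: OK", the line shown in the post.
chain_ok() {
  openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# Demo: the same service certificate against a full bundle and a root-only bundle.
demo_dir=$(mktemp -d)
make_chain "$demo_dir" || echo "could not build the test chain"
for bundle in chain.pem root.pem; do
  if chain_ok "$demo_dir/$bundle" "$demo_dir/service.pem"; then
    echo "service.pem against $bundle: OK"
  else
    echo "service.pem against $bundle: FAILED (issuer not in bundle)"
  fi
done
rm -rf "$demo_dir"
```

The root-only run fails even though the service certificate and its key match, which is the gap between a cert/key pair check and a chain check discussed in this thread.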
07-16-2008 01:15 AM
Yes, of course. openssl has this possibility, ACE hasn't (CSM has this possibility, maybe it will come to ACE in new releases as well).
thanks,
martin