ACE-SSL Certificate chain broken

Ulrich Hansen
Level 1

Hi,

I'm looking into a problem, where various clients (mostly Android devices) complain about a "broken certificate chain" when accessing a secure website. The ACE handles SSL offload and the configuration pertaining to the ssl-proxy service is as follows:

crypto chaingroup cg-vsign-test
  cert vsign-ca-root-cert.cer
  cert vsign-ca-intmed-cert.cer

parameter-map type ssl pmap-ssl-cipher-128MD5
  cipher RSA_WITH_RC4_128_MD5

ssl-proxy service sslpxy-mobilbank-test
  key c100-t-mbbk-070311-key.pem
  cert c100-t-mbbk-070311-cert.pem
  chaingroup cg-vsign-test
  ssl advanced-options pmap-ssl-cipher-128MD5

I'm no authority on certificates and cannot as such validate the content of the certificate files. I just receive them and install them according to the SSL configuration guide.

But whenever a client which does not hold the root and intermediate certificates on its own attempts to access the site in question, it complains about a broken certificate chain.

Are there any specific guidelines as far as making the ACE expose the entire certificate chain during the SSL handshake?

Thanks

/Ulrich

3 Replies

tkumarag
Cisco Employee

Hi

Do you have a chance to test this with PCs (not mobile devices)? Does it work for PCs? Is this problem only for mobile devices?

If it's only for mobile devices, please make sure the certs are in order under the chain group ("show crypto chaingroup cg-vsign-test").

As in the URL below:

"Typically, it is not necessary to add the certificates to the chain group in any type of hierarchical order because the device that verifies the certificates determines the correct order. However, some mobile devices may not be able to order the certificates properly and will display an error message. In this case, you need to add the certificates to the chain group in the correct order."

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/ssl/guide/certkeys.html#wp999546

rgds

Hi,

Thanks for replying.

I've done some testing from a PC and it works fine, no failure messages.

The 'sh crypto chaingroup cg-vsign-test' returns the following:

vsign-ca-root-cert.cer:
  Subject: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5
  Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5

vsign-ca-intmed-cert.cer:
  Subject: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3
  Issuer: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc. - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5

Again, I'm not an expert on certificates, but if I'm looking at the chaingroup and the above reflects the order of the certificates in the chaingroup, the root cert precedes the intermediate cert, and I take it that this is the correct order. This problem does not apply to all mobile devices. Evidently iPhone customers are not experiencing this. However, some Firefox 4 computers are also affected.

/Ulrich

Problem solved!

The chaingroup had a misconfiguration: the root certificate preceded the intermediate certificate in the order. Corrected the chaingroup config and it can now present a full, unbroken certificate chain.

/Ulrich
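The ordering rule from the reply above (server cert first, each certificate's Issuer equal to the Subject of the next one, self-signed root last) and the root-before-intermediate mistake found in the final post, as an added Python example that is not part of this thread or of Cisco's ACE software. The CA names are the ones quoted from the 'show crypto chaingroup' output; the server-certificate DN and the helper names are assumptions.

```python
import re

# Constructed sample data in the slash-separated DN format that the ACE
# 'show crypto chaingroup' output above uses. ROOT and INTERMEDIATE are the
# DNs quoted in the thread; LEAF is a hypothetical server certificate.
ROOT = ("/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=(c) 2006 VeriSign, Inc."
        " - For authorized use only/CN=VeriSign Class 3 Public Primary Certification Authority - G5")
INTERMEDIATE = ("/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at"
                " https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3")
LEAF = "/C=DK/O=Example Bank/CN=mobilbank.example.test"  # hypothetical

# (name, subject, issuer) in the order the server would send them: the
# ssl-proxy service cert first, then the chaingroup certs as configured.
CHAIN_AS_CONFIGURED = [("server-cert", LEAF, INTERMEDIATE),
                       ("vsign-ca-root-cert.cer", ROOT, ROOT),
                       ("vsign-ca-intmed-cert.cer", INTERMEDIATE, ROOT)]
CHAIN_FIXED = [CHAIN_AS_CONFIGURED[0], CHAIN_AS_CONFIGURED[2], CHAIN_AS_CONFIGURED[1]]


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs so two DNs compare reliably.
    Only a '/' followed by 'ATTR=' separates fields, so the '/' inside a
    value such as an https:// URL is left alone."""
    parts = re.split(r"/(?=[A-Za-z]+=)", dn.strip())
    return tuple(tuple(p.split("=", 1)) for p in parts if p)


def check_chain_order(chain):
    """Return a list of ordering problems; an empty list means the order is valid."""
    problems = []
    for i, (name, subject, issuer) in enumerate(chain):
        self_signed = parse_dn(subject) == parse_dn(issuer)
        last = i == len(chain) - 1
        if self_signed and not last:
            problems.append(f"{name} is self-signed (a root) but is not the last cert")
        elif not last and parse_dn(issuer) != parse_dn(chain[i + 1][1]):
            problems.append(f"{name} is not issued by {chain[i + 1][0]}, which follows it")
    return problems


def reorder_chain(chain):
    """Rebuild the correct order by following Issuer -> Subject links from the
    end-entity cert; returns the cert names. Stops at a self-signed root or
    when the issuer is not in the set (a chaingroup may omit the root)."""
    by_subject = {parse_dn(s): (n, s, i) for n, s, i in chain}
    issuers = {parse_dn(i) for _, _, i in chain}
    leaves = [c for c in chain if parse_dn(c[1]) not in issuers]
    if len(leaves) != 1:
        raise ValueError("expected exactly one end-entity certificate")
    ordered, cur = [], leaves[0]
    while cur is not None:
        ordered.append(cur[0])
        cur = None if parse_dn(cur[1]) == parse_dn(cur[2]) else by_subject.get(parse_dn(cur[2]))
    return ordered
```

The same check applies to what the device actually sends on the wire, for instance the certificate list printed by `openssl s_client -showcerts`.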
