ACE-SSL Certificate chain broken

Ulrich Hansen · ‎08-10-2011

Hi,

I'm looking into a problem, where various clients (mostly Android-devices) complain about a "broken certificate chain" when accessing a secure website. The ACE handles ssl-offload and the configuration pertaining to the ssl-proxy service is a follows:

crypto chaingroup cg-vsign-test

cert vsign-ca-root-cert.cer

cert vsign-ca-intmed-cert.cer

parameter-map type ssl pmap-ssl-cipher-128MD5

cipher RSA_WITH_RC4_128_MD5

ssl-proxy service sslpxy-mobilbank-test

key c100-t-mbbk-070311-key.pem

cert c100-t-mbbk-070311-cert.pem

chaingroup cg-vsign-test

ssl advanced-options pmap-ssl-cipher-128MD5

I'm no authority on certificates and cannot as such validate the content of the certificate-files. I just receive them and install 'em according to the SSL-configuration guide.

But whenever a client, which does not hold the Root- and intermediate certificate on its own, attempts to access the site in question, it complains about a broken certificate chain.

Are there any specific guidelines as far as making ACE expose the entire certificate chain during ssl-handshake?

Thanks

/Ulrich

tkumarag · ‎08-10-2011

Hi

Do you have chance of testing this with PCs (not mobile devices) ? Does it work for PCs ? is this problem only for Mobile devices ?

if it's only for mobile devices, please make sure certs are in the order under the chain group "show crypto chaingroup cg-vsign-test" .

As in the below URL

"Typically, it is not necessary to add the certificates to the chain group in any type of hierarchical order because the device that verifies the certificates determines the correct order. However, some mobile devices may not be able to order the certificates properly and will display an error message. In this case, you need to add the certificates to the chain group in the correct order. "

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA4_1_0/configuration/ssl/guide/certkeys.html#wp999546

rgds

Ulrich Hansen · ‎08-10-2011

Hi,

Thanks for replying.

I've done some testing from a PC and it works fine, no failure messages.

The 'sh crypto chaingroup cg-vsign-test' returns the following:

vsign-ca-root-cert.cer:

vsign-ca-intmed-cert.cer:

Subject: /C=US/O=VeriSign, Inc./OU=VeriSign Trust Network/OU=Terms of use at https://www.verisign.com/rpa (c)10/CN=VeriSign Class 3 International Server CA - G3

Again, I'm not an expert on certificates, but if I'm looking at the chaingroup and the above reflects the order of the certificates in the chaingroup, the root-cert preceeds the intermediate-cert and I take it, that this is the correct order. This problem does not apply to all mobile devices. Evidently iPhone customers are not experiencing this. However, some Firefox 4 computers are also affected.

/Ulrich

Ulrich Hansen · ‎08-11-2011

Problem solved!

The chaingroup has a misconfiguration, the root certificate preceeded the intermediate certificate in the order. Corrected the chaingroup config and can now present a full unbroken certificate-chain.

/Ulrich