EAP_TLS not successful, getting X509 decrypt error - certificate signature failure

s.pantula
Level 1

Hi

I am trying EAP-TLS authentication on ACS 5.1.

I have placed the Root CA of the device certificate on ACS.

But getting this error.

OpenSSLErrorMessage=SSL alert
code=0x233=563 ; source=local ; type=fatal ; message="X509 decrypt error - certificate signature failure"
OpenSSLErrorStack=  3055889312:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2649

Can anyone help in debugging the issue? Is it a problem with the device's root CA certificate or anything else?

Thanks

4 Replies

Jatin Katyal
Cisco Employee

Only SHA2 256-bit certificate digest algorithm is supported by ACS 5.2 and above.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/release/notes/acs_52_rn.html#wp157364

Jatin Katyal

- Do rate helpful posts -

~Jatin

edwjames
Level 3

Hi Smita,

Similar post but with ISE:

https://supportforums.cisco.com/thread/2135392

Are we using SHA 2 certs anywhere here?

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/release/notes/acs_52_rn.html#wp157364

ACS 5.2 supports SHA 256.

Rate if useful

**Share your knowledge. It’s a way to achieve immortality. --Dalai Lama** Please Rate if helpful. Regards Ed

s.pantula
Level 1

Thanks for your prompt help.

The root CA certificates are using SHA256. I also searched and found that this error could be because of using SHA256.

Thanks for reply and confirming.

You're welcome! Please upgrade the ACS to the latest code, if you have that option available.

Jatin Katyal

- Do rate helpful posts -

~Jatin
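Since the thread traces the failure to SHA-256-signed certificates, the first thing to verify on the root CA and device certificates is which digest signs them. The following is an added example, not code from the thread or from Cisco: a stdlib-only DER walker that reads the Certificate SEQUENCE, skips tbsCertificate and decodes the signatureAlgorithm OID. The sample certificate shells at the bottom are constructed (empty tbsCertificate and signatureValue) just to exercise the parser; the OID table is real.

```python
import base64
import re

SIG_ALGS = {  # OID -> name for common X.509 signature algorithms
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

def _tlv(buf, pos):
    """Parse one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _oid_to_str(raw):
    """Decode DER OID contents to dotted notation."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:  # base-128 arcs, high bit set on continuation bytes
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_algorithm(cert):
    """Return (dotted OID, name) of the certificate's outer signatureAlgorithm."""
    if b"-----BEGIN" in cert:  # PEM: strip armour lines and base64-decode
        cert = base64.b64decode(re.sub(rb"-----[^-]*-----|\s", b"", cert))
    tag, start, _ = _tlv(cert, 0)             # Certificate ::= SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    _, _, tbs_end = _tlv(cert, start)         # tbsCertificate (skipped)
    _, alg_start, _ = _tlv(cert, tbs_end)     # signatureAlgorithm SEQUENCE
    tag, oid_start, oid_end = _tlv(cert, alg_start)
    assert tag == 0x06, "expected OID in AlgorithmIdentifier"
    oid = _oid_to_str(cert[oid_start:oid_end])
    return oid, SIG_ALGS.get(oid, "unknown")

def is_sha2_signed(cert):  # the condition the thread identifies as the ACS 5.1 trigger
    return any(d in signature_algorithm(cert)[1] for d in ("256", "384", "512"))

# Constructed samples: valid Certificate shells carrying a real AlgorithmIdentifier.
SHA256_DER = bytes.fromhex("3014" "3000" "300d06092a864886f70d01010b0500" "030100")
SHA1_DER = bytes.fromhex("3014" "3000" "300d06092a864886f70d0101050500" "030100")
SHA256_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SHA256_DER) + b"\n-----END CERTIFICATE-----\n"
```

On a real file, `signature_algorithm(open("rootca.pem", "rb").read())` gives the same answer as `openssl x509 -noout -text` under "Signature Algorithm", without needing OpenSSL on the box.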