EAP_TLS not successful, getting X509 decrypt error - certificate signature failure

s.pantula · ‎05-09-2013

Hi

I am trying EAP-TLS authentication on ACS 5.1.

I have placed the Root CA of the device certitifcate on ACS.

But getting this error.

OpenSSLErrorMessage=SSL alert
code=0x233=563 ; source=local ; type=fatal ; message="X509 decrypt error - certificate signature failure"
OpenSSLErrorStack= 3055889312:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:s3_srvr.c:2649

Can anyone help in debugging the issue, is it problem with Device's root CA certificate or anything else

Thanks

Jatin Katyal · ‎05-09-2013

Only SHA2 256-bit certificate digest algorithm is supported by ACS 5.2 and above.

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/release/notes/acs_52_rn.html#wp157364

Jatin Katyal

- Do rate helpful posts -

~Jatin

edwjames · ‎05-09-2013

Hi Smita,

Similar post but with ISE:

https://supportforums.cisco.com/thread/2135392

Are we using SHA 2 certs anywhere here?

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.2/release/notes/acs_52_rn.html#wp157364

ACS 5.2 supports SHA 256.

Rate if useful

**Share your knowledge. It’s a way to achieve immortality. --Dalai Lama** Please Rate if helpful. Regards Ed

s.pantula · ‎05-09-2013

Thanks for you prompt help.

The root CA certificates are using SHA256, I also searched and found that this error could be becoz of using SHA256,

Thanks for reply and confirming.

Jatin Katyal · ‎05-10-2013

Your welcome! Please upgrade the ACS to the latest code, if you have that option available.

Jatin Katyal

- Do rate helpful posts -

~Jatin