
ACE does not recognize 2048 bit certificate as trusted?

Isegrimm24
Level 1

Hi, I have bought and installed a 2048-bit certificate from Thawte on an ACE20-MOD-K9 module. The appliance can't use it and gives the following error: "This certificate cannot be verified up to a trusted certfication authority."

I have contacted Thawte about this and they suggest installing an intermediate certificate from Thawte on the module, but I can't find such a certificate for Cisco on their site. Also I'm not sure how to go about implementing such an intermediate certificate on the ACE.

Anyone encountered such a problem? How did you solve it?

Any help is much appreciated, thanks in advance.


1 Reply

Marvin Rhoads
Hall of Fame

Use Thawte's intermediate certificate for an Apache server. That should work fine.

Thawte's intermediate certificate can be found here:

https://search.thawte.com/support/ssl-digital-certificates/index?page=content&actp=CROSSLINK&id=SO15464

Also, per ACE documentation (and my experience):

Note

When you make a change to a chain-group certificate, the change takes effect only after you respecify the associated chain group in the SSL proxy service using the chaingroup command. See the "Creating and Defining an SSL Proxy Service" section in Chapter 3, Configuring SSL Termination.

Hope this helps.

P.S. I found the tool at:

http://www.digicert.com/help/

to be more useful than Thawte's (or Verisign's) for strictly checking your chaingroup validity. Many modern browsers will allow you to have out-of-order chaingroup certificates. However, some older (and mobile handset) devices will throw an error if your certificates are improperly chained.
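
A local way to check chain order before loading the certificates onto the ACE, as an added example that is not part of the original posts: it confirms that each certificate in a PEM bundle (leaf first) names the next one as its issuer. It assumes the `openssl` command-line tool on a workstation; the function names, file names and the throwaway demo chain are constructed for illustration.

```shell
#!/bin/sh
# Check that a PEM bundle is ordered leaf -> intermediate(s) -> root by comparing
# each certificate's issuer name hash with the next certificate's subject name
# hash. This checks ordering by name only; it does not verify signatures.

check_chain_order() {
    bundle=$1
    work=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate: c1.pem, c2.pem, ...
    awk -v d="$work" '/-----BEGIN CERTIFICATE-----/ { n++ }
                      n { print > (d "/c" n ".pem") }' "$bundle"
    [ -f "$work/c1.pem" ] || { rm -rf "$work"; return 2; }  # no certificate found
    i=1; rc=0
    while [ -f "$work/c$((i + 1)).pem" ]; do
        issuer=$(openssl x509 -noout -issuer_hash -in "$work/c$i.pem")
        parent=$(openssl x509 -noout -subject_hash -in "$work/c$((i + 1)).pem")
        if [ -z "$issuer" ] || [ "$issuer" != "$parent" ]; then
            echo "certificate $i is not issued by certificate $((i + 1))" >&2
            rc=1
        fi
        i=$((i + 1))
    done
    rm -rf "$work"
    return "$rc"
}

# issue_cert DIR NAME CN SIGNER: create NAME.key and NAME.pem signed by SIGNER.
# Demo only: no CA extensions are set, which the name-order check does not need.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$1/$2.csr" -CA "$1/$4.pem" -CAkey "$1/$4.key" \
        -CAcreateserial -out "$1/$2.pem" 2>/dev/null
}

# make_demo_chain DIR: build a constructed root -> intermediate -> leaf chain.
make_demo_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Root" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null &&
    issue_cert "$1" int "Constructed Intermediate" root &&
    issue_cert "$1" leaf "www.example.test" int
}

# Usage: check_chain_order bundle.pem   (exit status 0 = ordered, 1 = out of order)
```

A bundle that passes here can still fail full validation, for example if a certificate has expired, so this complements rather than replaces a complete chain verification.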