How to verify the issuer of an EMS client or server certificate when SSL handshaking fails?

Article ID: KB0084530

Products: TIBCO Enterprise Message Service
Versions: Not Applicable

Description

The SSL handshake between an EMS client and server fails because client authentication or server authentication fails. The exception may include the message "unable to get local issuer certificate".

Resolution

EMS client authentication and server authentication are part of the SSL handshake, which includes certificate path processing: the signature on the client or server certificate is verified using the public key contained in the trusted certificate. The trusted certificate can be a self-signed CA certificate or a CA certificate within a certificate chain.

A certificate chain is made up of multiple certificates. Usually the first certificate is the EMS client or server certificate, followed by one or more CA certificates, and the last one is a self-signed CA certificate. The Issuer of each certificate (except the last one) matches the Subject of the next certificate in the chain, and each certificate (except the self-signed one) is signed by the private key of the next certificate in the chain. This means the signature in one certificate can be verified with the public key of the next certificate in the chain. The SSL handshake fails if the certificate's signature cannot be verified with the public key of the trusted CA certificate. The "openssl verify" command can be used to check that the certificates were created properly; refer to https://www.openssl.org/docs/manmaster/apps/verify.html.

Example: consider a chain like the following.

    server.cert.pem        (EMS server certificate, signed by CA1)
    CA1                    (intermediate CA certificate, signed by server_root.cert.pem)
    server_root.cert.pem   (self-signed root CA certificate)

Combine CA1 and server_root.cert.pem into one PEM file (for example, ca.pem), then verify the server certificate against it:

    openssl verify -CAfile ca.pem server.cert.pem
    OK

Verifying against the root alone fails because the intermediate CA1 is missing:

    openssl verify -CAfile server_root.cert.pem server.cert.pem
    error 20 at 0 depth lookup:unable to get local issuer certificate

The intermediate certificate itself verifies against the root:

    openssl verify -CAfile server_root.cert.pem CA1
    OK

Verifying against CA1 alone fails because the self-signed root server_root.cert.pem is missing:

    openssl verify -CAfile CA1 server.cert.pem
    error 2 at 1 depth lookup:unable to get issuer certificate

The "-issuer_checks" option prints additional information about the issuer lookups in the result.
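As an added example that is not part of the TIBCO article, the following POSIX shell script builds a constructed three-certificate chain with OpenSSL using the article's file names (the subject names are made up), prints each certificate's Subject and Issuer to show the linkage the article describes, and reproduces the four verify runs above by extracting the error number that openssl reports.

```shell
#!/bin/sh
# Added example, not from the TIBCO article: build a constructed three-level
# chain (self-signed root -> intermediate "CA1" -> EMS server certificate) with
# OpenSSL, then reproduce the article's four "openssl verify" runs. File names
# match the article; the subjects (CN values) are made up for this example.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions: CA certificates must carry CA:TRUE or OpenSSL will not use them
# as issuers; the server (leaf) certificate is explicitly not a CA.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\n' > leaf.ext

# Self-signed root CA: the article's server_root.cert.pem (the trusted certificate).
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Example Root CA" 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext \
  -out server_root.cert.pem 2>/dev/null
# Intermediate CA1, signed by the root's private key.
openssl req -new -newkey rsa:2048 -nodes -keyout ca1.key -out ca1.csr \
  -subj "/CN=Example CA1" 2>/dev/null
openssl x509 -req -in ca1.csr -CA server_root.cert.pem -CAkey root.key \
  -CAcreateserial -days 30 -extfile ca.ext -out CA1 2>/dev/null
# EMS server certificate, signed by CA1's private key.
openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj "/CN=ems-server" 2>/dev/null
openssl x509 -req -in server.csr -CA CA1 -CAkey ca1.key -CAcreateserial \
  -days 30 -extfile leaf.ext -out server.cert.pem 2>/dev/null
# The combined file the article calls ca.pem: CA1 plus the root.
cat CA1 server_root.cert.pem > ca.pem

# verify_errcode TRUST LEAF: prints the X509 error number that
# "openssl verify -CAfile TRUST LEAF" reports, or 0 when the chain verifies
# (20 = unable to get local issuer certificate, 2 = unable to get issuer certificate).
verify_errcode() {
  out=$(openssl verify -CAfile "$1" "$2" 2>&1) && { echo 0; return 0; }
  echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# The Issuer of each certificate must equal the Subject of the next one in the chain.
for c in server.cert.pem CA1 server_root.cert.pem; do
  echo "== $c"; openssl x509 -in "$c" -noout -subject -issuer
done
echo "ca.pem -> server.cert.pem:               error $(verify_errcode ca.pem server.cert.pem)"
echo "server_root.cert.pem -> server.cert.pem: error $(verify_errcode server_root.cert.pem server.cert.pem)"
echo "server_root.cert.pem -> CA1:             error $(verify_errcode server_root.cert.pem CA1)"
echo "CA1 -> server.cert.pem:                  error $(verify_errcode CA1 server.cert.pem)"
```

The script needs the openssl command line tool on the PATH and leaves no files behind.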

Additional Information

https://tools.ietf.org/html/rfc5280#page-72
https://www.openssl.org/docs/manmaster/apps/verify.html