Why does the Session Log show Certificate Status as Invalid Issuer?

Article ID: 168466

Products

SSL Visibility Appliance Software

Issue/Introduction

The SSL Visibility Appliance verifies the validity of each server certificate chain before resigning it. Policy can use the result of this validation to resign invalid certificates with a CA that clients do not trust, so the appliance can still decrypt the session while the client continues to see the original (untrusted) certificate status.

In order to validate a server certificate chain, the SSL Visibility Appliance must be able to completely rebuild the chain from the server certificate to the root CA. To rebuild the chain, the appliance must be able to access all certificates in the chain as follows:
  1. The endpoint server certificate will always be on the wire.
  2. Any intermediate CAs must either be sent by the server on the wire along with the server certificate, or must be found in the external CA store.
  3. The root CA must be in the SSL Visibility Appliance external CA store.

Cause

There may be cases where an intermediate or root CA is not found in the SSL Visibility Appliance External Certificate Authorities list, which causes the Session Log to show a certificate status of "Invalid Issuer".
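The following Python script is an added illustration of the three chain-building rules above and of the situation described under Cause; it is not the appliance's own code. It reduces a certificate to its subject and issuer names (signature, expiry and revocation checks are deliberately left out) and walks from the server certificate towards a root, taking intermediates from the wire or the external store and accepting only a self-signed root that is present in the store. The certificate names and the function names are constructed for the example.

```python
"""Model of how an interception appliance rebuilds a server certificate chain.

Rules modelled (from the article):
  1. the server certificate is always on the wire;
  2. intermediates may come from the wire or from the external CA store;
  3. the root must be in the external CA store; a root seen only on the wire
     is not trusted.
Certificates are reduced to (subject, issuer) name pairs. This is a
constructed illustration, not the appliance's implementation.
"""
from dataclasses import dataclass
from typing import Iterable, List, Optional

MAX_CHAIN_DEPTH = 8  # guard against issuer loops in malformed input


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


@dataclass
class ChainResult:
    status: str                            # "Valid" or "Invalid Issuer"
    chain: List[str]                       # subjects, server cert first
    missing_issuer: Optional[str] = None   # issuer name that could not be located


def _find_by_subject(name: str, certs: Iterable[Cert]) -> Optional[Cert]:
    for cert in certs:
        if cert.subject == name:
            return cert
    return None


def build_chain(server_cert: Cert, wire_certs: Iterable[Cert],
                external_ca_store: Iterable[Cert]) -> ChainResult:
    """Rebuild the chain from server_cert up to a trusted root."""
    wire = list(wire_certs)
    store = list(external_ca_store)
    chain = [server_cert]
    current = server_cert
    for _ in range(MAX_CHAIN_DEPTH):
        # Rule 3: the chain is complete only when the issuer is a self-signed
        # root found in the external CA store.
        store_hit = _find_by_subject(current.issuer, store)
        if store_hit is not None and store_hit.self_signed:
            if store_hit != current:          # self-signed server cert case
                chain.append(store_hit)
            return ChainResult("Valid", [c.subject for c in chain])
        # Rule 2: an intermediate may come from the wire or from the store.
        issuer = _find_by_subject(current.issuer, wire) or store_hit
        if issuer is None or issuer.self_signed:
            # Nothing usable: either the issuer is absent everywhere, or it is
            # a root that was sent on the wire but is not in the store.
            return ChainResult("Invalid Issuer", [c.subject for c in chain],
                               missing_issuer=current.issuer)
        chain.append(issuer)
        current = issuer
    # Depth exceeded without reaching a trusted root.
    return ChainResult("Invalid Issuer", [c.subject for c in chain],
                       missing_issuer=current.issuer)


# Constructed sample chain: leaf <- intermediate <- root.
ROOT = Cert("Example Root CA", "Example Root CA")
INTER = Cert("Example Intermediate CA", "Example Root CA")
LEAF = Cert("www.example.com", "Example Intermediate CA")


def scenarios() -> dict:
    """Return the outcome of each chain-building situation the article lists."""
    return {
        # Intermediate on the wire, root in the store: rebuilds completely.
        "intermediate_on_wire": build_chain(LEAF, [LEAF, INTER], [ROOT]),
        # Intermediate neither on the wire nor in the store: the Cause above.
        "intermediate_missing": build_chain(LEAF, [LEAF], [ROOT]),
        # Intermediate only in the external store: still rebuilds.
        "intermediate_in_store": build_chain(LEAF, [LEAF], [ROOT, INTER]),
        # Root sent on the wire but absent from the store: not trusted.
        "root_only_on_wire": build_chain(LEAF, [LEAF, INTER, ROOT], []),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:24s} {result.status:15s} chain={result.chain}"
              + (f" missing={result.missing_issuer}" if result.missing_issuer else ""))
```

The "intermediate_missing" and "root_only_on_wire" cases are the ones that surface as Invalid Issuer; the `missing_issuer` field names the CA whose PEM would have to be imported into the external CA list for the chain to rebuild.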

Resolution

This happens because the external CA list is not updated automatically; at present it is only updated periodically, by hand. In the interim, if the CA is a well-known CA that is trusted by major browsers, it can be added to the external CA list by importing its PEM file into the all-external-certificate-authorities list.