Troubleshooting the import of an invalid certificate in SSL Visibility appliance.

Article ID: 168641

Products

SSL Visibility Appliance Software

Issue/Introduction

When attempting to install a certificate after getting it signed, the certificate may not install correctly.  You may get a pop-up window that states that you are attempting to install an invalid certificate.  The System Log is not very clear as to why this happened.  

Cause

The cause may be that the certificate was not signed correctly. To verify this, review the certificate you are installing and look at its details. Under Basic Constraints, check what the Subject Type is. Often the certificate has been signed as the wrong type: it may have been signed as an end entity, say a web server, with “Subject Type=End Entity”. Such a certificate will fail to install.

Recall that in order for re-signing to happen, the certificate on the SSL Visibility appliance has to be a subordinate CA. It must have a Basic Constraint of “Subject Type=CA”. You may also verify that the Certificate Template name is SubCA, as in subordinate CA.

Another cause may be that the certificate you are trying to install is signed, but was not issued from the CSR that you provided. To verify this, compare the signed certificate with the original CSR that you created on the SSL Visibility appliance.

Verify that the CN (Common Name) is the same, using the Issued to: field on the General Properties tab of the signed certificate. Also, on the Details tab of the signed certificate, within the Subject field, check whether the details you entered in the CSR match those shown in the signed certificate.
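
The same checks can be run with the OpenSSL command line against exported copies of the signed certificate and the CSR. This is an added example, not part of the original article or any vendor tooling; the file names, subjects and lab CA are constructed, and the public-key comparison goes one step beyond the Subject comparison described above.

```bash
#!/usr/bin/env bash
# Added example (not vendor code). All file names and subjects are constructed.

# Returns 0 if the certificate's Basic Constraints say CA:TRUE ("Subject Type=CA").
cert_is_ca() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# Print a subject with the "subject=" label stripped, so that certificate
# and CSR output can be compared. $1 = x509|req, $2 = file.
subject_of() {
    openssl "$1" -in "$2" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Returns 0 if certificate $1 carries the subject and public key of CSR $2.
cert_matches_csr() {
    [ "$(subject_of x509 "$1")" = "$(subject_of req "$2")" ] || return 1
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl req -in "$2" -noout -pubkey)" ]
}

# Build constructed sample material in directory $1: a lab root CA, the
# appliance CSR, a correctly signed SubCA certificate, an end-entity
# certificate from the same CSR, and a certificate issued from another CSR.
make_demo() {
    demo_dir=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$demo_dir/subca.ext"
    printf 'basicConstraints=CA:FALSE\n' > "$demo_dir/ee.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Lab Root CA' \
        -keyout "$demo_dir/root.key" -out "$demo_dir/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=sslv-resign.example' \
        -keyout "$demo_dir/sslv.key" -out "$demo_dir/sslv.csr" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=other.example' \
        -keyout "$demo_dir/other.key" -out "$demo_dir/other.csr" 2>/dev/null
    # sign <csr> <extension file> <output certificate>
    sign() {
        openssl x509 -req -in "$1" -CA "$demo_dir/root.pem" -CAkey "$demo_dir/root.key" \
            -CAcreateserial -days 1 -extfile "$2" -out "$3" 2>/dev/null
    }
    sign "$demo_dir/sslv.csr"  "$demo_dir/subca.ext" "$demo_dir/good.pem"
    sign "$demo_dir/sslv.csr"  "$demo_dir/ee.ext"    "$demo_dir/endentity.pem"
    sign "$demo_dir/other.csr" "$demo_dir/subca.ext" "$demo_dir/wrongcsr.pem"
}
```

After sourcing the file, run `make_demo "$(mktemp -d)"` to create the sample files, then call `cert_is_ca` and `cert_matches_csr` on them or on your own exported certificate and CSR; a non-zero exit status corresponds to one of the two causes described above.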

Resolution

The Certificate Signing Request must be signed properly as a subordinate CA.