Troubleshooting the import of an invalid certificate in SSL Visibility appliance.
Article ID: 168641
Updated On:
Products
SSL Visibility Appliance Software
Issue/Introduction
When attempting to install a certificate after getting it signed, the certificate may not install correctly. You may get a pop-up window that states that you are attempting to install an invalid certificate. The System Log is not very clear as to why this happened.
Cause
The cause may be that the certificate was not signed correctly. One thing that you can do to verify this is to review the certificate you are installing, and look within the details of the certificate. Under the Basic Constraint, verify what the Subject Type is. Often times the certificate is signed wrong. It may signed as an end entity, say a web server, “Subject Type=End Entity”. This will fail install.
Recall, that in order for a resigning to happen, the certificate on the SSL Visibility appliance has to be a subordinate CA. It must have a Basic Constraint of “Subject Type=CA”. You may also verify that the Certificate Template name is SubCA, as in subordinate CA.
Another cause may be that the certificate that you are trying to install is signed, but it is not from the CSR that you provided. To verify this you can do some checking on the signed certificate and the original CSR that you created on the SSL Visibility appliance appliance.
Verify that the CN or Common name are same via the Issue to: field on the General Properties tab of the signed certificate. Also, on the Details tab of signed certificate, within the Subject field, check and see if the details you created within the CSR with and the details of the SCR match.
Recall, that in order for a resigning to happen, the certificate on the SSL Visibility appliance has to be a subordinate CA. It must have a Basic Constraint of “Subject Type=CA”. You may also verify that the Certificate Template name is SubCA, as in subordinate CA.
Another cause may be that the certificate that you are trying to install is signed, but it is not from the CSR that you provided. To verify this you can do some checking on the signed certificate and the original CSR that you created on the SSL Visibility appliance appliance.
Verify that the CN or Common name are same via the Issue to: field on the General Properties tab of the signed certificate. Also, on the Details tab of signed certificate, within the Subject field, check and see if the details you created within the CSR with and the details of the SCR match.
Resolution
The Certificate Signing Request must be signed properly as a subordinate CA.
Feedback
Yes
No
Powered by
