Root CA is not working -- how to verify if a certificate/issuer had been updated on server side
Article ID: 269537


Products

CA API Gateway

Issue/Introduction

To remove the dependency on intermediate certificates, we updated the root CA as the trusted anchor and configured the cluster-wide property io.httpsHostAllowWildcard to true; we also updated io.httpsHostVerify to false.

The above solution has not succeeded when the server certificate is issued by a different intermediate certificate in PROD.

This caused prod issues, and we must reload all intermediate certificates to resolve the prod issue.


Error in the ssg log:

"Unable to obtain HTTP response from https://xxx.xxx.xxx: Server cert cn=yyy found but not trusted for SSL."

Environment

Release: 10.0

Cause

The Root CA usually stops working because the CA has changed or replaced its Root CA, even though the common name of the certificate is still the same.

The error message also indicates that the server cert, or part of the cert chain, is not trusted for SSL.

To verify if the Root CA had been changed, compare the SHA1 fingerprint of the Root CA stored in the gateway and the one from the backend server.

To show the SHA1 fingerprint of the Root CA stored in the gateway, log in to Policy Manager, navigate to "Manage Certificates", open the properties window of the Root CA, and click the Details tab.

To show the SHA1 fingerprint of the Root CA from the server side:

1. Find the URL of the signing (issuer) certificate in the Authority Information Access extension of the certificate.

openssl x509 -in (cert) -text

Here is an example using the Google intermediate certificate "GTS CA 1C3.crt":

openssl x509 -in "GTS CA 1C3.crt" -text

which shows:

            Authority Information Access: 
                OCSP - URI:http://ocsp.pki.goog/gtsr1
                CA Issuers - URI:http://pki.goog/repo/certs/gtsr1.der

So http://pki.goog/repo/certs/gtsr1.der is the download link for the issuer cert.


2. Download the signing certificate to a file (DER format in the above example).

curl (url) > (signer.der)

Continuing the example above:

curl http://pki.goog/repo/certs/gtsr1.der > gtsr1.der


3. Convert the signing certificate to PEM (X.509) format.

openssl x509 -inform der -in (signer.der) -out (signer.pem)

Continuing the example above:

openssl x509 -inform der -in gtsr1.der -out gtsr1.pem


4. Repeat steps 1 to 3, this time starting from the issuer certificate downloaded in step 2, until you reach the Root CA (a root normally has no CA Issuers URI of its own).


5. Show the SHA-1 fingerprint of the issuer.

openssl x509 -noout -fingerprint -sha1 -inform pem -in (signer.pem)

Continuing the example above:

openssl x509 -noout -fingerprint -sha1 -inform pem -in gtsr1.pem
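As an added example (not part of this article), the POSIX shell script below automates steps 1 to 5: it follows the CA Issuers URI from a server or intermediate certificate up to the root, converts each download to PEM, prints every fingerprint and compares a fingerprint with the one shown in Policy Manager, ignoring case and colons. It assumes openssl and curl are installed; the file names and output directory are placeholders.

```shell
#!/bin/sh
# Added example: automates steps 1-5 of the article. Not the article's own
# script. Assumes openssl and curl are on PATH; file names are placeholders.

# Report whether a certificate file is PEM or DER so openssl gets the right -inform.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then echo pem; else echo der; fi
}

# Step 1: the "CA Issuers" URI from the Authority Information Access extension
# (prints nothing when the certificate carries none, as roots usually do not).
issuer_url() {
    openssl x509 -inform "$(cert_format "$1")" -in "$1" -noout -text 2>/dev/null |
        sed -n 's/.*CA Issuers - URI:\(.*\)$/\1/p' | head -n 1
}

# Step 5: SHA-1 fingerprint as openssl prints it, e.g. AB:CD:...:EF (PEM or DER input).
fingerprint() {
    openssl x509 -inform "$(cert_format "$1")" -in "$1" -noout -fingerprint -sha1 |
        sed 's/^.*=//'
}

# Compare the gateway's fingerprint with the server-side one, ignoring case, colons and spaces.
same_fingerprint() {
    a=$(printf '%s' "$1" | tr -d ': ' | tr 'a-f' 'A-F')
    b=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Steps 1-4: walk from a server/intermediate certificate up to the root,
# downloading each issuer (step 2), converting it to PEM (step 3) and printing
# "<fingerprint>  <file>" for every link so each can be checked against the gateway.
walk_chain() {
    cert="$1"; dir="${2:-.}"; n=0
    while :; do
        printf '%s  %s\n' "$(fingerprint "$cert")" "$cert"
        url=$(issuer_url "$cert")
        [ -n "$url" ] || break                      # no CA Issuers URI: top of the chain
        n=$((n + 1)); [ "$n" -le 10 ] || return 1   # guard against a looping AIA pointer
        curl -fsS "$url" -o "$dir/issuer$n.bin" || return 1
        openssl x509 -inform "$(cert_format "$dir/issuer$n.bin")" \
            -in "$dir/issuer$n.bin" -out "$dir/issuer$n.pem" || return 1
        cert="$dir/issuer$n.pem"
    done
}

# Usage: walk_chain server.pem /tmp/chain
#        same_fingerprint "<SHA1 from Policy Manager>" "<last fingerprint printed>" && echo same
```

If same_fingerprint fails for the last certificate printed, the CA has replaced its Root CA and the gateway's trust anchor must be updated as described under Resolution.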

Resolution

Download and import the new Root CA.