Client Authentication in SSL VPN-Plus fails if client certificate is signed by intermediate CA

Article ID: 309101

Products

VMware NSX for vSphere

Issue/Introduction

Symptoms:

  • Client Authentication in SSL VPN-Plus fails if client certificate is signed by intermediate CA.
  • Client Authentication in SSL VPN-Plus is enabled.
  • Client certificate is used which is signed by intermediate CA for Client Authentication.
  • The SSL VPN-Plus portal returns 400 Bad Request because of a certificate error:
    400 Bad Request
    The SSL certificate error
  • If the SSL VPN logging level is info or debug, an error similar to the following can be seen in the Edge log:
    YYYY-MM-DDThh:mm:ss+00:00 edge-0 nginx:  [local7.info] YYYY/MM/DD hh:mm:ss [info] ####: *# client SSL certificate verify error: (2:unable to get issuer certificate) while reading client request headers, client: #.#.#.#, server: , request: "GET / HTTP/1.1", host: "####"

Environment

VMware NSX for vSphere 6.4.x
VMware NSX for vSphere 6.2.x
VMware NSX for vSphere 6.3.x

Cause

By design, SSL VPN-Plus does not support client certificates that are signed by an intermediate CA.

Resolution

Use a client certificate that is signed directly by the root CA.
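To check a client certificate before it is used for Client Authentication, the following added example (not VMware's code; it builds a constructed throwaway PKI with openssl, so every CA and certificate name in it is an assumption) tells a root-signed client certificate from an intermediate-signed one, and reproduces verify error number 2, the X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT reported as "(2:unable to get issuer certificate)" in the Edge nginx log, when only the intermediate CA is in the trust store:

```shell
#!/bin/sh
# Added example (not VMware's code): a throwaway PKI built with openssl, used to tell
# whether a client certificate is issued directly by the root CA (supported) or by an
# intermediate CA (the failing case), and to reproduce the verify error from the log.
set -eu

# Create under $1: root CA, intermediate CA, client-root.pem (issued by the root) and
# client-inter.pem (issued by the intermediate). All names are constructed for the demo.
make_demo_pki() {
  dir=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$dir/ca.ext"
  for name in root inter client-root client-inter; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-$name" \
      -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  done
  openssl x509 -req -days 30 -in "$dir/root.csr" -signkey "$dir/root.key" \
    -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null
  openssl x509 -req -days 30 -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -extfile "$dir/ca.ext" -out "$dir/inter.pem" 2>/dev/null
  for issuer in root inter; do
    openssl x509 -req -days 30 -in "$dir/client-$issuer.csr" -CA "$dir/$issuer.pem" \
      -CAkey "$dir/$issuer.key" -CAcreateserial -out "$dir/client-$issuer.pem" 2>/dev/null
  done
}

# Prints OpenSSL's X509 verify error number for cert $1 with $2 as the only trusted CA
# (0 = verifies). 2 = X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, the "(2:unable to get
# issuer certificate)" in the Edge log; 20 = unable to get local issuer certificate.
verify_error_code() {
  if out=$(openssl verify -CAfile "$2" "$1" 2>&1); then echo 0; return; fi
  printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

# Succeeds only if $1 chains to root $2 with nothing else, i.e. it is root-signed.
signed_directly_by_root() { [ "$(verify_error_code "$1" "$2")" = 0 ]; }

# The same cert is valid once the intermediate ($3) is supplied as chain material:
# it is not a broken certificate, it is an issuer SSL VPN-Plus does not support.
verifies_with_intermediate() {
  openssl verify -CAfile "$2" -untrusted "$3" "$1" >/dev/null 2>&1
}

DEMO=$(mktemp -d)
make_demo_pki "$DEMO"
for c in client-root client-inter; do
  printf '%-12s root only: err %s   intermediate only: err %s\n' "$c" \
    "$(verify_error_code "$DEMO/$c.pem" "$DEMO/root.pem")" \
    "$(verify_error_code "$DEMO/$c.pem" "$DEMO/inter.pem")"
done
```

Run signed_directly_by_root against the real client certificate and the root CA certificate you intend to upload; only a certificate that passes it matches the supported configuration.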