36 Replies. Latest reply on Sep 18, 2009 1:07 PM by 800484
      • 15. Re: SEC_ERROR_CA_CERT_INVALID
        800484
        receivables wrote:
        This is what I get after loading the certificate on web server
        mycertificate u,u,u
        VeriSign, Inc. - VeriSign, Inc. CT,,

        In App. Server, this is what I get
        mycertificate u,u,u
        Verisign Class 3 Public Primary Certification Authority c,c,c
        VeriSign, Inc. - VeriSign, Inc. CT,,
        These trust flags look ok. For server certificates u,u,u is ok. For CA certificates, trust flags should be CT.

        You can try modifying trust flag of this "Verisign Class 3 Public Primary Certification Authority" to "CTu,CTu,CTu"

        You can use certutil to modify these flags.
        $certutil -M              Modify trust attributes of certificate
           -n cert-name           The nickname of the cert to modify
           -t trustargs           Set the certificate trust attributes:
                                      p    valid peer
                                      P    trusted peer (implies p)
                                      c    valid CA
                                      T    trusted CA to issue client certs (implies c)
                                      C    trusted CA to issue server certs (implies c)
                                      u    user cert
                                      w    send warning
           -d certdir             Cert database directory
           -P dbprefix            Cert & Key database prefix
        In my Admin Server instance, I see certificates with these flags:
        $certutil -L -d .
        Admin-Server-Cert      u,u,u
        Admin-Client-Cert      u,u,u
        Admin-CA-Cert          CTu,u,u
        clientcacert           CT,,
        • 16. Re: SEC_ERROR_CA_CERT_INVALID
          800484
          receivables wrote:
          And in the web server's log the error is error sending request (SEC_ERROR_CA_CERT_INVALID: Issuer certificate is invalid.)
          I checked NSS code; it has something to do with issuer privilege (I do not know what it is) or Basic Constraints of isCA of the server certificate.
          /security/nss/lib/certhigh/certvfy.c located at http://mxr.mozilla.org/security/source/security/nss/lib/certhigh/certvfy.c
          445     switch (last_type) {
          446       case cbd_User:
          ...
          451         /* now check for issuer privilege */
          452         if ((rv != SECSuccess) || ((priv & 0x10) == 0)) {
          ...
          454             PORT_SetError (SEC_ERROR_CA_CERT_INVALID);
          ...
          458       case cbd_CA:
          459         if ((priv & 0x20) == 0) {
          ...
          461             PORT_SetError (SEC_ERROR_CA_CERT_INVALID);
          ...
          691             if ( basicConstraint.isCA == PR_FALSE ) {
          692                 PORT_SetError (SEC_ERROR_CA_CERT_INVALID);
          ...
          790             if (  !isca  ) {
          791                 PORT_SetError(SEC_ERROR_CA_CERT_INVALID);
          ...
          968         if ( basicConstraint.isCA == PR_FALSE ) {
          969             PORT_SetError (SEC_ERROR_CA_CERT_INVALID);
          ...
          1031         if (!isca) {
          1032             PORT_SetError(SEC_ERROR_CA_CERT_INVALID);
          ...
          For my Admin Server CA certificate, I see Basic Constraints if CA.
          $certutil -L -d . -n Admin-CA-Cert
          ...
                  Signed Extensions:
                      Name: Certificate Basic Constraints
                      Critical: True
                      Data: Is a CA with a maximum path length of -2.
          ...
          $certutil -L -d . -n clientcacert
          ...
                  Signed Extensions:
                      Name: Certificate Type
                      Data: <SSL CA,S/MIME CA,ObjectSigning CA>
                      Name: Certificate Basic Constraints
                      Critical: True
                      Data: Is a CA with a maximum path length of 10.
          ...
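The two conditions replies 15 and 16 point at (the trust letters in the `certutil -L` column, and the isCA bit of the Basic Constraints extension in `certutil -L -n <nickname>`) can be audited from the certutil text itself. The following is an added Python example, not code from the thread and not NSS's own verification code; the certutil output it parses is constructed to mimic the format shown in the posts, and `issuer_check` is a deliberately simplified model of why certvfy.c reports SEC_ERROR_CA_CERT_INVALID, not a reimplementation of NSS's chain building.

```python
"""Audit NSS trust flags and Basic Constraints from certutil output.

Added example (not from the thread or from NSS). It models the two
conditions the replies above describe: the trust letters shown by
`certutil -L`, and the isCA bit in the Basic Constraints extension shown
by `certutil -L -n <nickname>`. All sample output is constructed.
"""
import re

# Trust-flag letters, as documented in certutil's own help text.
FLAG_MEANING = {
    "p": "valid peer",
    "P": "trusted peer (implies p)",
    "c": "valid CA",
    "T": "trusted CA to issue client certs (implies c)",
    "C": "trusted CA to issue server certs (implies c)",
    "u": "user cert (private key in the database)",
    "w": "send warning",
}

# Constructed `certutil -L -d .` listing, nicknames taken from the thread.
LISTING = """\
Certificate Nickname                                        Trust Attributes
                                                            SSL,S/MIME,JAR/XPI

mycertificate                                               u,u,u
Verisign Class 3 Public Primary Certification Authority     c,c,c
VeriSign, Inc. - VeriSign, Inc.                             CT,,
"""

# Constructed `certutil -L -n <nick>` excerpts; only the extension lines matter.
CA_DUMP = """\
        Signed Extensions:
            Name: Certificate Basic Constraints
            Critical: True
            Data: Is a CA with a maximum path length of 0.
"""
LEAF_DUMP = """\
        Signed Extensions:
            Name: Certificate Basic Constraints
            Data: Is not a CA.
"""

TRUST_RE = re.compile(
    r"^(?P<nick>.+?)\s+(?P<ssl>[pPcTCuw]*),(?P<email>[pPcTCuw]*),(?P<objsign>[pPcTCuw]*)$"
)
BC_RE = re.compile(
    r"Name: Certificate Basic Constraints(?:\s*Critical: \w+)?\s*Data: (?P<data>[^\n]+)"
)

def parse_listing(text):
    """Map nickname -> (SSL, S/MIME, object-signing) trust strings."""
    certs = {}
    for line in text.splitlines():
        m = TRUST_RE.match(line.strip())
        if m:
            certs[m["nick"]] = (m["ssl"], m["email"], m["objsign"])
    return certs

def describe(flags):
    """Expand a trust string such as 'CTu' into its documented meanings."""
    return [FLAG_MEANING[f] for f in flags if f in FLAG_MEANING]

def ssl_role(trust):
    """Classify an entry by its SSL column, following the advice in the thread."""
    ssl = trust[0]
    if "C" in ssl or "T" in ssl:
        return "trusted CA"
    if "c" in ssl:
        return "valid CA (not trusted)"
    if "u" in ssl:
        return "server/user cert"
    return "no SSL trust"

def is_ca(dump):
    """True/False from the Basic Constraints line; None if the extension is absent."""
    m = BC_RE.search(dump)
    return None if m is None else m["data"].startswith("Is a CA")

def audit(certs):
    """List CA entries whose SSL column lacks C/T, with the certutil fix suggested above."""
    findings = []
    for nick, trust in certs.items():
        if ssl_role(trust) == "valid CA (not trusted)":
            findings.append(
                f'{nick}: SSL flags "{trust[0]}" mark a CA that is not trusted to issue; '
                f'fix with: certutil -M -d . -n "{nick}" -t "CT,CT,CT"'
            )
    return findings

def issuer_check(nick, certs, dump):
    """Simplified model (not NSS's real algorithm) of why certvfy.c reports
    SEC_ERROR_CA_CERT_INVALID for an issuer: Basic Constraints says it is
    not a CA, or its trust flags give it no CA privilege for SSL."""
    if is_ca(dump) is False:
        return "SEC_ERROR_CA_CERT_INVALID: Basic Constraints says 'Is not a CA'"
    ssl = certs.get(nick, ("", "", ""))[0]
    if not any(f in ssl for f in "cCT"):
        return "SEC_ERROR_CA_CERT_INVALID: no CA privilege in SSL trust flags"
    return "ok"

if __name__ == "__main__":
    db = parse_listing(LISTING)
    for nick, trust in db.items():
        print(f"{nick!r}: {ssl_role(trust)} {describe(trust[0])}")
    for finding in audit(db):
        print("WARNING", finding)
    print(issuer_check("VeriSign, Inc. - VeriSign, Inc.", db, CA_DUMP))
    print(issuer_check("mycertificate", db, LEAF_DUMP))
```

Feed it the real output of `certutil -L -d <certdir>` and `certutil -L -d <certdir> -n <nickname>` instead of the constructed strings to get the same report for your own database; an entry classified as "valid CA (not trusted)" is exactly the c,c,c case the reply above suggests changing with `certutil -M`.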
          • 17. Re: SEC_ERROR_CA_CERT_INVALID
            807807
            1. Do we need to have the server certificate and instance name exactly the same or not?
            No. It is only necessary that the CN value in the certificate's subject DN has the same name as that of the host value in the URL used to access the instance.
            For example, if you had to access your instance as foo.bar.com then the CN value of the certificate's subject DN should be foo.bar.com even if your instance name is uatweb.mycompany.com.
            Please mention the steps for creating another instance.
            Only 1 instance can be created per configuration in any given m/c (host).
            In other words, if you want another instance in the same m/c for the same configuration then it's not allowed/supported/possible.
            One way could be to clone the configuration (with a different name) and then create an instance for the new configuration on the same m/c. You can use the administrative interfaces to clone a configuration.

            HTH.
            • 18. Re: SEC_ERROR_CA_CERT_INVALID
              807567
              I got the exception like

              'webserver host appserver does not match the name of the certificate'
              • 19. Re: SEC_ERROR_CA_CERT_INVALID
                800484
                Can you send the exact line you are seeing in error logs so I can search in code base? (replace confidential machine names with abc or def)
                • 20. Re: SEC_ERROR_CA_CERT_INVALID
                  807567
                  Even though we try to change the attributes as you said, CTu,CTu,CTu, it is still showing CT,C,C

                  In the error log it shows

                  CORE1251: On HTTP listener http-listener-1, server name web.uat.webservname.com does not match subject uat.mycerticate.com of certificate uat.mycerticate.com.
                  [21/Jan/2009:12:42:32] warning (19122): CORE1250: In secure virtual server web.uat.webservname.com , host app.uat.appservername.com does not match subject uat.mycerticate.com of certificate uat.mycerticate.com.

                  Above:
                  mycertifciate.com is nothing but the certificate URL name
                  webservername: web.uat.webservname.com
                  Appservername: app.uat.appservername.com

                  Could you please let me know what is wrong?

                  Thanks and appreciate your help.
                  • 21. Re: SEC_ERROR_CA_CERT_INVALID
                    807567
                    Would you please throw some light on this?
                    • 22. Re: SEC_ERROR_CA_CERT_INVALID
                      800484
                      receivables wrote:
                      Even though we try to change the attributes as you said, CTu,CTu,CTu, it is still showing CT,C,C
                      Yeah, it will show u if the key is also in the db. It's ok, ignore.
                      • 23. Re: SEC_ERROR_CA_CERT_INVALID
                        800484
                        mv wrote:
                        receivables wrote:
                        This is what I get after loading the certificate on web server
                        mycertificate u,u,u
                        VeriSign, Inc. - VeriSign, Inc. CT,,
                        One more thing, can you check
                        $certutil -L -d . -n mycertificate
                        and
                        $certutil -L -d . -n "VeriSign, Inc. - VeriSign, Inc."
                        If they have basic constraints does it have CA somewhere?
                        • 24. Re: SEC_ERROR_CA_CERT_INVALID
                          807567
                          Here is
                          ../../../lib/certutil -L -d . -n "VeriSign, Inc. - VeriSign, Inc."
                          Certificate:
                          Data:
                          Version: 3 (0x2)

                          Signed Extensions:
                          Name: Certificate Basic Constraints
                          Data: Is a CA with a maximum path length of 0.

                          Name: Certificate Policies
                          Data:
                          Policy Name: Verisign User Notices
                          Policy Qualifier Name: PKIX CPS Pointer Qualifier
                          Policy Qualifier Data: "https://www.verisign.com/CPS"

                          Name: Extended Key Usage
                          TLS Web Server Authentication Certificate
                          TLS Web Client Authentication Certificate
                          Strong Crypto Export Approved
                          OID...
                          Name: Certificate Key Usage
                          Usages: Certificate Signing
                          CRL Signing

                          Name: Certificate Type
                          Data: <SSL CA,S/MIME CA>

                          Name: CRL Distribution Points
                          URI: "http://crl.verisign.com..


                          Certificate Trust Flags:
                          SSL Flags:
                          Valid CA
                          Trusted CA
                          Trusted Client CA
                          Email Flags:
                          Object Signing Flags:

                          and

                          here is our certificate

                          ../../bin/certutil -L -d . -n uat.mywebservercertifcate.com
                          Certificate:
                          Subject: "CN=uat.mywebservercertifcate.com,OU=testing,O=myCompany,L=I,ST=G,C=US"

                          Signed Extensions:
                          Name: Certificate Subject Alt Name
                          DNS name: "uat.mywebservercertifcate.com"

                          Name: Certificate Basic Constraints
                          Data: Is not a CA.

                          Name: Certificate Key Usage
                          Usages: Digital Signature
                          Key Encipherment

                          Name: CRL Distribution Points
                          URI: "http://crl.verisign.com/..
                          Name: Certificate Policies
                          Data:
                          Policy Name: Verisign Class 3 Certificate Policy
                          Policy Qualifier Name: PKIX CPS Pointer Qualifier
                          Policy Qualifier Data: "https://www.verisign.com.."

                          Name: Extended Key Usage
                          Strong Crypto Export Approved
                          TLS Web Server Authentication Certificate
                          TLS Web Client Authentication Certificate

                          Name: Authority Information Access
                          Method: PKIX Online Certificate Status Protocol
                          Location:
                          URI: "http://ocsp.verisign.com..




                          Certificate Trust Flags:
                          SSL Flags:
                          User
                          Email Flags:
                          User
                          Object Signing Flags:
                          User


                          Would you please help us to resolve this issue?
                          Tell me what should i do in order to move further.
                          • 25. Re: SEC_ERROR_CA_CERT_INVALID
                            800484
                            One more question is App. Server server certificate "VeriSign, Inc. - VeriSign, Inc." or "Verisign Class 3 Public Primary Certification Authority" ?

                            I see you have 2 certificates in App. Server :
                            "Verisign Class 3 Public Primary Certification Authority" c,c,c
                            VeriSign, Inc. - VeriSign, Inc. CT,,

                            As far as I remember you said the App. Server certificate was self signed. What does the App. Server return when you connect to it via ssltap? Refer to http://blogs.sun.com/jyrivirkki/entry/observing_ssl_requests . Do you get 2 certificates or 1? (you will see cert.001 and cert.002 etc. getting created)
                            • 26. Re: SEC_ERROR_CA_CERT_INVALID
                              807567
                              It is required to import web server certificates into application server.

                              I have created self-signed certificate from app.server and then exported into web server. The web server certificate is imported into app. server.

                              This is how we configured it.
                              • 27. Re: SEC_ERROR_CA_CERT_INVALID
                                807567
                                Yes. We have two Verisign certificates which come along with our certificate.
                                • 28. Re: SEC_ERROR_CA_CERT_INVALID
                                  807567
                                  Given that you have configured the web server as a reverse proxy, you will find an entry similar to the following in the <instance-name>-obj.conf.
                                  <Object name="reverse-proxy-/">
                                  Route fn="set-origin-server" server="http://abc.com:<port_number>"
                                  </Object>
                                  The value of the server parameter (i.e. http://abc.com:<port_number>) is the application server hostname and you have to make sure that the subject name of the certificate on the application server is EXACTLY the same as being specified here.

                                  Hope this helps!!
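The rule in replies 17 and 28 (the host in the URL the web server connects to must equal the CN in the origin certificate's subject) and the CORE1250/CORE1251 warnings quoted in reply 20 can be checked before restarting anything. The following is an added Python example, not code from the thread or from the web server; it extends the thread's exact-CN rule to SAN DNS names and single-label wildcards, which is how TLS clients generally compare names. The obj.conf fragment (with an https scheme, assumed here) and the certificate name lists are constructed; the warning line in the usage section is the one quoted in the thread.

```python
"""Check the reverse-proxy origin host against the origin's certificate names.

Added example, not code from the thread or from the web server. It applies
the rule stated in the replies above (the host in the set-origin-server URL
must equal the certificate's subject CN) and extends it to SAN DNS names
and single-label wildcards. Config and certificate names are constructed.
"""
import re
from urllib.parse import urlsplit

# Constructed reverse-proxy fragment in the obj.conf shape shown above
# (https scheme assumed, since the origin is an SSL-enabled app server).
OBJ_CONF = """\
<Object name="reverse-proxy-/">
Route fn="set-origin-server" server="https://app.uat.appservername.com:8443"
</Object>
"""

# Constructed name lists for the origin certificate: CN only, then CN plus a SAN.
CERT_NAMES_BAD = ["uat.mycerticate.com"]
CERT_NAMES_GOOD = ["uat.mycerticate.com", "app.uat.appservername.com"]

ROUTE_RE = re.compile(r'fn="set-origin-server"\s+server="(?P<url>[^"]+)"')
CORE1250_RE = re.compile(
    r"CORE1250: .*?\bhost (?P<host>\S+) does not match subject (?P<subject>\S+) of certificate"
)

def origin_host(obj_conf):
    """Hostname from the set-origin-server Route, or None when no such line exists."""
    m = ROUTE_RE.search(obj_conf)
    return urlsplit(m["url"]).hostname if m else None

def hostname_matches(host, cert_names):
    """Case-insensitive comparison of a host against the certificate's names.
    A '*' is honoured only as the entire leftmost label (*.example.com)."""
    host = host.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "*" not in name[2:]:
            suffix = name[1:]  # ".example.com"
            prefix = host[: -len(suffix)] if host.endswith(suffix) else ""
            if prefix and "." not in prefix:
                return True
    return False

def parse_mismatch(log_line):
    """(host, subject) from a CORE1250 warning, or None for other lines."""
    m = CORE1250_RE.search(log_line)
    return (m["host"], m["subject"]) if m else None

def check_origin(obj_conf, cert_names):
    """Report whether the configured origin host would pass the certificate check."""
    host = origin_host(obj_conf)
    if host is None:
        return "no set-origin-server Route found"
    if hostname_matches(host, cert_names):
        return f"ok: {host} matches a certificate name"
    return (f"mismatch: origin host {host} is not among {cert_names}; "
            f"reissue the origin certificate with CN or SAN {host}, "
            f"or point the Route at a name the certificate carries")

if __name__ == "__main__":
    line = ("[21/Jan/2009:12:42:32] warning (19122): CORE1250: In secure virtual server "
            "web.uat.webservname.com , host app.uat.appservername.com does not match "
            "subject uat.mycerticate.com of certificate uat.mycerticate.com.")
    print(parse_mismatch(line))
    print(check_origin(OBJ_CONF, CERT_NAMES_BAD))
    print(check_origin(OBJ_CONF, CERT_NAMES_GOOD))
```

Run against the real `<instance-name>-obj.conf` and the names printed by `certutil -L -n <nickname>` (the Subject CN and any "Certificate Subject Alt Name" entries), the mismatch report says which side to change: either the origin certificate's names or the server parameter in the Route.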
                                  • 29. Re: SEC_ERROR_CA_CERT_INVALID
                                    807567
                                    Thanks for all your inputs. I really appreciate.

                                    I did all the steps but I got the same exception.

                                    I have valid Verisign CA certificate along with my certificate which is installed on web server. In the application server side we have generated self-signed certificate as subject name of the application server hostname. Is that correct?

                                    I have configured the reverse proxy too, pointing to the application server host name. I have tested SSL on a local machine by generating a self-signed certificate in both web and app server. But when I do the steps with the real certificate in the UAT environment, it causes the exception.

                                    Could you please throw some light on this?