Forum Discussion
APM: X509_verify_cert failed: error #: 20 at depth 0, error message:unable to get local issuer certificate
I'm having an issue with certificates on Macintosh systems generating this error when attempting to use client certificate authentication.
I have the proper CA-bundle applied and a similar configuration works fine for Windows machines. I've modified the settings to use System.keychain and updated the certificate issuer to match .* - any thoughts on proper methods to troubleshoot this would be appreciated.
16 Replies
- Kevin_Stewart
Employee
A few questions:
1. Is this a multi-level PKI (i.e. root CA -> subordinate CA -> subordinate CA -> subject)?
2. If so, do you have the complete CA chain installed in your CA bundle used in the client SSL profile?
3. Do your Windows machines have all or most of these CAs installed?
4. Do your Mac machines have all or most of these CAs installed?
- mrichter
Nimbostratus
1.) Yes, root CA -> sub CA
2.) Yes
3.) Yes
4.) Yes
Another thing to note - if I use a web browser and either do on-demand certificate or request the certificate at the SSL Profile, this works fine.
The issue seems to be with the Edge Client itself.
- Kevin_Stewart
Employee
I haven't been able to reproduce your exact error, but have you by chance created an identity preference for your client certificate?
- mrichter
Nimbostratus
Kevin,
I hadn't previously - just tried the identity preference with the same result.
- kunjan
Nimbostratus
Does this shed any clue?
security find-identity -p ssl-client -v
- mrichter
Nimbostratus
Kunjan - the proper identity does show up - however a second identity shows up as well which shouldn't be used in ssl-client at all.
- mrichter
Nimbostratus
This looks like the issue - for some reason the Edge Client doesn't seem to loop through the certificates and picks the first one in this list. I temporarily deleted the first identity certificate and now things are working as expected. Thoughts on the best way to resolve this?
- kunjan
Nimbostratus
How about using the CLI:
security set-identity-preference -s "https://vpn.domain.com/" -n -c "username or common name"
- mrichter
Nimbostratus
I believe this may have been solved previously, but just in case anyone else runs into it: the issue was the multiple client certificates being available. Methods to resolve are forcing the client to use a particular certificate when connecting to the VPN or properly marking the "Match Issuer" field in the Machine Cert Auth policy. Thanks for the help, Kunjan and Kevin.
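The two commands quoted above (find-identity to list what the keychain offers for the ssl-client policy, set-identity-preference to pin one identity to the VPN URL) can be turned into a quick check for the condition this thread describes: more than one valid identity, of which Edge Client takes the first. The script below is an added example, not code from the thread or from F5; the find-identity output it parses is constructed, and the hashes, names and URL are placeholders.

```shell
# Constructed sample of what `security find-identity -p ssl-client -v` prints
# when two identities match the SSL Client policy (placeholder hashes/names).
SAMPLE_OUTPUT='Policy: SSL Client
  Matching identities
  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Old Laptop Cert"
  2) 89ABCDEF0123456789ABCDEF0123456789ABCDEF "host.example.com"
     2 identities found

  Valid identities only
  1) 0123456789ABCDEF0123456789ABCDEF01234567 "Old Laptop Cert"
  2) 89ABCDEF0123456789ABCDEF0123456789ABCDEF "host.example.com"
     2 valid identities found'

# Print the common names listed under "Valid identities only", one per line,
# in the order the keychain returns them (the first is the one Edge Client used).
valid_identity_names() {
  printf '%s\n' "$1" | awk '
    /Valid identities only/ { in_valid = 1; next }
    in_valid && /^ *[0-9]+\) [0-9A-Fa-f]+ "/ {
      sub(/^[^"]*"/, ""); sub(/"[^"]*$/, ""); print
    }'
}

# Number of valid identities the keychain would offer for client auth.
count_valid_identities() {
  valid_identity_names "$1" | wc -l | tr -d ' '
}

# Exit status 0 when the selection is ambiguous (more than one identity).
needs_identity_preference() {
  [ "$(count_valid_identities "$1")" -gt 1 ]
}

# The command kunjan quoted above, with the VPN URL ($1) and the common name
# of the certificate that should be used ($2) filled in.
pin_identity_command() {
  printf 'security set-identity-preference -s "%s" -n -c "%s"\n' "$1" "$2"
}

# On a real Mac replace SAMPLE_OUTPUT with: "$(security find-identity -p ssl-client -v)"
if needs_identity_preference "$SAMPLE_OUTPUT"; then
  echo "Ambiguous: $(count_valid_identities "$SAMPLE_OUTPUT") ssl-client identities; pin one, e.g.:"
  pin_identity_command "https://vpn.domain.com/" "host.example.com"
fi
```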
- njseq
Altostratus
Hi guys,
I'm having this issue on a particular machine. It has a machine certificate installed and working, but Edge Client inspects the machine and does not find it. It gives me that same error: X509_verify_cert failed: error #: 20 at depth 0, error message:unable to get local issuer certificate
What can it be? What is missing? Other machines work fine.
Thanks.
NS