Forum Discussion
custom clientssl profile not working & giving warning to clients.
Hi, we have deployed LTM with a custom client SSL profile. The SSL certificate is from GoDaddy and we have imported the client SSL certificate, private key, and bundle certificate. We also configured the bundle certificate in the Chain parameter; however, for one VS it is working fine, but for the other VS it's giving a warning to the client. What could be the reason and a possible solution? We have verified the SSL certificates with the keys, as well as the certificates and bundle, through openssl commands and it is OK.
5 Replies
- Pranav_73262
Nimbostratus
Note: the parent profile is the default clientssl profile and we are using a wildcard certificate with one wildcard.

What warning does the client get?
It could have something to do with the hostname and what the certificate is good for. Could you share that information?
If not, just check yourself what the hostname is you are going to and what the certificate CN is. Remember that with a *.domain.com wildcard certificate you usually can't use it on domain.com.
- Kevin_Stewart
Employee
A client side certificate error is usually one of three things. The certificate that the server has presented to the client in the SSL handshake:
- Is expired or invalid in some way.
- Its x509 subject (or subjectAltName) is not the same host name that the client requested (this also happens when you access by IP address).
- Is not trusted. A client OS/browser will have an explicitly stored list of trusted certificate authority certificates. When the server presents its certificate to the client, the client must be able to establish a complete trust chain with that certificate from the certificates in its store. So for example, if you have a 3-level certificate architecture (CA -> subCA -> issued certs), but the client only has the root CA in its trust store, the client would be unable to build a complete chain. Perhaps the easiest thing to do here is download the server's cert to the affected client machine and open it up. If Windows, go to the Certificate Path tab of the Certificate viewer to see if the client can build the path to the root CA.

For what it's worth, bundle certificates, chain parameters, and trusted and advertised certificate authority options are all only required when the client is passing a certificate to the server. These settings are not used when the server is passing a certificate to the client.
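The three checks in the reply above (expiry, hostname match, and whether the client can build a chain to a root it trusts) can be reproduced offline with openssl. The script below is an added example, not code from the thread or from F5: it constructs a throwaway three-level chain (root -> sub CA -> wildcard leaf, all names such as "Demo Root CA" and "*.example.test" made up) and then verifies the leaf the way a client holding only the root would, once with the correct intermediate bundle, once with an unrelated "wrong bundle", and once with no bundle at all. It also shows the wildcard caveat from the earlier reply: `*.example.test` matches `www.example.test` but not `example.test`. It assumes an OpenSSL 1.1.1 or newer binary on PATH.

```shell
# Added example (not from the thread): build root -> sub CA -> wildcard leaf
# and check it the way a browser would. All names below are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certs
cd "$WORK"

# Create the demo chain plus an unrelated CA cert standing in for a "wrong bundle".
make_chain() {
  # Self-signed root; 'req -x509' marks it CA:TRUE by default
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Demo Root CA" -keyout root.key -out root.crt 2>/dev/null
  # Intermediate (sub CA) signed by the root
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Demo Sub CA" -keyout sub.key -out sub.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > sub.ext
  openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 30 -sha256 -extfile sub.ext -out sub.crt 2>/dev/null
  # Wildcard server (leaf) certificate signed by the intermediate
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=*.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.example.test\nextendedKeyUsage=serverAuth\n' > leaf.ext
  openssl x509 -req -in leaf.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
    -days 30 -sha256 -extfile leaf.ext -out leaf.crt 2>/dev/null
  # Unrelated CA: what the client sees when the wrong bundle is in the Chain parameter
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=Unrelated CA" -keyout wrong.key -out wrong.crt 2>/dev/null
}

# chain_status BUNDLE: "ok" if a client that trusts only root.crt can build a
# path to leaf.crt using the intermediates in BUNDLE ('' = no bundle sent).
chain_status() {
  if [ -n "$1" ]; then
    openssl verify -CAfile root.crt -untrusted "$1" leaf.crt >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -CAfile root.crt leaf.crt >/dev/null 2>&1 && echo ok || echo fail
  fi
}

# hostname_status HOST: "ok" if leaf.crt is valid for the name the client requested
# (full chain supplied, so only the subject/SAN check can fail here).
hostname_status() {
  openssl verify -CAfile root.crt -untrusted sub.crt -verify_hostname "$1" leaf.crt \
    >/dev/null 2>&1 && echo ok || echo fail
}

# expiry_status: "ok" if the leaf is not expired right now (-checkend 0)
expiry_status() {
  openssl x509 -in leaf.crt -noout -checkend 0 >/dev/null 2>&1 && echo ok || echo fail
}

make_chain
echo "leaf not expired:            $(expiry_status)"
echo "chain with correct bundle:   $(chain_status sub.crt)"
echo "chain with wrong bundle:     $(chain_status wrong.crt)"
echo "chain with no bundle:        $(chain_status '')"
echo "host www.example.test:       $(hostname_status www.example.test)"
echo "host example.test:           $(hostname_status example.test)"
```

The "wrong bundle" and "no bundle" cases both fail with the same underlying error (openssl reports "unable to get local issuer certificate"), which is exactly what a browser turns into an untrusted-certificate warning: the client has the root but cannot reach it from the leaf. Against a live virtual server the equivalent check is `openssl s_client -connect host:443 -servername host -showcerts`, which prints every certificate the VS actually sends so you can see whether the intermediate is present.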
- Pranav_73262
Nimbostratus
Thanks. It is working now somehow.
- Pranav_73262
Nimbostratus
We got the wrong bundle, and hence it was creating the issue. We added the correct bundle in the Chain parameter and it started working fine. Thanks.