Forum Discussion
Need value for session.ssl.cert.valid
Okay, so just to be clear, you previously said,
RCA1 (called RCA1-CA) certificate issuer is self (since it is the root)
SCA1 (called xxx-SCA1-CA) issuer is RCA1-CA
And you had RCA1 as the trusted certificate authority and SCA1 as the advertised certificate authority. This is incorrect. You need BOTH certificates in a single bundle file and applied to the trusted certificate authorities selection. A bundle is a single text file that contains the PEM versions of multiple certificates. Example:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
So in your case, you'd need to create a bundle file that contains:
RCA1
SCA1
The advertised certificate authority selection plays no part in the validation of the client certificate. The difference between the different browsers may have to do with whether or not these browsers have copies of both CA certs, and whether or not they send them in the TLS handshake. Most browser clients will send the client certificate, and any available subordinate CAs (but not the root CA) to the server, in case the server doesn't have these. If you do an SSLDUMP on the client side, you'll probably see the difference - some browsers will send the client cert only, and some will send the client cert and a subordinate CA (or CAs). The better option is to always have these CA certs available in the trusted bundle, not relying on the client to send them.
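The browser-dependent behaviour described in the reply above, reproduced with `openssl verify` as an added example (not part of the original reply, and not F5 configuration). It builds a constructed throwaway PKI that reuses the thread's CA names; using OpenSSL's chain building as a stand-in for the server's client-certificate validation is an assumption, and `-untrusted` models the subordinate CA a client may send in its handshake.

```shell
# Constructed throwaway PKI named after the thread's CAs (added example).
# make_pki DIR: RCA1 (root), SCA1 (issued by RCA1), client (issued by SCA1),
# and bundle.pem = RCA1 + SCA1 concatenated in one PEM file.
make_pki() (
  cd "$1" || exit 1
  cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
EOF
  newkey="-newkey rsa:2048 -nodes -config pki.cnf"
  sign="-req -days 2 -CAcreateserial -extfile pki.cnf"
  openssl req -x509 $newkey -extensions ca -days 2 -subj "/CN=RCA1-CA" \
    -keyout rca1.key -out rca1.pem 2>/dev/null &&
  openssl req -new $newkey -subj "/CN=xxx-SCA1-CA" \
    -keyout sca1.key -out sca1.csr 2>/dev/null &&
  openssl x509 $sign -extensions ca -in sca1.csr \
    -CA rca1.pem -CAkey rca1.key -out sca1.pem 2>/dev/null &&
  openssl req -new $newkey -subj "/CN=client" \
    -keyout client.key -out client.csr 2>/dev/null &&
  openssl x509 $sign -extensions leaf -in client.csr \
    -CA sca1.pem -CAkey sca1.key -out client.pem 2>/dev/null &&
  cat rca1.pem sca1.pem > bundle.pem
)
# verify_client TRUSTED CERT [SENT]: succeeds if CERT chains to a CA in TRUSTED.
# SENT models subordinate CA certs the client included in its handshake.
verify_client() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}
report() { verify_client "$2" "$3" "$4" && echo "$1: valid" || echo "$1: NOT valid"; }
d=$(mktemp -d) && make_pki "$d" && {
  report "trusted=RCA1,   client sends cert only" "$d/rca1.pem" "$d/client.pem"
  report "trusted=RCA1,   client sends cert+SCA1" "$d/rca1.pem" "$d/client.pem" "$d/sca1.pem"
  report "trusted=bundle, client sends cert only" "$d/bundle.pem" "$d/client.pem"
}
rm -rf "$d"
```

Only the first case fails: with RCA1 alone trusted, validation succeeds only when the client happens to supply SCA1, while the bundle validates the certificate regardless of what the client sends.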