SSL Client Certification Alert 46 Unknown CA
We are seeing 'Alert 46 Unknown CA' as part of the initial TLS handshake between client & server. From a Wireshark capture, the 1st Client Hello is visible, followed by the 'server hello, certificate, server key exchange, certificate request, hello done'. As part of this exchange, TLS version 1.2 is agreed, along with the agreed cipher. The next packet in the flow is an ACK from the source, followed by Alert (Fatal), Description: Certificate Unknown. I cannot see anywhere in the capture a certificate provided by the client.
This behaviour occurs regardless of the client authentication/client certificate setting (ignore/request/require).
I have run openssl s_client -connect x.x.x.x:443 as a test (from the BIG-IP) and I see the server side certs and 'No client certificate CA names sent', which is expected as no client cert was sent.
The end client has not reinstalled the client certificate as yet (3 day lead time).
Are there any additional troubleshooting steps I can undertake to confirm the client is either rejecting the server certificate and therefore not returning the client certificate?
Kind Regards
Cool. If it's a web-based application and the browser is the client then yes, it would be present. But if it's an API call with server-to-server communication they might need to install it explicitly.
Also, another thing I would check on the F5 clientssl profile is whether the CA cert is correctly added to the chain (in case it's not bundled with the server cert). Meanwhile, please verify that part as well.
Update - Thanks for all your suggestions, most helpful!! This turned out to be a client-side cert password issue; the client cert was re-installed and it is now working.
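Added example, not part of the original thread: the check asked about in the question (did the server request a client certificate, did the client send one, and which side raised which alert) run over the plaintext TLS 1.2 record bytes of each direction, as they could be exported from a capture. The function names and sample bytes are constructed for illustration; it assumes records sent before ChangeCipherSpec and handshake messages that are not fragmented across records.

```python
import struct

# Subset of TLS 1.2 alert descriptions (RFC 5246, section 7.2).
ALERTS = {42: "bad_certificate", 43: "unsupported_certificate", 44: "certificate_revoked",
          45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca"}
HS_CERTIFICATE, HS_CERT_REQUEST = 11, 13
CT_ALERT, CT_HANDSHAKE = 21, 22

def records(stream):
    """Yield (content_type, payload) for each plaintext TLS record in a byte stream."""
    pos = 0
    while pos + 5 <= len(stream):
        ctype, _ver, length = struct.unpack_from("!BHH", stream, pos)
        yield ctype, stream[pos + 5:pos + 5 + length]
        pos += 5 + length

def summarize(stream):
    """Return (handshake message types, alerts) seen in one direction of the flow."""
    hs_types, alerts = [], []
    for ctype, payload in records(stream):
        if ctype == CT_HANDSHAKE:
            off = 0
            while off + 4 <= len(payload):  # 1-byte type + 3-byte length per message
                hs_types.append(payload[off])
                off += 4 + int.from_bytes(payload[off + 1:off + 4], "big")
        elif ctype == CT_ALERT and len(payload) == 2:
            level = "fatal" if payload[0] == 2 else "warning"
            alerts.append((level, ALERTS.get(payload[1], f"alert_{payload[1]}")))
    return hs_types, alerts

def diagnose(client_stream, server_stream):
    """Compare both directions: was a client cert requested, sent, and who alerted."""
    c_hs, c_alerts = summarize(client_stream)
    s_hs, s_alerts = summarize(server_stream)
    return {"server_requested_client_cert": HS_CERT_REQUEST in s_hs,
            "client_sent_certificate": HS_CERTIFICATE in c_hs,
            "client_alerts": c_alerts, "server_alerts": s_alerts}

# Constructed sample bytes (not from a real capture): message bodies are empty stubs.
def _hs(*types):
    body = b"".join(bytes([t, 0, 0, 0]) for t in types)
    return struct.pack("!BHH", CT_HANDSHAKE, 0x0303, len(body)) + body

SAMPLE_SERVER = _hs(2, 11, 12, 13, 14)  # ServerHello .. CertificateRequest, HelloDone
SAMPLE_CLIENT = _hs(1) + struct.pack("!BHHBB", CT_ALERT, 0x0303, 2, 2, 46)

if __name__ == "__main__":
    print(diagnose(SAMPLE_CLIENT, SAMPLE_SERVER))
```

A fatal certificate alert in the client's direction with no client Certificate message before it means the handshake stopped on the client while it was processing the server's flight, which is where the client-side certificate store and trust chain should be checked.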