Forum Discussion
SSL Client Certification Alert 46 Unknown CA
- Apr 15, 2021
Cool. If it's a web-based application and the browser is the client, then yes, it would be present. But if it's an API call with server-to-server communication, they might need to install it explicitly.
Also, the other thing I would check on the F5 clientssl profile is whether the CA cert is correctly added to the chain (in case it's not bundled with the server cert). Meanwhile, please verify that part as well.
- Apr 21, 2021
Update - Thanks for all your suggestions, most helpful!! This turned out to be a client-side cert password issue; client cert re-installed and now working.
Hi Sanjay, Thanks. We have asked the client to confirm; however, the intermediate cert is DigiCert, so we would expect they have.
- NUCUSER, Apr 16, 2021, Cirrus
Hi Sanjay, is there any way to test/confirm the certificate chain on the server side?
The SSL certificate chain comprises /common/wildcard.company123.com.crt, /Common/wildcard.company123.com.key and /Common/digicert_inter.crt
The Intermediate CA chain specified in the client ssl profile (trusted certificate authorities) is XYX_Int_CA_Chain.crt. This crt is present on the F5 along with the wildcard.company123.com.crt cert
Thanks
- spalande, Apr 16, 2021, Nacreous
Yes, if the VIP is internet facing, an easy way would be to check on https://www.sslshopper.com/ssl-checker.html. It would show if the chain is correctly installed.
The other way would be to check in the browser itself; it should show an error if the chain is not correctly installed (something along the lines of it can't trust the authority of the certificate).
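An offline version of the same chain check using `openssl verify`, added here as an example that is not part of any post in this thread. It builds a constructed throwaway PKI (all names, files and the helper functions `make_demo_pki`, `chain_ok` and `demo` are made up) and shows that a leaf only validates when the intermediate is either sent by the peer or present in the trusted bundle.

```shell
#!/usr/bin/env bash
# Added example: constructed throwaway PKI (root -> intermediate -> leaf).
# All names and files here are made up for the demo.
set -eu

make_demo_pki() {  # $1 = empty working directory
  d=$1
  # Self-signed root CA
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
  # Intermediate CA, signed by the root with CA extensions
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
  # Leaf (stands in for the certificate being validated), signed by the intermediate
  openssl req -newkey rsa:2048 -nodes -subj "/CN=client.example.test" \
    -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/leaf.crt" 2>/dev/null
}

# chain_ok TRUSTED_BUNDLE LEAF [EXTRA_INTERMEDIATES]; returns 0 if the chain builds
chain_ok() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
  fi
}

demo() {
  w=$(mktemp -d); make_demo_pki "$w"
  cat "$w/root.crt" "$w/int.crt" > "$w/bundle.crt"
  if chain_ok "$w/root.crt" "$w/leaf.crt"; then echo "root only: OK"
  else echo "root only: FAIL (issuer of leaf not found)"; fi
  if chain_ok "$w/root.crt" "$w/leaf.crt" "$w/int.crt"; then
    echo "peer supplies intermediate: OK"; fi
  if chain_ok "$w/bundle.crt" "$w/leaf.crt"; then
    echo "trusted bundle contains intermediate: OK"; fi
  rm -rf "$w"
}
demo
```

To check real files, call `chain_ok` with the trusted CA bundle as the first argument and the certificate under test as the second.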
- NUCUSER, Apr 16, 2021, Cirrus
Thanks - this check comes back as all good.
- spalande, Apr 16, 2021, Nacreous
Cool, and any feedback from the client end on whether they have the intermediate CA installed on their end?
- NUCUSER, Apr 16, 2021, Cirrus
The client has found a 'possible' cause; waiting on further info from the client. Will keep you posted - tks for your steer.