Forum Discussion

NUCUSER's avatar
NUCUSER
Icon for Cirrus rankCirrus
Apr 14, 2021

SSL Client Certification Alert 46 Unknown CA

We are seeing 'Alert 46 Unknown CA' as part of the initial TLS handshake between client & server. From a wireshark capture, the 1st Client Hello is visible, followed by the 'server hello, certificate...
application delivery
BIG-IP
LTM
security
  • spalande's avatar
    spalande
    Apr 15, 2021

    Cool. If it's a web based application and browser is the client then yes it would be present. But if it's API call with server to server communication they might need to install it explicitly.

    ​Also, other thing I would check on the F5 clientssl profile, if CA cert is correctly added to the chain (in case it's not bundled with the server cert)? Meanwhile, please verify that part as well.

  • NUCUSER's avatar
    NUCUSER
    Apr 21, 2021

    Update - Thanks for all your suggestions, most helpful!! This turned out to be a client side cert password issue, client cert re-installed and now working.

spalande's avatar
spalande
Icon for Nacreous rankNacreous

Cool. If it's a web based application and browser is the client then yes it would be present. But if it's API call with server to server communication they might need to install it explicitly.

​Also, other thing I would check on the F5 clientssl profile, if CA cert is correctly added to the chain (in case it's not bundled with the server cert)? Meanwhile, please verify that part as well.

NUCUSER's avatar
NUCUSER
Icon for Cirrus rankCirrus
Apr 16, 2021

Hi Sanjay, is there anyway to test confirm the certificate chain on the server side?

 

The SSL certificate chain comprises of /common/wildcard.company123.com.crt/Common/wildcard.company123.com.key /Common/digicert_inter.crt

 

The Intermediate CA chain is specified in the client ssl profile (trusted certificate authorities) is XYX_Int_CA_Chain.crt. This crt is present on the F5 along with the wildcard.company123.com.crt cert

 

Thanks