• Status: Solved
  • Priority: Medium
  • Security: Public

Certificate import on Zyxel SSL 10

I've got a certificate problem with my new Zyxel SSL 10 box that I hope someone can help me solve.

I have tried to create a certificate on the SSL box and export this for signing with GoDaddy.
Everything works fine except when I try to import the signed certificate back to the SSL box.
It fails with the error message "Unable to get local issuer certificate".

I have also tried to first import GoDaddy's intermediate certificate, but get the same error message.

Could there be a problem that I'm using a local address on the WAN interface when the DN name in the certificate is registered to an official address?
I have not had this problem in Microsoft IIS.

1 Solution
Paranormastic (Cryptographic Engineer) Commented:
Typically your WAN should be your public 'official' IP address. Do you have this address on a different interface on it (LAN side)? If so, then it depends on how Zyxel handles that scenario.

The cert needs to match the IP address(es) that you are accessing, or a DNS name that you use.  If you need multiple, you can get a SAN cert (a.k.a. multi-domain or UC) to have multiple names in one.

If you issue a cert to the public IP and it isn't valid for the box it is installed on, it will generate a name mismatch warning.

Okay, so that being said... the cert should install anyways, regardless of the name.  The name issue only comes up when the clients access it for validation.

The message you have points to an issue with not handling GoDaddy's root cert. Presumably they sent their root certificate chain to you along with your server cert. Import the root CA and intermediate CA cert to the Zyxel if possible; if you can only do one then use the root. Sometimes you may need to paste them both into the same window, with the intermediate starting on the next line (no blank spaces) after the root, like this:
----begin cert ---
root cert text
----end cert ----
----begin cert---
intermediate cert text
----end cert----

I think that's all there is for GoDaddy offhand; if there is a 3rd+ tier then add that after and so forth.

Can check to make sure you have current firmware 2.00, even if you just bought it...

I wish they had better documentation for this product online, neither version of the user guide shows the commercial cert method from what I'm seeing.  They both just get into how to import the self-signed into the browser.

If none of this solved the issue, I would try contacting GoDaddy's support and/or Zyxel's support and see if they are able to help out. I doubt you're the first person to try a GoDaddy cert on a Zyxel device.

Otherwise, I would suggest maybe looking at another vendor that is in the root store already. Their documentation mentions Verisign, Comodo, and Network Solutions as examples of commercial vendors, so if you cannot view the root store to be sure who is actually on the list, I would try those three; personally I would recommend Comodo. Since you're having an issue getting the cert to install, try contacting the vendor's sales team and see if they can hook you up with a test cert so you can make sure you have compatibility prior to purchase.

Assuming you just got the cert, you should be able to get a refund if you can't get the GoDaddy cert working. I think they do 14 days from purchase if memory serves, but don't quote me.
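
The error text in the question is the same wording OpenSSL uses when it cannot build a path from a certificate up to a trusted root. The script below is an added example, not part of the original thread and not Zyxel or GoDaddy code: it builds a constructed three-level chain (the names Demo Root CA, Demo Intermediate CA and vpn.example.test are made up) and shows the check failing without the root and passing once the root is supplied, either separately or in one root-first file as described in the answer above.

```shell
#!/usr/bin/env bash
# Added example. Constructed throwaway chain: Demo Root CA -> Demo Intermediate CA ->
# vpn.example.test. These are not GoDaddy certificates and nothing here is Zyxel-specific.
work=$(mktemp -d)

# new_csr NAME SUBJECT: create NAME.key and NAME.csr for CN=SUBJECT.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -subj "/CN=$2" -out "$1.csr" 2>/dev/null
}

# Runs in a subshell so the caller's working directory is left alone.
build_chain() (
  cd "$work" || exit 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  new_csr root "Demo Root CA" &&
  openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 30 \
    -out root.pem 2>/dev/null &&
  new_csr int "Demo Intermediate CA" &&
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -extfile ca.ext -days 30 -out int.pem 2>/dev/null &&
  new_csr server "vpn.example.test" &&
  openssl x509 -req -in server.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 30 -out server.pem 2>/dev/null &&
  # One file holding both CA certs, root first, with no blank line between them.
  cat root.pem int.pem > bundle.pem
)

# try_import TRUSTED_FILE INTERMEDIATE_FILE: either argument may be "" (not supplied).
# With no TRUSTED_FILE, OpenSSL falls back to the system store, which lacks the demo root.
# Prints OpenSSL's verdict on server.pem.
try_import() {
  openssl verify ${1:+-CAfile "$1"} ${2:+-untrusted "$2"} "$work/server.pem" 2>&1
}

build_chain || echo "chain generation failed" >&2
echo "intermediate only:";      try_import "" "$work/int.pem" || true
echo "root + intermediate:";    try_import "$work/root.pem" "$work/int.pem" || true
echo "single root-first file:"; try_import "$work/bundle.pem" "" || true
```

To inspect a real chain before importing it, `openssl x509 -noout -subject -issuer -in FILE` on each certificate shows which issuer is still missing.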
elit2007 (Author) Commented:
Wow, thanks for an excellent answer! I forgot to tell that I have already been talking to Zyxel support, but there wasn't much useful help to get there. But thanks to you I don't care, because my problem is solved :0) All I had to do was import the root certificate and then everything worked :0) Thanks again!!!
I think I should post the solution in the Zyxel forum so other people know what to do; as you mention, the Zyxel manual sucks!
Paranormastic (Cryptographic Engineer) Commented:
Always glad to help - feel free to cross-post, I'm just here to help so it doesn't put me out any.  If my answer can help out more people, that makes things even better.
Hi, new to Experts Exchange, so apologies if this should be posted as a new question. I have exactly the same problem as elit2007. I would like to know what type of certificate you used from Go Daddy: Apache, IIS, Tomcat etc. How and what did you import as the root certificate? I have tried all sorts of combinations and still cannot import successfully. Any help gratefully received.
Question has a verified solution.
