iamuser
asked on
SSL certificate issue, is it a domain name issue?
I have a third party SSL cert that I'm using for one of my websites (https access). The website is behind my firewall.
External, public DNS name of the url is mysite.com and has a public address which is mapped to an internal IP of the website.
The SSL cert contains the name: mysite.com (matching the public DNS record)
The internal name of site is mysite.home.com
Users are getting this error when they connect:
SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Is this because the internal FQDN name does not match the external name that's on the SSL cert?
That's a Certificate Chain error there, not a name mismatch.
Check the internal users are allowed to reach the intermediate certificate listed in the authority access field on the certificate, or in the alternative (if you don't want them having access to that) download it and push it out via group policy?
For certificates you need to get everything right.
Chain must validate, the top CA certificate must be trusted.
The current date must be valid on all certificates in the chain.
The subject of the service certificate must match the name that is used as hostname.
The Certificate is checked BEFORE any data (like http host: header tag) is transferred.
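A small diagnostic for the checks listed in the replies above, added here as an example and not code from the thread: it attempts a verified TLS handshake and reports whether the chain, the dates or the name failed. The function names and the grouping of OpenSSL verify codes are this example's own choices.

```python
import socket
import ssl
import sys

# OpenSSL X509_V_ERR_* verify codes grouped by the checks named in the replies.
CHAIN_CODES = {2, 18, 19, 20, 21}  # issuer not found, self-signed, leaf unverifiable
DATE_CODES = {9, 10}               # not yet valid, expired
NAME_CODES = {62}                  # hostname mismatch


def classify(verify_code):
    """Map an OpenSSL verify code to the check that failed."""
    if verify_code in CHAIN_CODES:
        return "chain"
    if verify_code in DATE_CODES:
        return "dates"
    if verify_code in NAME_CODES:
        return "name"
    return "other"


def diagnose(host, port=443, cafile=None, timeout=5.0):
    """Attempt a verified handshake and return (category, detail).

    cafile is an optional PEM bundle; when given, only the CAs in it are
    trusted, which lets you test a bundle before distributing it.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            # server_hostname is the name checked against the certificate;
            # the check happens during the handshake, before any HTTP data.
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "ok", tls.version()
    except ssl.SSLCertVerificationError as exc:
        return classify(exc.verify_code), exc.verify_message
    except OSError as exc:  # refused, timeout, DNS failure, other TLS errors
        return "connection", str(exc)


if __name__ == "__main__":
    # Usage: python tls_diag.py <name-as-users-type-it> [more names...]
    for name in sys.argv[1:]:
        print(name, *diagnose(name))
```

Run it from an affected internal client once with each name users actually type, so the result reflects that client's trust store and DNS view.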
ASKER
So the problem is that internal users are not reaching the server that holds the CA certificate?
ASKER CERTIFIED SOLUTION
mysite.com must be the web server where your certificate is stored