Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 309
  • Last Modified:

SSL certicate issue, is it a domain name issue?

I have a third party SSL cert that I'm using for one of my websites (https access). The website is behind my firewall.

External, public DNS name of the url is mysite.com and has a public address which is mapped to an internal IP of the website.

The SSL cert contains the name: mysite.com (matching the public DNS record)

The internal name of site is mysite.home.com

Users are getting this error when they connect:

SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Is this because the internal FQDN name does not match the external name that's on the SSL cert?
0
iamuser
Asked:
iamuser
1 Solution
 
ahoffmannCommented:
the SSL endpoint must be mysite.com, then the user will not get an certificate error
mysite.com must be the web server where your certificate is stored
0
 
Dave HoweCommented:
That's a Certificate Chain error there, not a name missmatch.
Check the internal users are allowed to reach the intermediate certificate listed in the authority access field on the certificate, or in the alternative (if you don't want them having access to that) download it and push it out via group policy?
0
 
nociSoftware EngineerCommented:
for certificates you need to get everithing right.

Chain must validate, the top CA certificate must be trusted.
The current date must be valid on all certificates in the chain.
The subject of the service certificate must match the name that is used as hostname.
The Certificate is checked BEFORE any data (like http host: header tag) is tranferred.
0
 
iamuserAuthor Commented:
So the problem is that internal users are not reaching the server that's holds the CA certificate?
0
 
nociSoftware EngineerCommented:
No they are reaching the server but they cannot validate all ceritificate.

(click the icon left of the url for an explanation, and check the certificate chain )

Top most certificate must be trusted & valid
-- intermediate certificate - must be valid
  -- intermediate certificate  - must be valid
    -- server certificate must containt the hostname & be valid.

For your server certificate:

mysite.home.com        for internal users
mysite.com                   for external users...

So you need a certificate that contains BOTH names.
(Subject Alternate Name / SAN certificate)

And, no, you cannot have more than ONE certificate for each IP addres/Portnumer pair.
0

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now