Solved

SSL certificate issue, is it a domain name issue?

Posted on 2013-05-23
Last Modified: 2013-07-11
I have a third party SSL cert that I'm using for one of my websites (https access). The website is behind my firewall.

External, public DNS name of the url is mysite.com and has a public address which is mapped to an internal IP of the website.

The SSL cert contains the name: mysite.com (matching the public DNS record)

The internal name of site is mysite.home.com

Users are getting this error when they connect:

SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Is this because the internal FQDN name does not match the external name that's on the SSL cert?
Question by:iamuser
5 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 39193471
the SSL endpoint must be mysite.com, then the user will not get a certificate error
mysite.com must be the web server where your certificate is stored
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39193606
That's a Certificate Chain error there, not a name mismatch.
Check the internal users are allowed to reach the intermediate certificate listed in the authority access field on the certificate, or in the alternative (if you don't want them having access to that) download it and push it out via group policy?
0
 
LVL 40

Expert Comment

by:noci
ID: 39193679
for certificates you need to get everything right.

Chain must validate, the top CA certificate must be trusted.
The current date must be valid on all certificates in the chain.
The subject of the service certificate must match the name that is used as hostname.
The Certificate is checked BEFORE any data (like http host: header tag) is transferred.
0
 

Author Comment

by:iamuser
ID: 39250113
So the problem is that internal users are not reaching the server that holds the CA certificate?
0
 
LVL 40

Accepted Solution

by:
noci earned 1500 total points
ID: 39251464
No, they are reaching the server, but they cannot validate all certificates.

(click the icon left of the url for an explanation, and check the certificate chain )

Top most certificate must be trusted & valid
-- intermediate certificate - must be valid
  -- intermediate certificate  - must be valid
    -- server certificate must contain the hostname & be valid.

For your server certificate:

mysite.home.com        for internal users
mysite.com                   for external users...

So you need a certificate that contains BOTH names.
(Subject Alternate Name / SAN certificate)

And, no, you cannot have more than ONE certificate for each IP address/port number pair.
0
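
The thread turns on whether the failure is a chain problem or a name mismatch. The Python sketch below is an added example, not part of the original thread, and it checks the two separately. `diagnose`, `name_matches`, `fetch_verified_cert` and the sample certificate are constructed for illustration. The certificate dict uses the format returned by `ssl.SSLSocket.getpeercert()`.

```python
import socket
import ssl
import time

def name_matches(pattern, hostname):
    """Compare one dNSName entry with a hostname; '*' may only be the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h

def diagnose(cert, hostname, now=None):
    """Return a list of problems with a leaf certificate in getpeercert() dict form."""
    now = time.time() if now is None else now
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # fall back to the subject CN only when no SAN dNSName exists
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not any(name_matches(n, hostname) for n in names):
        problems.append(f"name mismatch: {hostname} not in {names}")
    return problems

def fetch_verified_cert(host, port=443):
    """Verify the chain but skip the name check, so the two failure causes are separated.
    Raises ssl.SSLCertVerificationError when the chain or a validity date fails."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED, so the chain is still checked
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample: a certificate that names only the public host, as in the question.
SAMPLE = {
    "subject": ((("commonName", "mysite.com"),),),
    "subjectAltName": (("DNS", "mysite.com"),),
    "notBefore": "Jan  1 00:00:00 2013 GMT",
    "notAfter": "Jan  1 00:00:00 2014 GMT",
}
NOW = ssl.cert_time_to_seconds("May 23 12:00:00 2013 GMT")
```

Run `diagnose(fetch_verified_cert(name), name)` from an internal client for each hostname users type: an exception from `fetch_verified_cert` points at the chain or trust store, while a non-empty list from `diagnose` points at the names or dates on the server certificate.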
