Solved

SSL certificate issue, is it a domain name issue?

Posted on 2013-05-23
5
294 Views
Last Modified: 2013-07-11
I have a third party SSL cert that I'm using for one of my websites (https access). The website is behind my firewall.

External, public DNS name of the url is mysite.com and has a public address which is mapped to an internal IP of the website.

The SSL cert contains the name: mysite.com (matching the public DNS record)

The internal name of site is mysite.home.com

Users are getting this error when they connect:

SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

Is this because the internal FQDN name does not match the external name that's on the SSL cert?
Question by:iamuser
5 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 39193471
the SSL endpoint must be mysite.com, then the user will not get a certificate error
mysite.com must be the web server where your certificate is stored
 
LVL 33

Expert Comment

by:Dave Howe
ID: 39193606
That's a Certificate Chain error there, not a name mismatch.
Check that the internal users are allowed to reach the intermediate certificate listed in the authority access field on the certificate, or in the alternative (if you don't want them having access to that) download it and push it out via group policy?
 
LVL 40

Expert Comment

by:noci
ID: 39193679
for certificates you need to get everything right.

Chain must validate, the top CA certificate must be trusted.
The current date must be valid on all certificates in the chain.
The subject of the service certificate must match the name that is used as hostname.
The certificate is checked BEFORE any data (like the http Host: header) is transferred.
 

Author Comment

by:iamuser
ID: 39250113
So the problem is that internal users are not reaching the server that holds the CA certificate?
 
LVL 40

Accepted Solution

by:
noci earned 500 total points
ID: 39251464
No, they are reaching the server but they cannot validate all certificates.

(click the icon left of the url for an explanation, and check the certificate chain)

Top most certificate must be trusted & valid
-- intermediate certificate - must be valid
  -- intermediate certificate - must be valid
    -- server certificate must contain the hostname & be valid.

For your server certificate:

mysite.home.com        for internal users
mysite.com             for external users...

So you need a certificate that contains BOTH names.
(Subject Alternative Name / SAN certificate)

And, no, you cannot have more than ONE certificate for each IP address/port number pair.
