Forum Discussion
16 Replies
- Kevin_StewartEmployee
A few questions:
- Is this a multi-level PKI (i.e. root CA -> subordinate CA -> subordinate CA -> subject)?
- If so, do you have the complete CA chain installed in your CA bundle used in the client SSL profile?
- Do your Windows machines have all or most of these CAs installed?
- Do your Mac machines have all or most of these CAs installed?
- mrichterNimbostratus
1.) Yes, root CA -> sub CA
2.) Yes
3.) Yes
4.) Yes
Another thing to note - if I use a web browser and either do on-demand certificate or request the certificate at the SSL Profile, this works fine.
The issue seems to be with the Edge Client itself.
- Kevin_StewartEmployee
I haven't been able to reproduce your exact error, but have you by chance created an identity preference for your client certificate?
- mrichterNimbostratus
Kevin,
I hadn't previously - just tried the identity preference with the same result.
- kunjanNimbostratus
Does this shed any clue?
security find-identity -p ssl-client -v
- mrichterNimbostratus
Kunjan - the proper identity does show up - however a second identity shows up as well which shouldn't be used in ssl-client at all.
- mrichterNimbostratus
This looks like the issue - for some reason the Edge Client doesn't seem to loop through the certificates and picks the first one in this list. I temporarily deleted the first identity certificate and now things are working as expected. Thoughts on the best way to resolve this?
- kunjanNimbostratus
How about cli using
security set-identity-preference -s "https://vpn.domain.com/" -n -c "username or common name"
- mrichterNimbostratus
I believe this may have been solved previously, but just in case anyone else runs into it the issue was the multiple client certificates being available.
Methods to resolve are forcing the client to use a particular certificate when connecting to the VPN or properly marking the "Match Issuer" field in the Machine Cert Auth policy.
Thanks for the help Kunjan and Kevin
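The two remedies in the post above come down to one check and one command on the Mac: list the identities the keychain considers valid for the SSL Client policy, and if there is more than one, pin the machine certificate to the VPN URL so the client never has to choose. The script below is an added example, not code from the thread or from F5. It does not call `security` itself; instead it parses a constructed sample of `security find-identity -p ssl-client -v` output (hashes, common names and the VPN URL are placeholders), counts the eligible identities, and prints the `security set-identity-preference -s <url> -c <common name>` command to run. Pipe real `find-identity` output into `diagnose` to use it on an actual machine.

```shell
#!/bin/sh
# Added example, not code from the thread or from F5: parse the output of
#   security find-identity -p ssl-client -v
# (macOS keychain CLI) to detect the condition described above, more than one
# identity eligible for the SSL Client policy, and emit the
# set-identity-preference command that pins one identity to the VPN URL.
# SAMPLE_FIND_IDENTITY is constructed to look like that command's output;
# the hashes, common names and URL are placeholders.

SAMPLE_FIND_IDENTITY='Policy: SSL Client
  Valid identities only
  1) 0A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D "machine01.corp.example"
  2) F0E1D2C3B4A5968778695A4B3C2D1E0FF0E1D2C3 "jdoe@corp.example"
     2 valid identities found'

# Print the common name of each identity listed, one per line.
# Lines of interest look like:   N) <SHA-1 hash> "<name>"
list_identity_names() {
    printf '%s\n' "$1" | sed -n 's/^ *[0-9][0-9]*) [0-9A-Fa-f]* "\(.*\)"$/\1/p'
}

# Number of identities the SSL Client policy would offer the client.
count_identities() {
    list_identity_names "$1" | awk 'END { print NR }'
}

# Command that pins one identity to the VPN service URL (printed, not run).
# $1 = VPN URL exactly as the client requests it, $2 = common name to pin.
identity_preference_command() {
    printf 'security set-identity-preference -s "%s" -c "%s"\n' "$1" "$2"
}

# Classify the keychain state and print the remediation.
# $1 = find-identity output, $2 = VPN URL, $3 = expected machine cert CN.
diagnose() {
    n=$(count_identities "$1")
    if [ "$n" -eq 0 ]; then
        echo "no identity is valid for the SSL Client policy: check that the certificate, its private key and its issuing CA chain are all in the keychain"
    elif [ "$n" -eq 1 ]; then
        echo "one identity found; the client has nothing to choose between"
    elif list_identity_names "$1" | grep -qxF "$3"; then
        echo "$n identities found; pin the machine certificate with:"
        identity_preference_command "$2" "$3"
    else
        echo "$n identities found, but the expected CN '$3' is not one of them"
    fi
}

diagnose "$SAMPLE_FIND_IDENTITY" "https://vpn.domain.com/" "machine01.corp.example"
```

The preference is keyed on the URL string, so it must match what the Edge Client actually requests (scheme, host and trailing slash); a preference set for a different spelling of the URL is silently ignored and the client is back to picking the first identity.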
- njseqAltostratus
Hi guys,
I'm having this issue on a particular machine. It has a machine certificate installed and working, but when Edge Client inspects the machine it does not find it. It gives me that same error: X509_verify_cert failed: error #: 20 at depth 0, error message: unable to get local issuer certificate
What can it be? What is missing? Other machines work fine...
Thanks.
NS
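The error quoted in the post above is OpenSSL's X509 error 20, reported at depth 0: the verifier found the machine certificate itself but could not find its issuer anywhere in the local trust material. In the multi-level PKI Kevin asked about that is the classic symptom of a subordinate CA that is missing from the bundle. As an added example that is not part of this thread or of F5's software, the script below builds a throwaway root CA -> subordinate CA -> machine certificate PKI with the OpenSSL command line (1.1.1 or later assumed; all names and lifetimes are constructed placeholders), reproduces error 20 by verifying against the root alone, and shows the same certificate verifying once the bundle holds the complete chain.

```shell
#!/bin/sh
# Added example, not code from the thread or from F5: reproduce
# "error 20 at depth 0: unable to get local issuer certificate" with a
# throwaway root CA -> subordinate CA -> machine cert PKI, then show the same
# certificate verifying once the CA bundle contains the complete chain.
# Names and lifetimes are constructed placeholders; requires openssl 1.1.1+.
set -e
command -v openssl >/dev/null || { echo "openssl not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
ROOT="$WORK/root.pem"; SUB="$WORK/sub.pem"; LEAF="$WORK/machine.pem"
CHAIN="$WORK/chain.pem"

# Extensions that make a certificate usable as a CA.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"

# Root CA: self-signed.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
    -out "$WORK/root.csr" -subj "/CN=Example Root CA" 2>/dev/null
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -days 30 -out "$ROOT" 2>/dev/null

# Subordinate CA: issued by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/sub.key" \
    -out "$WORK/sub.csr" -subj "/CN=Example Sub CA" 2>/dev/null
openssl x509 -req -in "$WORK/sub.csr" -CA "$ROOT" -CAkey "$WORK/root.key" \
    -CAcreateserial -extfile "$WORK/ca.ext" -days 30 -out "$SUB" 2>/dev/null

# Machine certificate: issued by the subordinate CA.
openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/machine.key" \
    -out "$WORK/machine.csr" -subj "/CN=machine01.corp.example" 2>/dev/null
openssl x509 -req -in "$WORK/machine.csr" -CA "$SUB" -CAkey "$WORK/sub.key" \
    -CAcreateserial -days 30 -out "$LEAF" 2>/dev/null

# The complete chain the verifier needs: root + subordinate.
cat "$ROOT" "$SUB" > "$CHAIN"

# Verify certificate $2 against bundle $1 for the SSL client purpose.
# Print 0 on success, otherwise the X509 error number OpenSSL reports.
verify_error_code() {
    out=$(openssl verify -purpose sslclient -CAfile "$1" "$2" 2>&1) || true
    case "$out" in
        *": OK") echo 0 ;;
        *) echo "$out" | sed -n 's/.*error \([0-9][0-9]*\) at [0-9]* depth lookup.*/\1/p' | head -n 1 ;;
    esac
}

echo "root only  -> error $(verify_error_code "$ROOT" "$LEAF") (issuer of the machine cert not in the bundle)"
echo "full chain -> error $(verify_error_code "$CHAIN" "$LEAF")"
```

The depth in the message is the useful part when reading this error on a real machine: depth 0 means the certificate whose issuer is missing is the machine certificate itself, so the subordinate CA is what needs to be installed; a higher depth points at a missing issuer further up the chain.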