Former Member
Sep 19, 2012 at 11:49 AM

PI cannot handle irrelevant certificate in chain

Hi.

I have a problem establishing SSL communication with a 3rd party webservice from PI. The certificate chain contains 4 certificates, but two of them are on the same "level", and this seems to be a problem for PI:

- *.<3rd_party_domain>.com (signed by GlobalSign Organization Validation CA - G2)

- GlobalSign Domain Validation CA - G2 (signed by GlobalSign Root CA)

- GlobalSign Organization Validation CA - G2 (signed by GlobalSign Root CA)

- GlobalSign Root CA

When I open the certificate in Windows IE, only three certificates are shown. The Domain certificate is neglected.

I tried to fire on the webservice from a Windows client (soapUI), and it shows 3 certificates (the top three - Root certificate is not shown).

In XPI Inspector I get the following.

What can I do to make PI accept the irrelevant Domain certificate?

Regards

Rasmus

---

Found Certificate chain with 3 elements:

Certificate #0

SubjectDN: CN=*.<3rd_party_doman>.com,O=...<snip>..

IssuerDN: CN=GlobalSign Organization Validation CA - G2,O=GlobalSign nv-sa,C=BE

Certificate #1

SubjectDN: CN=GlobalSign Domain Validation CA - G2,O=GlobalSign nv-sa,C=BE

IssuerDN: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Certificate #2

SubjectDN: CN=GlobalSign Organization Validation CA - G2,O=GlobalSign nv-sa,C=BE

IssuerDN: CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE

Begin Analyzing Certificate Chain:

The certificate #0 was signed by the certificate #2

The certificate with DN = {CN=GlobalSign Domain Validation CA - G2,O=GlobalSign nv-sa,C=BE} appears to be signed by {CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE}, however, the signing certificate was not provided in the chain.

The certificate with DN = {CN=GlobalSign Organization Validation CA - G2,O=GlobalSign nv-sa,C=BE} appears to be signed by {CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE}, however, the signing certificate was not provided in the chain.

End Analyzing Certificate Chain.

Begin IAIK Debug:

ssl_debug(59): Starting handshake (iSaSiLk 4.1)...

ssl_debug(59): Sending v3 client_hello message, requesting version 3.2...

ssl_debug(59): Received v3 server_hello handshake message.

ssl_debug(59): Server selected SSL version 3.1.

ssl_debug(59): Server created new session 9B:AD:96:18:3F:47:B2:E4...

ssl_debug(59): CipherSuite selected by server: SSL_RSA_WITH_3DES_EDE_CBC_SHA

ssl_debug(59): CompressionMethod selected by server: NULL

ssl_debug(59): Received certificate handshake message with server certificate.

ssl_debug(59): Server sent a 2048 bit RSA certificate, chain has 3 elements.

ssl_debug(59): ChainVerifier: Found a trusted certificate, returning true

ssl_debug(59): Received server_hello_done handshake message.

ssl_debug(59): Sending client_key_exchange handshake message (2048 bit)...

ssl_debug(59): Sending change_cipher_spec message...

ssl_debug(59): Sending finished message...

ssl_debug(59): Received change_cipher_spec message.

ssl_debug(59): Received finished message.

ssl_debug(59): Session added to session cache.

ssl_debug(59): Handshake completed, statistics:

ssl_debug(59): Read 3827 bytes in 5 records, wrote 426 bytes in 4 records.

ssl_debug(59): Shutting down SSL layer...

ssl_debug(59): Sending alert: Alert Warning: close notify

ssl_debug(59): Read 0 bytes in 0 records, 0 bytes net, 0 average.

ssl_debug(59): Wrote 0 bytes in 0 records, 0 bytes net, 0 average.

ssl_debug(59): Closing transport...

ssl_debug(59): Closing transport...

End IAIK Debug.

ERROR: The issuer of the certificate #0 doesn't match the subject of certificate #1

ERROR: The issuer of the certificate #1 doesn't match the subject of certificate #2
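
The two ERROR lines compare each certificate's issuer with the subject of the next certificate in the list. The following is an added example (not part of the original post, and not SAP or IAIK code) that reproduces that sequential comparison on the DNs listed above and contrasts it with issuer-to-subject path building, which picks out the unneeded certificate. The leaf CN, the function names and the trust set are assumptions.

```python
# Added example: DN-string comparison only. Real validation must also verify
# signatures, validity periods and CA constraints.
ROOT = "CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE"
DV = "CN=GlobalSign Domain Validation CA - G2,O=GlobalSign nv-sa,C=BE"
OV = "CN=GlobalSign Organization Validation CA - G2,O=GlobalSign nv-sa,C=BE"
LEAF = "CN=*.example.com"  # placeholder; the real leaf DN is elided in the post

# (subject DN, issuer DN) in the order the server sent them (constructed
# from the "Found Certificate chain with 3 elements" listing).
CHAIN = [(LEAF, OV), (DV, ROOT), (OV, ROOT)]


def strict_order_errors(chain):
    """Index pairs (i, i+1) where issuer of cert i != subject of cert i+1."""
    return [(i, i + 1) for i in range(len(chain) - 1)
            if chain[i][1] != chain[i + 1][0]]


def build_path(chain, trusted_roots):
    """Follow issuer -> subject links from the leaf (index 0), ignoring order.

    Returns (path, unused, anchor): indexes on the path, indexes the path
    never needed, and the trusted root DN reached (None if none was reached).
    """
    by_subject = {}
    for idx, (subject, _issuer) in enumerate(chain):
        by_subject.setdefault(subject, idx)
    path, anchor = [0], None
    while True:
        issuer = chain[path[-1]][1]
        if issuer in trusted_roots:
            anchor = issuer
            break
        nxt = by_subject.get(issuer)
        if nxt is None or nxt in path:  # issuer missing, or a loop
            break
        path.append(nxt)
    unused = [i for i in range(len(chain)) if i not in path]
    return path, unused, anchor


if __name__ == "__main__":
    print("strict order mismatches:", strict_order_errors(CHAIN))
    path, unused, anchor = build_path(CHAIN, {ROOT})
    print("path:", path, "unused:", unused, "anchor:", anchor)
```

Under this sequential comparison, moving the Domain Validation CA to the end of the list still leaves a mismatch at the last pair; only the list restricted to `path` passes.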