3rd party signed certs when used with CA Directory fail with SSL verify error 20

Document ID : KB000009721
Last Modified Date : 14/02/2018
Introduction:

3rd party signed certs, when used with CA Directory, fail with SSL verify error 20.

Background:

When using 3rd party signed certs for a CA Directory DSA, you may see the following messages reported in the WARN log.

 

WARN : ssld_ssl_request failed

WARN : Verify error 20: unable to get local issuer certificate

WARN : SSL Error

WARN : 140:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:982:

 

OR

 

WARN : ssld_ssl_request failed 

WARN : Verify error 20: unable to get local issuer certificate 

WARN : SSL Error 

WARN : 160:error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1185:

Environment:
CA Directory r12.0 SPx / r12.5 SPx
Instructions:

Make sure the root certificate created by the other Certificate Authority (CA) has been imported into 'DXHOME\config\ssld\trusted.pem' of CA Directory, so that DXserver trusts the cert.

You can either copy and paste the certificate into that file, or use the 'importca' option of the 'dxcertgen' command line tool that is provided with the CA Directory product.
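To see which certificate is missing before importing anything, the following added example (not CA-supplied tooling and not part of the original article) checks a certificate's issuer against the trust bundle with the openssl command line tool. It assumes openssl is on the PATH and takes both file paths as arguments; it also goes one step beyond the root-only case above by following intermediate CAs until a self-signed certificate is reached.

```shell
#!/bin/sh
# Added example, not CA-supplied tooling. Requires the openssl CLI on PATH.
# Usage: sh check_chain.sh <certificate.pem> <trusted.pem>  (script name is hypothetical)

# chain_in_bundle CERT BUNDLE
# Follows CERT's issuer through BUNDLE by name hash until a self-signed
# certificate is reached. Returns 0 if complete, 1 if an issuer is missing
# (the condition behind verify error 20), 2 if a certificate cannot be read.
# Names are matched only; signatures are not verified here.
chain_in_bundle() {
    cert=$1; bundle=$2; depth=0; rc=1
    work=$(mktemp -d) || return 2
    # Split the bundle into one file per PEM certificate block.
    awk -v d="$work" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/ca" n ".pem")}' "$bundle"
    while [ "$depth" -lt 10 ]; do
        want=$(openssl x509 -in "$cert" -noout -issuer_hash 2>/dev/null) || { rc=2; break; }
        self=$(openssl x509 -in "$cert" -noout -subject_hash 2>/dev/null) || { rc=2; break; }
        # A self-signed certificate taken from the bundle ends the chain.
        if [ "$depth" -gt 0 ] && [ "$want" = "$self" ]; then rc=0; break; fi
        next=
        for ca in "$work"/ca*.pem; do
            [ -f "$ca" ] || continue
            have=$(openssl x509 -in "$ca" -noout -subject_hash 2>/dev/null) || continue
            if [ "$have" = "$want" ]; then next=$ca; break; fi
        done
        if [ -z "$next" ]; then
            echo "depth $depth: issuer not found in $bundle:" >&2
            openssl x509 -in "$cert" -noout -issuer >&2
            break
        fi
        cert=$next; depth=$((depth + 1))
    done
    rm -rf "$work"
    return "$rc"
}

if [ "$#" -eq 2 ]; then chain_in_bundle "$1" "$2" && echo "chain complete"; fi
```

The issuer name printed on failure identifies the CA certificate that still has to be added to trusted.pem.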

More at:

https://docops.ca.com/docops.ca.com/ca-directory/12-5/EN/administrating/tools-to-manage-ca-directory/dxtools/dxcertgen-tool-generate-and-work-with-certificates