Policy Server backend CA Directory Session Store over SSL reports error : "SSL3 alert read: fatal: bad certificate"

Document ID : KB000008006
Last Modified Date : 14/02/2018

We are running Policy Server; when it tries to connect to the backend CA Directory Session Store over SSL, the connection fails. The CA Directory Session Store reports this error:


! [5] Accepting call from TCP 
! [0] Accepting call from TCP 
! [3] STATE: SSL3 alert read: fatal: bad certificate 
! [3] STATE: SSL_accept: failed in SSLv3 read client certificate A 
? [3] 20170831.115804.432 WARN : SSL Error 
? [3] 20170831.115804.432 WARN : 7fffcc0180c8- 15030300 02022a ......* 
? [3] 20170831.115804.432 WARN : 3:error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:s3_pkt.c:1487:SSL alert number 42 
3:error:140940E5:SSL routines:ssl3_read_bytes:ssl handshake failure:s3_pkt.c:1210: 
? [3] 20170831.115804.432 WARN : ssld_ssl_request failed 
? [3] 20170831.115804.432 WARN : TLS/SSL handshake failed for call from 
? [3] 20170831.115804.433 WARN : comms_recv: Connection reset by peer 
! [3] Call closed 12 


How can we solve that?

Policy Server 12.7 on Red Hat 7; CA Directory 12.6.02

The same CA Directory server hosts three DSA instances: one Policy Store, one Key Store and one Session Store. The certificates defined at the CA Directory level are self-signed, and some of them carry the same serial number. A client cannot hold two certificates with the same issuer and serial number as distinct entities, so the Policy Server rejects the DSA certificate it is presented with. The DSA log confirms where the rejection happens: "SSL3 alert read: fatal: bad certificate" means the DSA received TLS alert 42 (bad_certificate) from the Policy Server, i.e. the client side refused the DSA's certificate during the handshake, and "SSL_accept: failed in SSLv3 read client certificate A" shows the DSA was still waiting for the client certificate when that alert arrived.


To solve the issue, have a CA issue a separate certificate for each DSA instance. A CA assigns a unique serial number to every certificate it signs, which removes the collision. Proceed as follows:


• Stop Policy Server

• Stop all CA Directory DSA instances (dxserver stop all)

• Back up and then remove the conflicting certificates (.pem files) in the folder <CA-DIR>/ssld/personalities 

• Run dxcertgen report to confirm that no certificate remains for the Policy Store, Key Store and Session Store DSAs 

• Create a new certificate request for each DSA (Policy Store, Key Store, Session Store) with the command: dxcertgen -D <dsaname> certreq

• Sign each CSR with your CA and merge the signed certificates back into the DSA personalities

• Start all DSA instances (dxserver start all)

• Start Policy Server and verify that it connects correctly to the Policy Store, Key Store and Session Store
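The script below is an added example, not part of this KB article and not a CA Directory or SiteMinder tool: it reproduces the duplicate-serial condition with throwaway certificates, shows the openssl check that exposes it, and then issues three distinct CA-signed certificates the way the resolution steps describe. It assumes openssl is installed, uses the hypothetical DSA names policystore, keystore and sessionstore, and stands in for dxcertgen -D <dsaname> certreq with openssl req, since dxcertgen is not available outside a CA Directory host.

```shell
#!/bin/sh
# Added example (not from the KB article). Requires openssl.
# Demonstrates: (1) two DSA certs sharing issuer+serial, (2) a check that
# flags the reuse, (3) re-issuing every DSA cert with a distinct serial.
set -eu

WORK="${WORK:-$(mktemp -d)}"
DSAS="policystore keystore sessionstore"   # hypothetical DSA names

# One throwaway issuing CA; stands in for "your CA" in the resolution steps.
make_ca() {  # dir
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Example Issuing CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" -days 2 >/dev/null 2>&1
}

# Key + CSR for one DSA (the role "dxcertgen -D <dsa> certreq" plays on a real host).
make_csr() {  # dir name
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
}

# Sign a CSR with the CA, forcing the serial number so the collision can be reproduced.
sign_csr() {  # dir name serial
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -set_serial "$3" -days 1 -out "$1/$2.pem" >/dev/null 2>&1
}

# One "issuer|serial" line per DSA certificate; X.509 requires this pair to be unique.
cert_ids() {  # dir
    for d in $DSAS; do
        printf '%s|%s\n' "$(openssl x509 -noout -issuer -in "$1/$d.pem")" \
                         "$(openssl x509 -noout -serial -in "$1/$d.pem")"
    done
}

# Returns 0 when no two DSA certs share issuer+serial, 1 when a duplicate exists.
check_unique_serials() {  # dir
    [ -z "$(cert_ids "$1" | sort | uniq -d)" ]
}

# Returns 0 when every DSA cert verifies against the CA, 1 otherwise.
check_chain() {  # dir
    for d in $DSAS; do
        openssl verify -CAfile "$1/ca.pem" "$1/$d.pem" >/dev/null 2>&1 || return 1
    done
}

# Broken state: serial 1 reused for two DSAs under the same issuer.
build_bad() {  # dir
    make_ca "$1"
    for d in $DSAS; do make_csr "$1" "$d"; done
    sign_csr "$1" policystore 1
    sign_csr "$1" keystore 1
    sign_csr "$1" sessionstore 2
}

# Fixed state: fresh CSR per DSA, each signed with a distinct serial.
build_good() {  # dir
    make_ca "$1"
    n=100
    for d in $DSAS; do
        make_csr "$1" "$d"
        sign_csr "$1" "$d" "$n"
        n=$((n + 1))
    done
}

main() {
    build_bad "$WORK/bad"
    if check_unique_serials "$WORK/bad"; then
        echo "bad: serials unique (unexpected)"
    else
        echo "bad: duplicate issuer+serial found:"
        cert_ids "$WORK/bad" | sort | uniq -d
    fi
    build_good "$WORK/good"
    check_unique_serials "$WORK/good" && check_chain "$WORK/good" \
        && echo "good: serials unique and every DSA cert chains to the CA"
}

main
```

On a real host, point cert_ids and check_unique_serials at <CA-DIR>/ssld/personalities after the merge step to confirm that the three DSA certificates no longer share an issuer and serial, and run openssl verify against the CA certificate the Policy Server trusts before starting it.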