
SSL Proxy might fail with "Failed to create authority key identifier extension" and "unable to get issuer keyid" after upgrading to SGOS 6.3 and above

Solutions ID:    KB5051
Version:    7.0
Status:    Published
Published date:    04/04/2012
Updated:    03/30/2014
 

Problem Description

SSL Proxy (SSL interception) might fail after upgrading to SGOS 6.3, 6.4 or 6.5. The following errors are logged in the Event Log:

- Failed to create authority key identifier extension

- unable to get issuer keyid

 

Resolution

In SGOS 6.3, 6.4 and 6.5 the SSL Proxy code was tightened to verify that the certificate in ssl.forward_proxy.issuer_keyring is indeed a CA certificate before it is used to sign emulated server certificates. When the SSL Proxy checks for the Subject Key Identifier and Authority Key Identifier extensions and finds them missing, interception fails with the errors above ("unable to get issuer keyid" is the OpenSSL error raised when an Authority Key Identifier that references the issuer's key cannot be built because the issuer certificate carries no Subject Key Identifier). This does not mean that you cannot use a self-signed certificate for SSL interception; a self-signed certificate works as long as it is a CA certificate with these extensions.

To address the problem:

1. Create a new Certificate Signing Request (CSR) from a keyring (KB1306)

2. Sign the CSR with your Certificate Authority, making sure the issued certificate is a CA certificate with the extensions listed in the note below (the signing CA decides which extensions the certificate gets; they are not taken from the CSR)

3. Import the signed certificate into your list of CA certificates (KB4609)

Note: The new certificate you use for interception must be a CA certificate (Basic Constraints CA:TRUE) and must hold the following extensions, as shown by a certificate viewer or by `openssl x509 -noout -text`:

        X509v3 extensions:
            X509v3 Subject Key Identifier:
            X509v3 Authority Key Identifier:

If you are using XCA (http://xca.sourceforge.net/) to sign the certificate, these extensions are found under 'Extensions --> Key Identifier'.

 

Note: If a new keyring was created in this process, you need to change the SSL Proxy issuer keyring to the new keyring. This is done in the Management Console GUI - Configuration - Proxy Settings - SSL Proxy - Issuer Keyring.
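The following POSIX shell script is an added example and is not Blue Coat code or the procedure from KB1306/KB4609. It uses the OpenSSL command line to do the certificate-side work of the steps above when your Certificate Authority is OpenSSL: it builds a self-signed issuer certificate, or signs a CSR, so that the result carries the Subject Key Identifier, Authority Key Identifier and CA:TRUE extensions, and it checks any PEM certificate for those items before you point the SSL Proxy issuer keyring at it. The OpenSSL CLI is assumed to be on PATH; the file names, subject DNs and the "ca_ext" section name are constructed for this example.

```shell
#!/bin/sh
# Added example, not Blue Coat code: build an SSL Proxy issuer certificate that
# carries the extensions SGOS 6.3+ checks for (Subject Key Identifier, Authority
# Key Identifier, CA:TRUE) and verify any PEM certificate before pointing the
# issuer keyring at it. Assumes the OpenSSL CLI is on PATH. File names, subject
# DNs and the "ca_ext" section name are constructed for this example.

CA_CFG=$(mktemp) || exit 1
trap 'rm -f "$CA_CFG"' EXIT

# subjectKeyIdentifier is listed before authorityKeyIdentifier so that
# "keyid:always" can resolve even for a self-signed certificate. The [req_dn]
# section only exists because req requires one; -subj supplies the real DN.
cat > "$CA_CFG" <<'EOF'
[req]
distinguished_name     = req_dn
prompt                 = no
[req_dn]
CN                     = placeholder
[ca_ext]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always, issuer
EOF

# Self-signed issuer: allowed for interception (see Resolution) as long as the
# extensions above are present.
make_self_signed_issuer() {     # $1 = key out, $2 = cert out, $3 = subject DN
    openssl genrsa -out "$1" 2048 >/dev/null 2>&1 &&
    openssl req -new -x509 -sha256 -days 3650 -key "$1" -subj "$3" \
        -config "$CA_CFG" -extensions ca_ext -out "$2" >/dev/null 2>&1
}

# Step 1 of the Resolution: a fresh key and CSR for the new issuer keyring.
make_csr() {                    # $1 = key out, $2 = CSR out, $3 = subject DN
    openssl genrsa -out "$1" 2048 >/dev/null 2>&1 &&
    openssl req -new -sha256 -key "$1" -subj "$3" -config "$CA_CFG" -out "$2" >/dev/null 2>&1
}

# Step 2 when the signing CA is OpenSSL. The extensions come from the signer,
# not from the CSR, so they have to be supplied here or the result lacks them.
sign_csr_as_ca() {              # $1 = CSR, $2 = CA cert, $3 = CA key, $4 = cert out
    openssl x509 -req -sha256 -days 1825 -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
        -extfile "$CA_CFG" -extensions ca_ext -out "$4" >/dev/null 2>&1
}

# Reads `openssl x509 -text` output on stdin; prints the required items that are
# absent, comma separated. Empty output means the certificate will pass the check.
missing_issuer_items() {
    text=$(cat)
    missing=""
    for want in "X509v3 Subject Key Identifier" "X509v3 Authority Key Identifier" "CA:TRUE"; do
        case "$text" in
            *"$want"*) ;;
            *) missing="${missing:+$missing, }$want" ;;
        esac
    done
    printf '%s' "$missing"
}

# 0 = usable as issuer keyring certificate, 1 = something missing (named on
# stderr), 2 = not a readable PEM certificate.
check_issuer_cert() {           # $1 = PEM certificate
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    missing=$(printf '%s\n' "$text" | missing_issuer_items)
    [ -z "$missing" ] && return 0
    echo "$1: missing $missing" >&2
    return 1
}

# Demo run with constructed names in a scratch directory.
work=$(mktemp -d)
make_self_signed_issuer "$work/root.key" "$work/root.crt" "/O=Example/CN=Example Root CA" &&
    check_issuer_cert "$work/root.crt" && echo "root.crt: ok as issuer keyring certificate"
make_csr "$work/issuer.key" "$work/issuer.csr" "/O=Example/CN=Example SSL Proxy Issuer" &&
    sign_csr_as_ca "$work/issuer.csr" "$work/root.crt" "$work/root.key" "$work/issuer.crt" &&
    check_issuer_cert "$work/issuer.crt" && echo "issuer.crt: ok as issuer keyring certificate"
rm -rf "$work"
```

Run `check_issuer_cert` against the certificate you intend to import (or against the current issuer keyring certificate exported from the appliance) before changing the Issuer Keyring setting; a non-zero exit names the missing item on stderr, which is exactly what triggers the Event Log errors described above.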

