Forum Discussion

Oct 11, 2016

certificate signature failure

Hello, any idea about the error below? When we enable client authentication on a particular client SSL profile, we get this error, but the same bundle works with other profiles.

warning tmm[8931]: 01260009:4: Connection error: ssl_shim_vfycerterr:4403: certificate signature failure (42)

3 Replies

  • Certificate signature is a function of the signature algorithm indicated in the certificate itself, and is usually either SHA (SHA-1) or some other version of SHA (SHA-256, SHA-384, SHA-512).


    1. Can you tell which signature algorithm is indicated in the failing client certificate?


    2. Have you modified the ciphers in the client SSL profile?


    3. Have you modified the CA bundle in the client SSL profile?


  • Which version of TMOS are you running on your BIG-IP? Have you tried using this solution article on Askf5 to troubleshoot client authentication? https://support.f5.com/kb/en-us/solutions/public/14000/800/sol14819.html


    Error code 42 is listed as bad_certificate: "The certificate was corrupt or contained signatures that could not be correctly verified." This alert can occur if the client certificate was signed by a different CA than the one specified in the SSL profile.


  • As Anthony asked, what TMOS version are you on?

    From the command line, if you type:

    tmm --clientciphers 'DEFAULT:ECDHE_ECDSA'


    do you see SHA-256 anywhere in the resulting list?

    You may also want to check the certificate against the bundle manually. If you have access to the cert, try this:

    openssl verify -verbose -CAfile [cert-bundle.pem] [client-cert.crt]
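The two checks the replies suggest (reading the signature algorithm out of the client certificate, and verifying the certificate against a CA bundle) can be rehearsed offline before touching the BIG-IP. The script below is an added example and is not from this thread or from F5; it assumes only the openssl CLI. It builds a throwaway PKI here: a "good" CA that signs a client certificate, and an unrelated "other" CA standing in for a bundle that does not contain the real issuer, which is the "signed by a different CA" case behind the bad_certificate alert. All names and files are constructed test values.

```shell
#!/bin/sh
# Added example, not from the thread: rehearse the two diagnostic checks from
# the replies on a throwaway PKI built with the openssl CLI (assumed present).
# Constructed here: a "good" CA that signs a client cert, an unrelated "other"
# CA, and a bundle that contains both. All names are hypothetical test values.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build the throwaway PKI in $WORK.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Good Test CA" \
        -keyout "$WORK/good-ca.key" -out "$WORK/good-ca.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Other Test CA" \
        -keyout "$WORK/other-ca.key" -out "$WORK/other-ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=client1" \
        -keyout "$WORK/client.key" -out "$WORK/client.csr" >/dev/null 2>&1
    # Sign the client CSR with the good CA using a SHA-256 signature, the
    # algorithm reply 1 asks about.
    openssl x509 -req -sha256 -days 1 -in "$WORK/client.csr" \
        -CA "$WORK/good-ca.pem" -CAkey "$WORK/good-ca.key" -CAcreateserial \
        -out "$WORK/client.crt" >/dev/null 2>&1
    # A bundle that does contain the issuer, alongside an unrelated CA.
    cat "$WORK/other-ca.pem" "$WORK/good-ca.pem" > "$WORK/bundle-with-issuer.pem"
}

# Print the signature algorithm recorded in the certificate itself
# (e.g. sha256WithRSAEncryption): reply 1's first question.
sig_alg() {
    openssl x509 -in "$1" -noout -text |
        awk '/Signature Algorithm/ { print $3; exit }'
}

# The manual check from the last reply: prints "ok" when the bundle in $1
# verifies the certificate in $2, "fail" otherwise.
verify_against() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo ok
    else
        echo fail
    fi
}

make_pki
echo "signature algorithm: $(sig_alg "$WORK/client.crt")"
echo "against good CA:     $(verify_against "$WORK/good-ca.pem" "$WORK/client.crt")"
echo "against other CA:    $(verify_against "$WORK/other-ca.pem" "$WORK/client.crt")"
echo "against full bundle: $(verify_against "$WORK/bundle-with-issuer.pem" "$WORK/client.crt")"
```

Run the same `sig_alg` and `verify_against` steps against the real client certificate and the bundle attached to the failing profile: a "fail" against that bundle while the certificate verifies against the bundle used by the working profiles points at the CA bundle setting rather than at the certificate or the cipher list.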