05-10-2012 06:17 PM
We have a MAG-SM160, version 7.1R1.
I installed a commercial certificate from RapidSSL and associated it with the external cluster address. Firefox is happy. But when I connect with Junos Pulse, it gives a security alert saying that the site is untrusted.
I can make the warning go away by installing the RapidSSL certificate in the Java keystore on the client, in addition to the preinstalled Global Trust CA parent certificate.
This isn't a good solution for external users. Is this a known problem with Oracle Java, that I need to get a non-chained certificate instead?
05-10-2012 07:50 PM
I think KB22625 should help you on this, as I believe you must be seeing the same problem.
Please mark this post as 'accepted solution' if this answers your question; that way it might help others as well. A kudo would be a bonus, thanks.
05-11-2012 10:40 AM
No, that is a different issue, where the client is using a certificate for authentication.
The issue I have is "cosmetic" only - the user can click "always trust this certificate". As a security officer I deprecate that, and besides, it's annoying to have paid for a commercial certificate that offers no advantage over a free one from our own CA.
05-11-2012 12:41 PM
It sounds like the intermediate files were not installed correctly on the web server. Since Firefox has a separate certificate store, it may be possible that the intermediate already exists there, or that Firefox is validating a different chain which is missing from the Windows certificate store.
Could you provide the URL where the SSL certificate is installed? I can run a few tests.
05-11-2012 01:25 PM
I don't quite follow you.
I generated a CSR on the MAG, then sent that to RapidSSL. They provided a certificate, which I imported into the MAG (which is a webserver now with a key and a certificate).
In both Firefox and Java on the client computer, the Global Trust CA root certificate is installed by default as a trusted authority. In Firefox, that is sufficient to validate the MAG webserver. In Junos Pulse, using the Java SSL library, it is not. I have to manually install, on each client system, the intermediate RapidSSL certificate into the Java keystore.
If you mean can I give you the URL to our MAG appliance, yes, but I would rather not do so on a public forum.
Is there a private message ability in these forums? Else I'll just give my email.
05-11-2012 02:15 PM
I believe that is the step you are missing then. You need to install the intermediate CA on the SA or MAG after installing the SSL certificate you received from RapidSSL. If it is missing from the SA, it will assume the browser has all of the certificates needed to validate the certificate chain.
If you click on the mail icon at the top, you can compose an email to me or you can send it directly to firstname.lastname@example.org.
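The behaviour described in the reply above can be reproduced offline. The script below is an added example, not something posted in this thread or shipped by Juniper or RapidSSL: it uses the openssl CLI to build a constructed three-tier chain (a root CA standing in for the trusted "Global Trust CA" root, an intermediate standing in for the RapidSSL intermediate, and a server certificate standing in for the MAG's), then verifies the server certificate the way a client that trusts only the root would. When the "server" presents only its own certificate, validation fails with "unable to get local issuer certificate", which is the situation the Java client was in; when the server presents its certificate together with the intermediate (the bundle installed on the MAG), the same client validates it. All names, key sizes and file names are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed demo (not from the forum thread): root -> intermediate -> server
# chain built with the openssl CLI, then verified from the point of view of a
# client whose trust store contains ONLY the root CA. Assumes openssl is on PATH.
set -e

WORK=$(mktemp -d)
cd "$WORK"

# CA extensions: an intermediate only counts as a CA if basicConstraints says so.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext

# 1. Root CA (self-signed). This is the only certificate the client trusts,
#    i.e. the role the preinstalled "Global Trust CA" root plays in the thread.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
  -keyout root.key -out root.csr >/dev/null 2>&1
openssl x509 -req -in root.csr -signkey root.key -days 30 \
  -extfile ca.ext -out root.pem >/dev/null 2>&1

# 2. Intermediate CA, signed by the root (the "RapidSSL intermediate" role).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate CA" \
  -keyout int.key -out int.csr >/dev/null 2>&1
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -extfile ca.ext -out int.pem >/dev/null 2>&1

# 3. Server certificate, signed by the intermediate (the "MAG certificate" role).
#    vpn.example.test is a made-up hostname.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=vpn.example.test" \
  -keyout srv.key -out srv.csr >/dev/null 2>&1
openssl x509 -req -in srv.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 30 -out srv.pem >/dev/null 2>&1

# What a correctly configured server presents: its own cert plus the intermediate.
cat srv.pem int.pem > server_chain.pem

# client_verifies FILE
#   FILE holds the certificate(s) the server presents during the handshake.
#   The client trusts only root.pem and may use anything in FILE as an
#   untrusted intermediate while building the path. Prints OK or FAIL.
client_verifies() {
  if openssl verify -CAfile root.pem -untrusted "$1" srv.pem >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

# Server sends only its leaf certificate: the client has no way to reach the
# root, so the path cannot be built (openssl error 20, "unable to get local
# issuer certificate"). This is the Junos Pulse / Java symptom in the thread.
echo "leaf only         : $(client_verifies srv.pem)"

# Server sends leaf + intermediate: the client closes the path to the root it
# already trusts. This is what installing the intermediate on the MAG achieves.
echo "leaf + intermediate: $(client_verifies server_chain.pem)"
```

Against a real appliance the equivalent check is `openssl s_client -connect host:443 -showcerts`, which prints every certificate the server actually sends; if only one appears, the intermediate has not been installed on the server side. A browser can still pass in that state because NSS caches intermediates it has seen on earlier connections, which is why Firefox and a strict Java client disagreed here.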
05-11-2012 05:01 PM
I think that's nailed it, thanks. Hard to tell, as I need to manually remove the RapidSSL cert from the Java keystore and then reconnect, which is like proving a negative. I should try from a different, fresh client.
I will mark this as resolved, in any case.
For the benefit of anyone else reading this thread, the solution seems to be to download the RapidSSL certificate bundle from https://knowledge.rapidssl.com/library/VERISIGN/AL
05-21-2012 08:23 PM
Thank you for the information on another SSL certificate vendor that requires a custom intermediary upload (VeriSign has been known as a tiered environment for some time; I think Thawte as well).