Symantec Access Management

  • 1.  Proxy Services to IIS using SAN Certificates

    Posted Jun 02, 2016 02:23 PM

    We are having issues with providing proxy services to IIS when IIS is using a SAN certificate.  Using OpenSSL to troubleshoot the issue via "openssl s_client -connect URL:443", we are getting a specific error message of "verify return code: 20 (unable to get local issuer certificate)".  We have verified, via multiple ways, that the IIS certificate, intermediate and root certificate are all included in our ca-bundle in the correct format.


    As a test, we have set up a SAN certificate on an IHS server and are able to process.  What we seem to see in IIS is that it can read the certificate and identify the intermediate and root.  But it is not processing the intermediate and stops at that point.



  • 2.  Re: Proxy Services to IIS using SAN Certificates

    Broadcom Employee
    Posted Jun 05, 2016 04:09 PM

    Hi mdeeley,


    In your post you listed the port as 433, is this a typo and you meant 443?


    Also, are you thinking this is a CA SSO issue? If so, would need more information on your current setup as well as the output of "openssl x509 -in iiscert.crt -noout -text" to see better how your SAN was created.




  • 3.  Re: Proxy Services to IIS using SAN Certificates

    Posted Jun 06, 2016 07:16 AM

    You are correct, it's 443.  I would not classify this as an SSO issue.  It is more of an issue with OpenSSL that is bundled in the CA SiteMinder Secure Proxy Server.


    I don't really have an example of the certificate request, but it is a standard SAN certificate with a CN name entry and additional Subject Alternative Names.  There is a root and intermediate certificate that is issued with the certificate.
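
The verify code 20 quoted in the first post can be reproduced offline on a constructed chain. The script below is an added example, not part of the thread: it builds a made-up root, intermediate and SAN leaf (all names, including app.lab.example, are assumptions) and shows that `openssl verify` reports error 20 when the intermediate is neither in the CA bundle nor presented with the leaf, and succeeds in the other two cases.

```bash
#!/usr/bin/env bash
# Added example: constructed lab PKI (root -> intermediate -> SAN leaf); all names are made up.
set -e
LAB=$(mktemp -d)
cd "$LAB"

cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:app.lab.example,DNS:www.lab.example
EOF

# Self-signed root, then an intermediate and a SAN leaf, each signed by the level above.
openssl req -x509 -config ext.cnf -extensions ca -newkey rsa:2048 -nodes \
  -keyout root.key -out root.pem -subj "/CN=Constructed Lab Root" -days 2 2>/dev/null
issue() {  # issue <name> <subject> <extension section> <signing CA name>
  openssl req -new -config ext.cnf -newkey rsa:2048 -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
    -extfile ext.cnf -extensions "$3" -days 2 -out "$1.pem" 2>/dev/null
}
issue int  "/CN=Constructed Lab Intermediate" ca   root
issue leaf "/CN=app.lab.example"              leaf int
cat int.pem root.pem > full-bundle.pem

# Print the first OpenSSL verify error number for leaf.pem, or 0 if the chain builds.
verify_code() {  # verify_code <CA bundle> [extra openssl verify options...]
  bundle=$1; shift
  code=$(openssl verify -CAfile "$bundle" "$@" leaf.pem 2>&1 |
         sed -n 's/^error \([0-9][0-9]*\) at.*/\1/p' | head -n 1)
  echo "${code:-0}"
}
# SAN entries as they appear in the "x509 -noout -text" dump asked for in the thread.
san_list() { openssl x509 -in "$LAB/leaf.pem" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1; }

echo "root only in bundle:                            $(verify_code root.pem)"
echo "root + intermediate in bundle:                  $(verify_code full-bundle.pem)"
echo "root in bundle, intermediate presented by peer: $(verify_code root.pem -untrusted int.pem)"
echo "SANs: $(san_list)"
```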