Unable to Get Local Issuer Certificate


Symptoms

When a certificate is issued through an intermediate CA, the following error may sometimes be returned:

Resolution

This behavior can be encountered when a connection is established against RAS Secure Client Gateway.

A way around this is to include the certificate information for the Intermediate CA with the domain certificate so that both are verified. This can be done as follows:

  1. Have a copy of the Domain Certificate in base-64 encoded X.509 (.CER) format.

Opening the certificate in WordPad will show the certificate, which starts and ends with the following tags:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

The certificate can be opened and viewed in Windows. By default, Windows opens the file using the Crypto Shell Extensions.

  1. Open the commercial certificate in Windows and switch to the Certification Path tab.

  2. Select the Intermediate CA and select View Certificate.

  3. The intermediate CA will be available and can be exported in base-64 encoded X.509 (.CER) format from the Details tab > Copy To File.

    Opening the exported .cer file for the Intermediate CA in Notepad will also show the following tags for the Intermediate CA certificate:

     -----BEGIN CERTIFICATE-----
     -----END CERTIFICATE-----
    
  4. To fix this, paste the Intermediate CA certificate into the issued domain certificate file using Notepad.

In Notepad, the certificate would have the following structure:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

The top block is the domain certificate, whereas the bottom block is the Intermediate CA certificate.

Importing this new modified certificate alongside your private key in your RAS Secure Client Gateway will address this behavior.

NOTE: The Root CA does not require this operation as all supported Root CAs are listed in the trusted.pem files available on Client Installations as well as within the Remote Application Server installation directory.
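
The Notepad steps above can also be scripted. The following PowerShell is an added example, not part of the original article or the product: it checks that the second file really is the CA that issued the domain certificate before writing the combined file, and it leaves the Root CA out, as the note above describes. The three file names are placeholders chosen for illustration.

```powershell
# Added example. The three file names are placeholders (assumptions), not names from the article.
param(
    [string]$DomainCer       = '.\domain.cer',
    [string]$IntermediateCer = '.\intermediate.cer',
    [string]$OutFile         = '.\domain-with-intermediate.cer'
)
$ErrorActionPreference = 'Stop'

# Return the single BEGIN/END CERTIFICATE block in a file, with CRLF line endings.
function Get-PemBlock([string]$Path) {
    $text   = Get-Content -LiteralPath $Path -Raw
    $blocks = [regex]::Matches($text, '-----BEGIN CERTIFICATE-----[\s\S]+?-----END CERTIFICATE-----')
    if ($blocks.Count -ne 1) {
        throw "$Path must hold exactly one base-64 certificate block, found $($blocks.Count)."
    }
    $blocks[0].Value -replace '\r?\n', "`r`n"
}

# Load a certificate; .NET resolves relative paths against the process directory,
# not the PowerShell location, so pass a full path.
function Get-Cert([string]$Path) {
    $full = (Resolve-Path -LiteralPath $Path).Path
    New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full
}

$domainPem = Get-PemBlock $DomainCer
$interPem  = Get-PemBlock $IntermediateCer
$domain    = Get-Cert $DomainCer
$inter     = Get-Cert $IntermediateCer

# The domain certificate's issuer must be the intermediate's subject (compared as raw DER).
$issuer  = [Convert]::ToBase64String($domain.IssuerName.RawData)
$subject = [Convert]::ToBase64String($inter.SubjectName.RawData)
if ($issuer -ne $subject) {
    throw "'$($inter.Subject)' did not issue '$($domain.Subject)'; check which files were exported."
}

# The second certificate must be a CA certificate (catches swapped files).
$bc = $inter.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if (-not ($bc -and $bc.CertificateAuthority)) {
    throw "$IntermediateCer is not a CA certificate."
}

# Domain certificate first, Intermediate CA second. ASCII output avoids a byte-order mark.
Set-Content -LiteralPath $OutFile -Value $domainPem, $interPem -Encoding Ascii
Write-Output "Wrote $OutFile"
```

The private key is not touched by this script; it is still imported separately alongside the combined file.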
