000022107 - Browsers unable to verify certificate chain

Document created by RSA Customer Support Employee on Jun 14, 2016. Last modified by RSA Customer Support Employee on Apr 21, 2017.
Version 2

Article Content

Article Number: 000022107
Applies To: Sentry Certificate Authority (CA)
Sentry Registration Authority (RA)
Keon Certificate Authority
Keon Registration Authority
Microsoft Internet Explorer
Netscape Navigator
TechNote 0262
Issue: Browsers unable to verify certificate chain
This problem occurs when you have vetted and issued an end-entity cert with v3 extensions, one of which is the Authority Key Identifier (AKI). You have downloaded the CA cert into your browser and trusted it.
When you try to verify the chain between the two certs, the browser displays one of the following errors:
- "Unable to Find Certificate Authority" (Netscape Navigator), or
- an exclamation mark on the issuing CA's cert, with the Certificate status reading "The issuer of this certificate was not able to be found" (Microsoft Internet Explorer).
Cause: The CA cert is missing an extension, namely the Subject Key Identifier (SKI). Sentry/Keon CA is built according to the RFC standards, and RFC 2459 defines that the SKI extension must be used in all conforming CA certs to facilitate chain building (section 4.2.1.2). The AKI must likewise be included in all certs generated by conforming CAs to facilitate chain building (section 4.2.1.1). A browser that follows the leaf cert's AKI therefore has nothing to match it against when the CA cert carries no SKI. The URL to this RFC is: http://www.ietf.org/rfc/rfc2459.txt?number=2459
Resolution: Resign the CA cert using the Resigning function in Sentry/Keon CA and specify the correct extension, Subject Key Identifier, as part of a new extension. Delete the old CA cert from the browsers and reload the new CA cert into the browser. The browsers will then report that the cert was successfully verified.
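The cause and the resolution above can be reproduced and checked programmatically. The following is an added example, not RSA's code, and assumes the third-party Python `cryptography` package is installed (it is not part of Sentry/Keon); the CA and leaf certs it builds are constructed test material, and `check_key_identifiers` applies the RFC 2459 rule the article cites: the leaf's AKI keyid must match the issuing CA cert's SKI, which cannot succeed when the CA cert has no SKI.

```python
# Added example (not RSA's code): needs 'cryptography'; applies the RFC 2459 AKI/SKI rule.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

def _builder(subject, issuer, pubkey):
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1)))

def make_ca(with_ski):  # self-signed test CA; with_ski=False mirrors the broken CA cert
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Constructed Test CA")])
    b = _builder(name, name, key.public_key()).add_extension(
        x509.BasicConstraints(ca=True, path_length=None), critical=True)
    if with_ski:  # RFC 2459 4.2.1.2: SKI is required in conforming CA certs
        b = b.add_extension(
            x509.SubjectKeyIdentifier.from_public_key(key.public_key()), critical=False)
    return key, b.sign(key, hashes.SHA256())

def make_leaf(ca_key, ca_cert):  # end-entity cert carrying an AKI keyid (4.2.1.1)
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "constructed.example")])
    b = _builder(name, ca_cert.subject, key.public_key()).add_extension(
        x509.AuthorityKeyIdentifier.from_issuer_public_key(ca_key.public_key()), critical=False)
    return b.sign(ca_key, hashes.SHA256())

def _ext(cert, oid):  # extension value, or None when the cert does not carry it
    try:
        return cert.extensions.get_extension_for_oid(oid).value
    except x509.ExtensionNotFound:
        return None

def check_key_identifiers(leaf, ca):  # the AKI -> SKI lookup a browser performs
    aki = _ext(leaf, ExtensionOID.AUTHORITY_KEY_IDENTIFIER)
    ski = _ext(ca, ExtensionOID.SUBJECT_KEY_IDENTIFIER)
    if aki is None or aki.key_identifier is None:
        return False, "leaf has no AKI keyid"
    if ski is None:
        return False, "CA cert has no SKI: issuer cannot be found by key identifier"
    if aki.key_identifier != ski.digest:
        return False, "leaf AKI keyid does not match CA SKI"
    return True, "issuer located by key identifier"

def demo(with_ski):  # demo(False) is the article's failure; demo(True) the resigned CA
    ca_key, ca_cert = make_ca(with_ski)
    return check_key_identifiers(make_leaf(ca_key, ca_cert), ca_cert)
```

The same `check_key_identifiers` can be run on a real pair loaded with `x509.load_pem_x509_certificate` to confirm a resigned CA cert before distributing it to browsers.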
Legacy Article ID: a3170
