How to Verify Self-Signed Client Certificate in Two-Way Authentication

Publication date: Mar 2, 2024
Operation

GOAL

As explained in this KB (Knowledge Base) article, a self-signed certificate can be used as the client certificate in two-way authentication on the DLB (Dedicated Load Balancer). In some circumstances, however, the DLB rejects the request with:
400 Bad Request
The SSL certificate error
The backend log then contains an entry like this (MuleSoft support can access the log):
client SSL certificate verify error: 
(21:unable to verify the first certificate) while reading client request headers

To make sure the self-signed certificate works as expected, follow the steps under "PROCEDURE" to verify the certificate before uploading it.

PROCEDURE
1. Create your self-signed certificate.
2. Verify the certificate against itself with the command "openssl verify -CAfile <self-signed certificate> <self-signed certificate>"
a. If you see "OK", the certificate is good. You can proceed to make the client certificate file:
default_ss.crt: OK
b. If you see the error below, there is a problem with the certificate. It will cause the "The SSL certificate error" in the DLB. Fix this issue before making the client certificate file:
error 20 at 0 depth lookup:unable to get local issuer certificate
The reason for the failure varies, but it is usually related to the "x509_extensions". For example, the "Key Usage" extension may cause the verification to fail: with the Key Usage shown below, which lacks "Certificate Sign", OpenSSL will not accept the certificate as its own issuer. The "x509_extensions" come from "openssl.cnf" when openssl is used to generate the self-signed key pair, which is the most common case. Check your "openssl.cnf" file and fix it accordingly.
X509v3 Key Usage:
    Digital Signature, Non Repudiation, Key Encipherment
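The following script reproduces the whole procedure locally. It is an added example, not part of the KB: it generates a self-signed certificate from an embedded openssl.cnf using one of two extension profiles (the section names "ca_ok" and "ku_only" and the CN "dlb-client-test" are constructed for this example), prints the resulting Key Usage, and runs the same "openssl verify -CAfile cert cert" check described above. The "ku_only" profile writes the Key Usage shown in the KB (no Certificate Sign); the "ca_ok" profile adds CA:TRUE and keyCertSign so the certificate validates against itself.

```shell
#!/bin/sh
# Added example: build a self-signed client certificate from an embedded
# openssl.cnf and run the KB's check, "openssl verify -CAfile cert cert".
# Section names (ca_ok, ku_only) and the CN are constructed for this example.

verify_self_signed() {
  # $1 is the x509_extensions section applied when generating the certificate.
  section=$1
  dir=$(mktemp -d)

  # Two extension profiles: one that verifies against itself, and one that
  # reproduces the Key Usage quoted in the KB (no "Certificate Sign").
  cat > "$dir/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no

[ dn ]
CN = dlb-client-test

[ ca_ok ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, digitalSignature, keyCertSign
subjectKeyIdentifier = hash

[ ku_only ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment
subjectKeyIdentifier = hash
EOF

  # Generate the key pair and self-signed certificate with the chosen extensions.
  if ! openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -config "$dir/openssl.cnf" -extensions "$section" \
        -keyout "$dir/client.key" -out "$dir/client.crt" >/dev/null 2>&1; then
    echo "certificate generation failed for section $section" >&2
    rm -rf "$dir"
    return 2
  fi

  # Show the Key Usage that was actually written, as the KB asks you to inspect.
  openssl x509 -in "$dir/client.crt" -noout -text | grep -A1 'Key Usage' || true

  # The KB's check: the certificate must validate with itself as the only CA.
  if openssl verify -CAfile "$dir/client.crt" "$dir/client.crt"; then
    status=0
  else
    status=1
  fi
  rm -rf "$dir"
  return $status
}

for profile in ca_ok ku_only; do
  echo "== profile: $profile"
  if verify_self_signed "$profile"; then
    echo "-> verifies OK, safe to build the client certificate file"
  else
    echo "-> verification failed, fix x509_extensions before uploading to the DLB"
  fi
done
```

Run the check with an OpenSSL build close to the one the load balancer uses: OpenSSL 1.1.x reports the "error 20 ... unable to get local issuer certificate" shown in the KB for the "ku_only" profile, whereas OpenSSL 3.x deliberately tolerates a self-issued end-entity certificate whose Key Usage lacks Certificate Sign, so a local "OK" from OpenSSL 3 does not by itself prove the DLB will accept the certificate. The "ca_ok" profile verifies on both.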

Knowledge Article Number

001114564

Salesforce Help | Article