
I have added the necessary certificates to communicate with a web service over TLS; both the client and the server have added the certificates to their keystores, but during the handshake, certificate_unknown is returned.

SSL Conversation:

Is initial handshake: true
....
*** ClientHello, TLSv1
*** ServerHello, TLSv1

*** Certificate chain
[ chain [0] = [
[
  Version: V3
  Subject: CN=certificate_server, OU=163831, O=groupc Inc., C=US
  Signature Algorithm: SHA1withRSA, OID = 1.2.840.113549.1.1.5

  Key:  IBMJCE RSA Public Key:
modulus:
... more data
public exponent:
65537

  Validity: [From: Mon Apr 03 10:43:20 CDT 2017,
               To: Wed Apr 03 09:43:20 CST 2019]
  Issuer: CN=Internal DeviceCA Untrusted, DC=nsroot, DC=net
  SerialNumber: [110855813xxxxxxxxxxxxxxx]
Certificate Extensions: 10


Found trusted certificate:

 *** CertificateRequest
 Cert Types: RSA, DSS
 Cert Authorities:
 ....

 *** ServerHelloDone

*** Certificate chain
[ chain [0] = [
[
  Version: V3
  Subject: CN=certificateClient, OU=55552, O=groupc Inc., C=US
  Signature Algorithm: SHA256withRSA, OID = 1.2.840.113549.1.1.11

  Key:  IBMJCE RSA Public Key:
modulus:
.... more data
public exponent:
65537

  Validity: [From: Tue Aug 08 16:26:27 CDT 2017,
               To: Thu Aug 08 16:26:27 CDT 2019]
  Issuer: CN=Device CA1 G2 DEV, O=groupc Inc., C=US
  SerialNumber: [23415xxxxxxxxxxxxxxxxxxxxxxx]

Certificate Extensions: 10

*** CertificateVerify

*** Finished
 verify_data:  { 101, 203, 80, 212, 246, 137, 144, 225, 31, 134, 63, 46 }
 ***

 READ: TLSv1 Alert, length = 2
 3, RECV TLSv1 ALERT:  fatal, certificate_unknown
 3 fatal: engine already closed.  Rethrowing javax.net.ssl.SSLException: Received fatal alert: certificate_unknown

And when I list the keystore I see the keys, and they are the required ones; the certificates are also present on the server.

Is there a way to know which certificate is unknown, or to compare the courted string between the client and the server?

Ventur
  • this appears to be a Java programming question - I would migrate to SO, but I do not think that you include enough data to perform troubleshooting – schroeder Oct 13 '17 at 08:06

1 Answer


It looks like the debug output was made on the client side. In this case

3, RECV TLSv1 ALERT:  fatal, certificate_unknown

means that the client received a TLS alert from the server, which means that the server did not like the certificate the client has sent, i.e. the client certificate:

Validity: [From: Tue Aug 08 16:26:27 CDT 2017,
           To: Thu Aug 08 16:26:27 CDT 2019]
Issuer: CN=Device CA1 G2 DEV, O=groupc Inc., C=US
SerialNumber: [23415xxxxxxxxxxxxxxxxxxxxxxx]

But neither the debug output nor any packet capture contains information on why the server did not like the certificate. The TLS alert only contains certificate_unknown, without any details.

It might be that it was not issued by a CA trusted by the server for client certificate validation, that intermediate CAs are missing, that the subject is wrong, etc. Maybe you can get more information about this from some logs on the server side.

Steffen Ullrich