SSL Proxy might fail with "Failed to create authority key identifier extension" and "unable to get issuer keyid" after upgrading to SGOS 6.3 and above

Solution

Overview

SSL Proxy might fail after upgrading to SGOS 6.3, 6.4 and 6.5. The following messages are logged in the Event Log:

- Failed to create authority key identifier extension

- unable to get issuer keyid

 

Cause
Resolution

The code in SGOS 6.3, 6.4 and 6.5 has been tightened to ensure that ssl.forward_proxy.issuer_keyring is indeed a CA. SSL Proxy checks the certificate for the key identifier extensions listed in the note below, and interception fails when they are missing. This does not mean that you cannot use a self-signed certificate for SSL interception.

To address the problem:

1. Create a new Certificate Signing Request (000008819)

2. Sign the CSR with your Certificate Authority

3. Import the new certificate into your list of CAs (000011775)

Note: It is important that the new certificate you are using for interception holds the following extensions:

        X509v3 extensions:
            X509v3 Subject Key Identifier:
            X509v3 Authority Key Identifier:

If you are using XCA (http://xca.sourceforge.net/) to sign your certificate, these extensions can be found under 'Extensions --> Key Identifier'.
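
A pre-import check for the two extensions named in the note above, as an added example that is not part of the original article or of the SGOS tooling. It assumes the `openssl` command line is installed; the function names `check_key_identifiers` and `make_sample_cert` are hypothetical, and `make_sample_cert` only builds constructed, throwaway test certificates.

```shell
#!/bin/sh
# Added example: confirm a PEM certificate carries the Subject Key Identifier
# and Authority Key Identifier extensions before importing it.

# Returns 0 when both extensions are present, 1 when one is missing
# (each missing extension is named on stdout), 2 when the file cannot be parsed.
check_key_identifiers() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || {
        echo "cannot parse certificate: $1" >&2
        return 2
    }
    rc=0
    for ext in "X509v3 Subject Key Identifier" "X509v3 Authority Key Identifier"; do
        if ! printf '%s\n' "$text" | grep -q "$ext"; then
            echo "missing: $ext"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample input: writes a one-day self-signed CA certificate to $1.
# $2 = "with" requests both key identifier extensions; any other value leaves
# them out of the config, so the result lacks the Authority Key Identifier.
make_sample_cert() {
    dir=$(mktemp -d) || return 1
    {
        printf '[req]\ndistinguished_name = dn\nprompt = no\nx509_extensions = ext\n'
        printf '[dn]\nCN = Constructed Test CA\n'
        printf '[ext]\nbasicConstraints = critical,CA:TRUE\n'
        if [ "$2" = "with" ]; then
            printf 'subjectKeyIdentifier = hash\nauthorityKeyIdentifier = keyid:always\n'
        fi
    } > "$dir/openssl.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/openssl.cnf" \
        -keyout "$dir/key.pem" -out "$1" 2>/dev/null
    status=$?
    rm -rf "$dir"   # the private key is discarded; only the certificate is kept
    return $status
}

# Stand-alone use: sh check.sh /path/to/issuer-cert.pem
if [ $# -gt 0 ]; then
    check_key_identifiers "$1"
fi
```
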

 

Note: If a new keyring was created in this process, you need to change the SSL Proxy Issuer Keyring to the new keyring. To do so, go to Management Console GUI - Configuration - Proxy Settings - SSL Proxy - Issuer Keyring.

InQuira Doc Id: KB5051