ITS#8626 : TLS trace: SSL3 alert write:fatal:certificate unknown - openldap-bugs

30 Mar 2017


      --_000_15687A439BFEE848B596FFB9FB92A77B627F577AMX101CL01corpem_
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
HI
We are using Openldap 2.4.33 (Linux 64 bit  built with RSA MES 3.2.4.3 ) in=
 our application for LDAP synchronization.
We have a customer case where the customer is using a certificate chain. Th=
ey have converted the root and intermediate certificates into pem and are u=
sing the pem to connect to the lDAP server.
We are getting the below error :
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS trace: SSL_connect:SSLv3 process tls extension
TLS trace: SSL_connect:SSL3 post/by-pass tls extension processing
TLS trace: SSL_connect:SSLv3 read server certificate A
TLS certificate verification: depth: 0, err: 0, subject: /CN=3DITSUSRANADC5=
5.na.jnj.com, issuer: /DC=3Dcom/DC=3Djnj/CN=3DJNJ Internal Online CA C2
TLS certificate verification: depth: 1, err: 0, subject: /DC=3Dcom/DC=3Djnj=
/CN=3DJNJ Internal Online CA C2, issuer: /DC=3DCOM/DC=3DJNJ/CN=3DJNJ Intern=
al Root Certification Authority
TLS certificate verification: depth: 2, err: 0, subject: /DC=3DCOM/DC=3DJNJ=
/CN=3DJNJ Internal Root Certification Authority, issuer: /DC=3DCOM/DC=3DJNJ=
/CN=3DJNJ Internal Root Certification Authority
TLS trace: SSL3 alert write:fatal:certificate unknown
TLS trace: SSL_connect:error in SSL3 certificate verify A
TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE=
:certificate verify failed (ok).
After Calling ldap_int_open_connection rc =3D 0
LDAP_SERVER_DOWN
The same certificate (pem) connects perfectly with openssl commands.
[dmfs4adm@itsusral00157 ldapdb]$ openssl s_client -CAfile /dmfs4/apps/docum=
entum/dba/secure/ldapdb/INT-PROD-Root-Intermedia_0320.pem -connect ITSUSRAN=
ADC41.na.j nj.com:3269
CONNECTED(00000003)
depth=3D2 DC =3D COM, DC =3D JNJ, CN =3D JNJ Internal Root Certification Au=
thority
verify return:1
depth=3D1 DC =3D com, DC =3D jnj, CN =3D JNJ Internal Online CA A2
verify return:1
depth=3D0 CN =3D ITSUSRANADC41.na.jnj.com
verify return:1
-
Certificate chain
0 s:/CN=3DITSUSRANADC41.na.jnj.com
i:/DC=3Dcom/DC=3Djnj/CN=3DJNJ Internal Online CA A2
1 s:/DC=3Dcom/DC=3Djnj/CN=3DJNJ Internal Online CA A2
i:/DC=3DCOM/DC=3DJNJ/CN=3DJNJ Internal Root Certification Authority
-
Server certificate
----BEGIN CERTIFICATE----
MIIG0zCCBbugAwIBAgIKNPjZjAAAANPqDjANBgkqhkiG9w0BAQUFADBOMRMwEQYK
CZImiZPyLGQBGRYDY29tMRMwEQYKCZImiZPyLGQBGRYDam5qMSIwIAYDVQQDExlK
TkogSW50ZXJuYWwgT25saW5lIENBIEEyMB4XDTE2MDkwNjIzMTI0M1oXDTE3MDkw
NjIzMTI0M1owIzEhMB8GA1UEAxMYSVRTVVNSQU5BREM0MS5uYS5qbmouY29tMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlmJd7MNGtotF5zXbWJdSaezG
LDk1ty98yceBIDz6P1JIYAP84QtEMA+xO3GW7Y+oPjBtMjoEd7P1gLmCVxC9zf69
GNOgYjMsjo4QbynPcgcxMGnpwj8yHQVPLkRe7Do2qpfDz3jhVRT7cJ+u3xu+z66x
/JbhCrySeekqL9O6O96YpqMFi+897Lgg9QPphjgrvrD5VmxHfH0V7p7sc/DcIufJ
Ifjj7DGotaffcc90VZxj+vQd1iO5AchaDkIUiPLES9AsbcXei8Fau6pcFKpQBh5l
fynm73EU01FP+RN//6WpyoIVXVc5uTE9ua7q+O2nGb46FnKlegGpI3iJCh5NJwID
AQABo4ID3DCCA9gwOwYJKwYBBAGCNxUHBC4wLAYkKwYBBAGCNxUIgtGfI5rtGIad
nTSHnpIqh8HUUmmEo+JQuZUUAgFkAgEFMDMGA1UdJQQsMCoGCCsGAQUFCAICBgor
BgEEAYI3FAICBggrBgEFBQcDAQYIKwYBBQUHAwIwDgYDVR0PAQH/BAQDAgWgMBgG
A1UdIAQRMA8wDQYLYIZIAYb4AgMCAQowQQYJKwYBBAGCNxUKBDQwMjAKBggrBgEF
BQgCAjAMBgorBgEEAYI3FAICMAoGCCsGAQUFBwMBMAoGCCsGAQUFBwMCMIGjBgNV
HREEgZswgZiCGElUU1VTUkFOQURDNDEubmEuam5qLmNvbYIKbmEuam5qLmNvbYIN
bmFkaXIuam5qLmNvbYITbmFsZWdhY3lkaXIuam5qLmNvbYITbmFuZXh0b3NkaXIu
am5qLmNvbYIQbmFpY2VkaXIuam5qLmNvbYIUbmFzcGVjaWFsZGlyLmpuai5jb22C
D25hZndkaXIuam5qLmNvbTAdBgNVHQ4EFgQU11fVbuyGZpo8ApfMelvW1TFrH3ow
HwYDVR0jBBgwFoAUhlNccpOupTSpisgGUUr+XzVQOeEwggEJBgNVHR8EggEAMIH9
MIH6oIH3oIH0hoHKbGRhcDovLy9DTj1KTkolMjBJbnRlcm5hbCUyME9ubGluZSUy
MENBJTIwQTIsQ049SVRTVVNSQUpOSkNBMyxDTj1DRFAsQ049UHVibGljJTIwS2V5
JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1qbmos
REM9Y29tP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9vYmplY3RDbGFz
cz1jUkxEaXN0cmlidXRpb25Qb2ludIYlaHR0cDovL2ludHByb2Rjcmwuam5qLmNv
bS9pbnRjYWEyLmNybDCCAQIGCCsGAQUFBwEBBIH1MIHyMIG8BggrBgEFBQcwAoaB
r2xkYXA6Ly8vQ049Sk5KJTIwSW50ZXJuYWwlMjBPbmxpbmUlMjBDQSUyMEEyLENO
PUFJQSxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2aWNlcyxDTj1D
b25maWd1cmF0aW9uLERDPWpuaixEQz1jb20/Y0FDZXJ0aWZpY2F0ZT9iYXNlP29i
amVjdENsYXNzPWNlcnRpZmljYXRpb25BdXRob3JpdHkwMQYIKwYBBQUHMAKGJWh0
dHA6Ly9pbnRwcm9kcGtpLmpuai5jb20vaW50Y2FhMi5wN2MwDQYJKoZIhvcNAQEF
BQADggEBAE1hMzal6XiA0Rz1zsTlqAvZiXJg9urK/FcoeL4kiSGCVXQFPYZPRRG7
cwVBTkqABfNvTr2L7WTr2wqZL25HjY4hphK97I4BvCydpQLCEYPiSatY8kFN8Mpu
rDTqNlzTEKt7qId9yDrsKmOI+Gs3hHrWPri1fdOeSlkwIUN5gKCwdH/h44LYU8Z5
4tSjWAkh0hkOU0pija45i7tkBzTholXoOEmAmv7G9UlhLuk950yLzu58yW4aBda1
rev0YtUsKjpfSbTWRwcxeYhspcEq2oGYsWD47wLxQJXHUiRWcXyYuOKiQiu4gjZ7
hS9/xvPvJ3zvxHoI7qF4A8VBgF8c4lQ=3D
----END CERTIFICATE----
subject=3D/CN=3DITSUSRANADC41.na.jnj.com
issuer=3D/DC=3Dcom/DC=3Djnj/CN=3DJNJ Internal Online CA A2
-
Acceptable client certificate CA names
/CN=3DITSUSRANADC41.na.jnj.com
/C=3DSE/O=3DAddTrust AB/OU=3DAddTrust External TTP Network/CN=3DAddTrust Ex=
ternal CA Roo t
/C=3DUS/O=3DJNJ/OU=3DJNJ Public Key Authorities/CN=3DJNJ 2048bit Root Certi=
fication Auth ority
/C=3DUS/O=3DJNJ/OU=3DJNJ Public Key Authorities/CN=3DJNJ Root Certification=
 Authority
/DC=3DCOM/DC=3DJNJ/CN=3DJNJ Internal Root Certification Authority
/C=3DUS/O=3DVeriSign, Inc./OU=3DVeriSign Trust Network/OU=3D(c) 2008 VeriSi=
gn, Inc. - Fo r authorized use only/CN=3DVeriSign Universal Root Certificat=
ion Authority
/C=3DUS/O=3DVeriSign, Inc./OU=3DVeriSign Trust Network/OU=3D(c) 2006 VeriSi=
gn, Inc. - Fo r authorized use only/CN=3DVeriSign Class 3 Public Primary Ce=
rtification Authority - G5
/C=3DUS/O=3DVeriSign, Inc./OU=3DClass 3 Public Primary Certification Author=
ity
/C=3DUS/O=3DVeriSign, Inc./OU=3DClass 3 Public Primary Certification Author=
ity - G2/OU =3D(c) 1998 VeriSign, Inc. - For authorized use only/OU=3DVeriS=
ign Trust Network
/C=3DUS/ST=3DWashington/L=3DRedmond/O=3DMicrosoft Corporation/CN=3DMicrosof=
t Root Certific ate Authority 2011
/C=3DUS/O=3DGTE Corporation/OU=3DGTE CyberTrust Solutions, Inc./CN=3DGTE Cy=
berTrust Glob al Root
/C=3DIE/O=3DBaltimore/OU=3DCyberTrust/CN=3DBaltimore CyberTrust Root
/C=3DUS/ST=3DWashington/L=3DRedmond/O=3DMicrosoft Corporation/CN=3DMicrosof=
t Root Certific ate Authority 2010
/O=3DSymantec Corporation/CN=3DSymantec Root CA
/OU=3DCopyright (c) 1997 Microsoft Corp./OU=3DMicrosoft Corporation/CN=3DMi=
crosoft Roo t Authority
/C=3DUS/O=3DSymantec Corporation/CN=3DSymantec Root 2005 CA
/DC=3Dcom/DC=3Dmicrosoft/CN=3DMicrosoft Root Certificate Authority
/CN=3DNT AUTHORITY
-
SSL handshake has read 5700 bytes and written 619 bytes
-
New, TLSv1/SSLv3, Cipher is AES128-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : AES128-SHA256
Session-ID: 743C00003D9B50EAA53C45E670C3E9682DBE86BA873CEA5B35BFB16B7CE5A62=
5
Session-ID-ctx:
Master-Key: 0DB1DB6C4E9B3BE57E6E3A38B3A68EACAF96A78650EA978B4A8860B35BBDCCB=
4 61DA777F8C0D83ED53CCFE82748D3F86
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1490103903
Timeout : 300 (sec)
Verify return code: 0 (ok)
-
Could you let us know what we could be missing here?
The pem contains certificates JNJ Internal Root Certification Authority and=
 CN=3DJNJ Internal Online CA C2 .Are we missing  anything here?
Any help would be greatly appreciated.
Thanks
Anitha
--_000_15687A439BFEE848B596FFB9FB92A77B627F577AMX101CL01corpem_
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
<html xmlns:v=3D"urn:schemas-microsoft-com:vml" xmlns:o=3D"urn:schemas-micr=
osoft-com:office:office" xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:m=3D"http://schemas.microsoft.com/office/2004/12/omml" xmlns=3D"http:=
//www.w3.org/TR/REC-html40">
<head>
<meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Dus-ascii"=
...
<meta name=3D"Generator" content=3D"Microsoft Word 14 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
    {font-family:Calibri;
    panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
    {margin:0in;
    margin-bottom:.0001pt;
    font-size:11.0pt;
    font-family:"Calibri","sans-serif";}
a:link, span.MsoHyperlink
    {mso-style-priority:99;
    color:blue;
    text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
    {mso-style-priority:99;
    color:purple;
    text-decoration:underline;}
span.EmailStyle17
    {mso-style-type:personal-compose;
    font-family:"Calibri","sans-serif";
    color:windowtext;}
.MsoChpDefault
    {mso-style-type:export-only;
    font-family:"Calibri","sans-serif";}
@page WordSection1
    {size:8.5in 11.0in;
    margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
    {page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext=3D"edit" spidmax=3D"1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext=3D"edit">
<o:idmap v:ext=3D"edit" data=3D"1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang=3D"EN-US" link=3D"blue" vlink=3D"purple">
<div class=3D"WordSection1">
<p class=3D"MsoNormal">HI<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">We are using Openldap 2.4.33 (Linux 64 bit&nbsp; bui=
lt with RSA MES 3.2.4.3 ) in our application for LDAP synchronization.<o:p>=
</o:p></p>
<p class=3D"MsoNormal">We have a customer case where the customer is using =
a certificate chain. They have converted the root and intermediate certific=
ates into pem and are using the pem to connect to the lDAP server.<o:p></o:=
p></p>
<p class=3D"MsoNormal">We are getting the below error :<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">TLS trace: SSL_connect:before/connect initialization=
<o:p></o:p></p>
<p class=3D"MsoNormal">TLS trace: SSL_connect:SSLv3 write client hello A<o:=
p></o:p></p>
<p class=3D"MsoNormal">TLS trace: SSL_connect:SSLv3 read server hello A<o:p=
...
</o:p></p>
<p class=3D"MsoNormal">TLS trace: SSL_connect:SSLv3 process tls extension<o=
:p></o:p></p>
<p class=3D"MsoNormal">TLS trace: SSL_connect:SSL3 post/by-pass tls extensi=
on processing<o:p></o:p></p>
<p class=3D"MsoNormal">TLS trace: SSL_connect:SSLv3 read server certificate=
 A<o:p></o:p></p>
<p class=3D"MsoNormal">TLS certificate verification: depth: 0, err: 0, subj=
ect: /CN=3DITSUSRANADC55.na.jnj.com, issuer: /DC=3Dcom/DC=3Djnj/CN=3DJNJ In=
ternal Online CA C2<o:p></o:p></p>
<p class=3D"MsoNormal">TLS certificate verification: depth: 1, err: 0, subj=
ect: /DC=3Dcom/DC=3Djnj/CN=3DJNJ Internal Online CA C2, issuer: /DC=3DCOM/D=
C=3DJNJ/CN=3DJNJ Internal Root Certification Authority<o:p></o:p></p>
<p class=3D"MsoNormal">TLS certificate verification: depth: 2, err: 0, subj=
ect: /DC=3DCOM/DC=3DJNJ/CN=3DJNJ Internal Root Certification Authority, iss=
uer: /DC=3DCOM/DC=3DJNJ/CN=3DJNJ Internal Root Certification Authority<o:p>=
</o:p></p>
<p class=3D"MsoNormal"><span style=3D"background:yellow;mso-highlight:yello=
w">TLS trace: SSL3 alert write:fatal:certificate unknown<o:p></o:p></span><=
/p>
<p class=3D"MsoNormal"><span style=3D"background:yellow;mso-highlight:yello=
w">TLS trace: SSL_connect:error in SSL3 certificate verify A<o:p></o:p></sp=
an></p>
<p class=3D"MsoNormal"><span style=3D"background:yellow;mso-highlight:yello=
w">TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFIC=
ATE:certificate verify failed (ok).</span><o:p></o:p></p>
<p class=3D"MsoNormal">After Calling ldap_int_open_connection rc =3D 0<o:p>=
</o:p></p>
<p class=3D"MsoNormal">LDAP_SERVER_DOWN<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">The same certificate (pem) connects perfectly with o=
penssl commands.<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">[dmfs4adm@itsusral00157 ldapdb<span style=3D"backgro=
und:yellow;mso-highlight:yellow">]$ openssl s_client -CAfile /dmfs4/apps/do=
cumentum/dba/secure/ldapdb/INT-PROD-Root-Intermedia_0320.pem -connect ITSUS=
RANADC41.na.j nj.com:3269</span><o:p></o:p></p>
<p class=3D"MsoNormal">CONNECTED(00000003)<o:p></o:p></p>
<p class=3D"MsoNormal">depth=3D2 DC =3D COM, DC =3D JNJ, CN =3D JNJ Interna=
l Root Certification Authority<o:p></o:p></p>
<p class=3D"MsoNormal">verify return:1<o:p></o:p></p>
<p class=3D"MsoNormal">depth=3D1 DC =3D com, DC =3D jnj, CN =3D JNJ Interna=
l Online CA A2<o:p></o:p></p>
<p class=3D"MsoNormal">verify return:1<o:p></o:p></p>
<p class=3D"MsoNormal">depth=3D0 CN =3D ITSUSRANADC41.na.jnj.com<o:p></o:p>=
</p>
<p class=3D"MsoNormal">verify return:1<o:p></o:p></p>
<p class=3D"MsoNormal">&#8212;<o:p></o:p></p>
<p class=3D"MsoNormal">Certificate chain<o:p></o:p></p>
<p class=3D"MsoNormal">0 s:/CN=3DITSUSRANADC41.na.jnj.com<o:p></o:p></p>
<p class=3D"MsoNormal">i:/DC=3Dcom/DC=3Djnj/CN=3DJNJ Internal Online CA A2<=
o:p></o:p></p>
<p class=3D"MsoNormal">1 s:/DC=3Dcom/DC=3Djnj/CN=3DJNJ Internal Online CA A=
2<o:p></o:p></p>
<p class=3D"MsoNormal">i:/DC=3DCOM/DC=3DJNJ/CN=3DJNJ Internal Root Certific=
ation Authority<o:p></o:p></p>
<p class=3D"MsoNormal">&#8212;<o:p></o:p></p>
<p class=3D"MsoNormal">Server certificate<o:p></o:p></p>
<p class=3D"MsoNormal">----BEGIN CERTIFICATE----<o:p></o:p></p>
<p class=3D"MsoNormal">MIIG0zCCBbugAwIBAgIKNPjZjAAAANPqDjANBgkqhkiG9w0BAQUF=
ADBOMRMwEQYK<o:p></o:p></p>
<p class=3D"MsoNormal">CZImiZPyLGQBGRYDY29tMRMwEQYKCZImiZPyLGQBGRYDam5qMSIw=
IAYDVQQDExlK<o:p></o:p></p>
<p class=3D"MsoNormal">TkogSW50ZXJuYWwgT25saW5lIENBIEEyMB4XDTE2MDkwNjIzMTI0=
M1oXDTE3MDkw<o:p></o:p></p>
<p class=3D"MsoNormal">NjIzMTI0M1owIzEhMB8GA1UEAxMYSVRTVVNSQU5BREM0MS5uYS5q=
bmouY29tMIIB<o:p></o:p></p>
<p class=3D"MsoNormal">IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAlmJd7MNGtotF=
5zXbWJdSaezG<o:p></o:p></p>
<p class=3D"MsoNormal">LDk1ty98yceBIDz6P1JIYAP84QtEMA&#43;xO3GW7Y&#43;oPjBt=
MjoEd7P1gLmCVxC9zf69<o:p></o:p></p>
<p class=3D"MsoNormal">GNOgYjMsjo4QbynPcgcxMGnpwj8yHQVPLkRe7Do2qpfDz3jhVRT7=
cJ&#43;u3xu&#43;z66x<o:p></o:p></p>
<p class=3D"MsoNormal">/JbhCrySeekqL9O6O96YpqMFi&#43;897Lgg9QPphjgrvrD5VmxH=
fH0V7p7sc/DcIufJ<o:p></o:p></p>
<p class=3D"MsoNormal">Ifjj7DGotaffcc90VZxj&#43;vQd1iO5AchaDkIUiPLES9AsbcXe=
i8Fau6pcFKpQBh5l<o:p></o:p></p>
<p class=3D"MsoNormal">fynm73EU01FP&#43;RN//6WpyoIVXVc5uTE9ua7q&#43;O2nGb46=
FnKlegGpI3iJCh5NJwID<o:p></o:p></p>
<p class=3D"MsoNormal">AQABo4ID3DCCA9gwOwYJKwYBBAGCNxUHBC4wLAYkKwYBBAGCNxUI=
gtGfI5rtGIad<o:p></o:p></p>
<p class=3D"MsoNormal">nTSHnpIqh8HUUmmEo&#43;JQuZUUAgFkAgEFMDMGA1UdJQQsMCoG=
CCsGAQUFCAICBgor<o:p></o:p></p>
<p class=3D"MsoNormal">BgEEAYI3FAICBggrBgEFBQcDAQYIKwYBBQUHAwIwDgYDVR0PAQH/=
BAQDAgWgMBgG<o:p></o:p></p>
<p class=3D"MsoNormal">A1UdIAQRMA8wDQYLYIZIAYb4AgMCAQowQQYJKwYBBAGCNxUKBDQw=
MjAKBggrBgEF<o:p></o:p></p>
<p class=3D"MsoNormal">BQgCAjAMBgorBgEEAYI3FAICMAoGCCsGAQUFBwMBMAoGCCsGAQUF=
BwMCMIGjBgNV<o:p></o:p></p>
<p class=3D"MsoNormal">HREEgZswgZiCGElUU1VTUkFOQURDNDEubmEuam5qLmNvbYIKbmEu=
am5qLmNvbYIN<o:p></o:p></p>
<p class=3D"MsoNormal">bmFkaXIuam5qLmNvbYITbmFsZWdhY3lkaXIuam5qLmNvbYITbmFu=
ZXh0b3NkaXIu<o:p></o:p></p>
<p class=3D"MsoNormal">am5qLmNvbYIQbmFpY2VkaXIuam5qLmNvbYIUbmFzcGVjaWFsZGly=
Lmpuai5jb22C<o:p></o:p></p>
<p class=3D"MsoNormal">D25hZndkaXIuam5qLmNvbTAdBgNVHQ4EFgQU11fVbuyGZpo8ApfM=
elvW1TFrH3ow<o:p></o:p></p>
<p class=3D"MsoNormal">HwYDVR0jBBgwFoAUhlNccpOupTSpisgGUUr&#43;XzVQOeEwggEJ=
BgNVHR8EggEAMIH9<o:p></o:p></p>
<p class=3D"MsoNormal">MIH6oIH3oIH0hoHKbGRhcDovLy9DTj1KTkolMjBJbnRlcm5hbCUy=
ME9ubGluZSUy<o:p></o:p></p>
<p class=3D"MsoNormal">MENBJTIwQTIsQ049SVRTVVNSQUpOSkNBMyxDTj1DRFAsQ049UHVi=
bGljJTIwS2V5<o:p></o:p></p>
<p class=3D"MsoNormal">JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlv=
bixEQz1qbmos<o:p></o:p></p>
<p class=3D"MsoNormal">REM9Y29tP2NlcnRpZmljYXRlUmV2b2NhdGlvbkxpc3Q/YmFzZT9v=
YmplY3RDbGFz<o:p></o:p></p>
<p class=3D"MsoNormal">cz1jUkxEaXN0cmlidXRpb25Qb2ludIYlaHR0cDovL2ludHByb2Rj=
cmwuam5qLmNv<o:p></o:p></p>
<p class=3D"MsoNormal">bS9pbnRjYWEyLmNybDCCAQIGCCsGAQUFBwEBBIH1MIHyMIG8Bggr=
BgEFBQcwAoaB<o:p></o:p></p>
<p class=3D"MsoNormal">r2xkYXA6Ly8vQ049Sk5KJTIwSW50ZXJuYWwlMjBPbmxpbmUlMjBD=
QSUyMEEyLENO<o:p></o:p></p>
<p class=3D"MsoNormal">PUFJQSxDTj1QdWJsaWMlMjBLZXklMjBTZXJ2aWNlcyxDTj1TZXJ2=
aWNlcyxDTj1D<o:p></o:p></p>
<p class=3D"MsoNormal">b25maWd1cmF0aW9uLERDPWpuaixEQz1jb20/Y0FDZXJ0aWZpY2F0=
ZT9iYXNlP29i<o:p></o:p></p>
<p class=3D"MsoNormal">amVjdENsYXNzPWNlcnRpZmljYXRpb25BdXRob3JpdHkwMQYIKwYB=
BQUHMAKGJWh0<o:p></o:p></p>
<p class=3D"MsoNormal">dHA6Ly9pbnRwcm9kcGtpLmpuai5jb20vaW50Y2FhMi5wN2MwDQYJ=
KoZIhvcNAQEF<o:p></o:p></p>
<p class=3D"MsoNormal">BQADggEBAE1hMzal6XiA0Rz1zsTlqAvZiXJg9urK/FcoeL4kiSGC=
VXQFPYZPRRG7<o:p></o:p></p>
<p class=3D"MsoNormal">cwVBTkqABfNvTr2L7WTr2wqZL25HjY4hphK97I4BvCydpQLCEYPi=
SatY8kFN8Mpu<o:p></o:p></p>
<p class=3D"MsoNormal">rDTqNlzTEKt7qId9yDrsKmOI&#43;Gs3hHrWPri1fdOeSlkwIUN5=
gKCwdH/h44LYU8Z5<o:p></o:p></p>
<p class=3D"MsoNormal">4tSjWAkh0hkOU0pija45i7tkBzTholXoOEmAmv7G9UlhLuk950yL=
zu58yW4aBda1<o:p></o:p></p>
<p class=3D"MsoNormal">rev0YtUsKjpfSbTWRwcxeYhspcEq2oGYsWD47wLxQJXHUiRWcXyY=
uOKiQiu4gjZ7<o:p></o:p></p>
<p class=3D"MsoNormal">hS9/xvPvJ3zvxHoI7qF4A8VBgF8c4lQ=3D<o:p></o:p></p>
<p class=3D"MsoNormal">----END CERTIFICATE----<o:p></o:p></p>
<p class=3D"MsoNormal">subject=3D/CN=3DITSUSRANADC41.na.jnj.com<o:p></o:p><=
/p>
<p class=3D"MsoNormal">issuer=3D/DC=3Dcom/DC=3Djnj/CN=3DJNJ Internal Online=
 CA A2<o:p></o:p></p>
<p class=3D"MsoNormal">&#8212;<o:p></o:p></p>
<p class=3D"MsoNormal">Acceptable client certificate CA names<o:p></o:p></p=
...
<p class=3D"MsoNormal">/CN=3DITSUSRANADC41.na.jnj.com<o:p></o:p></p>
<p class=3D"MsoNormal">/C=3DSE/O=3DAddTrust AB/OU=3DAddTrust External TTP N=
etwork/CN=3DAddTrust External CA Roo t<o:p></o:p></p>
<p class=3D"MsoNormal">/C=3DUS/O=3DJNJ/OU=3DJNJ Public Key Authorities/CN=
=3DJNJ 2048bit Root Certification Auth ority<o:p></o:p></p>
<p class=3D"MsoNormal">/C=3DUS/O=3DJNJ/OU=3DJNJ Public Key Authorities/CN=
=3DJNJ Root Certification Authority<o:p></o:p></p>
<p class=3D"MsoNormal">/DC=3DCOM/DC=3DJNJ/CN=3DJNJ Internal Root Certificat=
ion Authority<o:p></o:p></p>
<p class=3D"MsoNormal">/C=3DUS/O=3DVeriSign, Inc./OU=3DVeriSign Trust Netwo=
rk/OU=3D(c) 2008 VeriSign, Inc. - Fo r authorized use only/CN=3DVeriSign Un=
iversal Root Certification Authority<o:p></o:p></p>
<p class=3D"MsoNormal">/C=3DUS/O=3DVeriSign, Inc./OU=3DVeriSign Trust Netwo=
rk/OU=3D(c) 2006 VeriSign, Inc. - Fo r authorized use only/CN=3DVeriSign Cl=
ass 3 Public Primary Certification Authority - G5<o:p></o:p></p>
<p class=3D"MsoNormal">/C=3DUS/O=3DVeriSign, Inc./OU=3DClass 3 Public Prima=
ry Certification Authority<o:p></o:p></p>
<p class=3D"MsoNormal">/C=3DUS/O=3DVeriSign, Inc./OU=3DClass 3 Public Prima=
ry Certification Authority - G2/OU =3D(c) 1998 VeriSign, Inc. - For authori=
zed use only/OU=3DVeriSign Trust Network<o:p></o:p></p>
<p class=3D"MsoNormal">/C=3DUS/ST=3DWashington/L=3DRedmond/O=3DMicrosoft Co=
rporation/CN=3DMicrosoft Root Certific ate Authority 2011<o:p></o:p></p>
<p class=3D"MsoNormal">/C=3DUS/O=3DGTE Corporation/OU=3DGTE CyberTrust Solu=
tions, Inc./CN=3DGTE CyberTrust Glob al Root<o:p></o:p></p>
<p class=3D"MsoNormal">/C=3DIE/O=3DBaltimore/OU=3DCyberTrust/CN=3DBaltimore=
 CyberTrust Root<o:p></o:p></p>
<p class=3D"MsoNormal">/C=3DUS/ST=3DWashington/L=3DRedmond/O=3DMicrosoft Co=
rporation/CN=3DMicrosoft Root Certific ate Authority 2010<o:p></o:p></p>
<p class=3D"MsoNormal">/O=3DSymantec Corporation/CN=3DSymantec Root CA<o:p>=
</o:p></p>
<p class=3D"MsoNormal">/OU=3DCopyright (c) 1997 Microsoft Corp./OU=3DMicros=
oft Corporation/CN=3DMicrosoft Roo t Authority<o:p></o:p></p>
<p class=3D"MsoNormal">/C=3DUS/O=3DSymantec Corporation/CN=3DSymantec Root =
2005 CA<o:p></o:p></p>
<p class=3D"MsoNormal">/DC=3Dcom/DC=3Dmicrosoft/CN=3DMicrosoft Root Certifi=
cate Authority<o:p></o:p></p>
<p class=3D"MsoNormal">/CN=3DNT AUTHORITY<o:p></o:p></p>
<p class=3D"MsoNormal">&#8212;<o:p></o:p></p>
<p class=3D"MsoNormal">SSL handshake has read 5700 bytes and written 619 by=
tes<o:p></o:p></p>
<p class=3D"MsoNormal">&#8212;<o:p></o:p></p>
<p class=3D"MsoNormal">New, TLSv1/SSLv3, Cipher is AES128-SHA256<o:p></o:p>=
</p>
<p class=3D"MsoNormal">Server public key is 2048 bit<o:p></o:p></p>
<p class=3D"MsoNormal">Secure Renegotiation IS supported<o:p></o:p></p>
<p class=3D"MsoNormal">Compression: NONE<o:p></o:p></p>
<p class=3D"MsoNormal">Expansion: NONE<o:p></o:p></p>
<p class=3D"MsoNormal">SSL-Session:<o:p></o:p></p>
<p class=3D"MsoNormal">Protocol : TLSv1.2<o:p></o:p></p>
<p class=3D"MsoNormal">Cipher : AES128-SHA256<o:p></o:p></p>
<p class=3D"MsoNormal">Session-ID: 743C00003D9B50EAA53C45E670C3E9682DBE86BA=
873CEA5B35BFB16B7CE5A625<o:p></o:p></p>
<p class=3D"MsoNormal">Session-ID-ctx:<o:p></o:p></p>
<p class=3D"MsoNormal">Master-Key: 0DB1DB6C4E9B3BE57E6E3A38B3A68EACAF96A786=
50EA978B4A8860B35BBDCCB4 61DA777F8C0D83ED53CCFE82748D3F86<o:p></o:p></p>
<p class=3D"MsoNormal">Key-Arg : None<o:p></o:p></p>
<p class=3D"MsoNormal">Krb5 Principal: None<o:p></o:p></p>
<p class=3D"MsoNormal">PSK identity: None<o:p></o:p></p>
<p class=3D"MsoNormal">PSK identity hint: None<o:p></o:p></p>
<p class=3D"MsoNormal">Start Time: 1490103903<o:p></o:p></p>
<p class=3D"MsoNormal">Timeout : 300 (sec)<o:p></o:p></p>
<p class=3D"MsoNormal"><span style=3D"background:yellow;mso-highlight:yello=
w">Verify return code: 0 (ok)</span><o:p></o:p></p>
<p class=3D"MsoNormal">&#8212;<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">Could you let us know what we could be missing here?=
<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">The pem contains certificates JNJ Internal Root Cert=
ification Authority and CN=3DJNJ Internal Online CA C2 .Are we missing &nbs=
p;anything here?<o:p></o:p></p>
<p class=3D"MsoNormal">Any help would be greatly appreciated.<o:p></o:p></p=
...
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal">Thanks<o:p></o:p></p>
<p class=3D"MsoNormal">Anitha<o:p></o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
<p class=3D"MsoNormal"><o:p>&nbsp;</o:p></p>
</div>
</body>
</html>
--_000_15687A439BFEE848B596FFB9FB92A77B627F577AMX101CL01corpem_--