
Windows Certificate Store and CA chain validation

dgrehs (Daniel Grehs), Member
edited November 2020 in Comments

Hi,
Could you please help me to setup ICE configs to use the Windows Certificate Store for CA chain validation?

The server side [Win10 / ICE 3.7.2] has a root CA certificate in "Local Computer\Trusted Root Certification Authorities\Certificates", and an application certificate imported into "Local Computer\Personal\Certificates".
The ICE configs, related to the CA validation, are defined as:
IceSSL.VerifyPeer=0
IceSSL.FindCert=thumbprint:thumbprint_of_app_stored_certificate
IceSSL.CertStore=My
IceSSL.CertStoreLocation=LocalMachine

The client side [Win10 / ICE 3.7.2] has the same root CA certificate in "Local Computer\Trusted Root Certification Authorities\Certificates".
ICE configurations, related to the CA validation, are defined as:
IceSSL.VerifyPeer=1
IceSSL.UsePlatformCAs=1

But, when I try to establish the connection, I get the following errors (provided by Ice.Trace):

Security certificate verification failure
issuer = /O=content/CN=content
subject = /O=content/CN=content
depth = 0
error = unable to get local issuer certificate
local address = 192.168.162.1content
remote address = 192.168.162.132:content

Security certificate verification failure
issuer = /O=content/CN=content
subject = /O=content/CN=content
depth = 0
error = unable to verify the first certificate
local address = 192.168.162.1:content
remote address = 192.168.162.132:content

Network IceSSL: certificate verification failed:
unable to verify the first certificate

However, if I configure the client side to use "IceSSL.CAs=C:\testcerts\rootCA.cer" directly, instead of the Windows Certificate Store (IceSSL.UsePlatformCAs=1), it works as expected.

Besides that, I did the same test using a simple client-server C++ program (instead of our client-server C++ solution), with only the CA-related ICE properties defined, and the connection works (same systems and same certificates). Based on that, I suspect an ICE property conflict at this point.


Comments

  • benoit (Benoit Foucher), ZeroC Staff, Rennes, France

    Hi,

    Can you try to set IceSSL.CertStoreLocation=LocalMachine on the client side as well?

    This property also instructs the client side to use either the local machine or the current user certificate chain engine for certificate verification. We will fix the 3.7 documentation to mention this, as it's currently missing from the property description... but we should probably also use a separate property for this purpose in a future version.

    Cheers,
    Benoit

  • dgrehs (Daniel Grehs), Member

    Hello @benoit,

    The issue remains, even with "IceSSL.CertStoreLocation=LocalMachine" definition.
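As an added example that is not part of the thread above (and not ZeroC's or IceSSL's own code), the following PowerShell reproduces, outside of Ice, the check the client fails in the trace: it locates the application certificate by thumbprint in Local Computer\Personal (the IceSSL.FindCert / CertStore / CertStoreLocation settings from the post), builds its chain with both the LocalMachine and the CurrentUser chain engine (the distinction Benoit's reply attributes to IceSSL.CertStoreLocation), and then checks whether the issuer named on the certificate is really present in Local Computer\Trusted Root Certification Authorities, which is what "unable to get local issuer certificate" complains about. The thumbprint placeholder is the one from the post and is an assumption to be replaced; disabling revocation checking is an assumption for an offline lab and is not an IceSSL setting.

```powershell
# Added diagnostic, not from the thread or from IceSSL. Run in an elevated
# PowerShell on the server (or on the client against the server's cert).
param(
    # Placeholder from the post; replace with the real SHA-1 thumbprint.
    [string]$Thumbprint = 'thumbprint_of_app_stored_certificate'
)

# IceSSL.CertStore=My + IceSSL.CertStoreLocation=LocalMachine => Cert:\LocalMachine\My
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpperInvariant() }
if (-not $cert) {
    throw "No certificate with thumbprint $Thumbprint in LocalMachine\My"
}

function Test-ChainWithEngine {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [bool]$MachineContext   # $true = LocalMachine chain engine, $false = CurrentUser
    )
    # X509Chain(bool useMachineContext) selects the chain engine, the same
    # choice Benoit describes IceSSL.CertStoreLocation making for verification.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($MachineContext)
    # Assumption for an offline lab: skip CRL/OCSP so only trust/issuer problems show up.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag
    $ok = $chain.Build($Certificate)
    [pscustomobject]@{
        Engine = $(if ($MachineContext) { 'LocalMachine' } else { 'CurrentUser' })
        Valid  = $ok
        # Empty when the chain is fine; otherwise e.g. PartialChain / UntrustedRoot.
        Status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        # Leaf first, then each issuer that the engine managed to find.
        Chain  = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
    }
}

Test-ChainWithEngine -Certificate $cert -MachineContext $true
Test-ChainWithEngine -Certificate $cert -MachineContext $false

# Is the issuer named on the leaf actually in Local Computer\Trusted Root CAs?
# A PartialChain result above with nothing listed here means the root was
# imported somewhere else (e.g. the current user's store) or under another name.
$issuerInRoot = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $cert.Issuer }
if ($issuerInRoot) {
    $issuerInRoot | Select-Object Subject, Thumbprint, NotAfter
} else {
    Write-Warning "Issuer '$($cert.Issuer)' not found in LocalMachine\Root"
}
```

If the LocalMachine run reports Valid = True while the CurrentUser run reports PartialChain, the root is only in the machine store and the client must be told to use the machine chain engine (Benoit's suggestion of IceSSL.CertStoreLocation=LocalMachine on the client). If both runs fail with PartialChain and the final lookup warns, the chain cannot be built from the Windows store at all, which matches the trace while a direct IceSSL.CAs file still works.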
