Symptoms of issue
When a certificate is issued through an intermediate CA, the error: Unable to get local issuer certificate. <20> is sometimes returned.
2X Remote Application Server – All Versions
This behavior can be encountered when a connection is established against a 2X ClientSecureGateway.
A way around this is to include the certificate information for the Intermediate CA with the domain certificate so that both are verified. This can be done as follows:
1. Have a copy of the Domain Certificate in base-64 encoded X.509 (.CER) format.
Opening the certificate in Notepad will show the certificate which starts and ends with the following tags:
The certificate can be opened and viewed in Windows. By default, Windows opens the file using the Crypto Shell Extensions
2. Open the commercial certificate in Windows and switch to the Certification Path tab.
3. Select the Intermediate CA and select View Certificate
4. The intermediate CA will be available and can be exported in base-64 encoded X.509 (.CER) format from the Details tab > Copy To File.
Opening the exported .cer file for the Intermediate CA in notepad will also show the following tags for the Intermediate CA certificate:
5. As a fix, one would need to put the Intermediate CA information in the domain certificate issued in notepad.
In notepad the certificate would have the following structure:
The top tag would pertain to the domain certificate, where as the bottom one would contain the Intermediate CA one.
Importing this new modified certificate alongside your private key in your 2X ClientSecureGateway will address this behavior.
The Root CA does not require this operation as all supported Root CAs are listed in the trusted.pem files available on Client Installations as well as within the 2X Remote Application Server installation directory.