Knowledgebase
Unable to get local issuer certificate. <20>
Posted by Christopher Flores on 13 August 2014 08:53 AM

Symptoms of issue

When a certificate is issued through an intermediate CA, the error: Unable to get local issuer certificate. <20> is sometimes returned.

Versions affected

2X Remote Application Server  – All Versions

Description/Fix

This behavior can be encountered when a connection is established against a 2X ClientSecureGateway.

A way around this is to include the certificate information for the Intermediate CA with the domain certificate so that both are verified. This can be done as follows:

1. Have a copy of the Domain Certificate in base-64 encoded X.509 (.CER) format.

Opening the certificate in Notepad will show the certificate which starts and ends with the following tags:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

The certificate can be opened and viewed in Windows. By default, Windows opens the file using the Crypto Shell Extensions

2. Open the commercial certificate in Windows and switch to the Certification Path tab.

3. Select the Intermediate CA and select View Certificate

4. The intermediate CA will be available and can be exported in base-64 encoded X.509 (.CER) format from the Details tab > Copy To File.

Opening the exported .cer file for the Intermediate CA in notepad will also show the following tags for the Intermediate CA certificate:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

5. As a fix, one would need to put the Intermediate CA information in the domain certificate issued in notepad.

In notepad the certificate would have the following structure:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

The top tag would pertain to the domain certificate, where as the bottom one would contain the Intermediate CA one.

Importing this new modified certificate alongside your private key in your 2X ClientSecureGateway will address this behavior.

Notes

The Root CA does not require this operation as all supported Root CAs are listed in the trusted.pem files available on Client Installations as well as within the 2X Remote Application Server installation directory.

(5 vote(s))
Helpful
Not helpful

Comments (0)
Post a new comment
 
 
Full Name:
Email:
Comments: