Troubleshooting guidelines for common certificate issues

Last Updated: May 26, 2021

Certificate expired

The lifespan of identity certificates is usually shorter than that of CA certificates. When you attempt to use a certificate that is no longer valid, the TLS connection fails with the certificate_expired (45) description in the TLS Alert message. You can see this with a Wireshark capture on the specific port.

Some services will fail to start if the identity certificate they use has expired. For more information, see the corresponding log files.

Identity certificate not trusted (unknown CA)

When a TLS service connects to a peer device and the peer device presents its identity certificate, the issuer of that certificate needs to be trusted in order for the connection to be established. If that is not the case, the TLS handshake fails with the unknown_ca (48) description in the TLS Alert message.

Unsupported certificate

When an identity certificate does not contain all the correct attributes, the TLS handshake can fail with the unsupported_certificate (43) description in the TLS Alert message. The certificate attributes that are usually misconfigured are those in the Key Usage and Extended Key Usage extensions.

Certificate not yet valid

A newly generated identity certificate with a current "Valid From" date and time might not be valid for the peer device validating it. Check that the clocks on both devices are in sync.

Certificate revoked

The certificate has been placed on a CRL and must be replaced.
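As an added example that is not part of the original guide, the Python below decodes a TLS alert record as captured by Wireshark and maps the alert descriptions discussed in the sections above to their likely certificate cause, and it also classifies a certificate's validity window against the validator's clock, which is the check behind the "Certificate not yet valid" and "Certificate expired" sections. The record bytes, dates and the `skew_seconds` tolerance are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta

# TLS alert descriptions (RFC 5246 values) paired with the troubleshooting hint
# from the sections above; 44 is certificate_revoked, which the guide names
# without quoting its number.
ALERT_HINTS = {
    43: ("unsupported_certificate", "check the Key Usage / Extended Key Usage extensions"),
    44: ("certificate_revoked", "certificate is on a CRL; replace it"),
    45: ("certificate_expired", "identity certificate is past its validity period; renew it"),
    48: ("unknown_ca", "issuer is not trusted by the peer; install the CA chain"),
}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
CONTENT_TYPE_ALERT = 0x15  # TLS record content type for alerts


def decode_tls_alert(record: bytes):
    """Decode a TLS alert record: type(1) version(2) length(2) level(1) description(1).

    Returns None when the record is not an alert, otherwise a dict with the
    alert level, description code, its name and a troubleshooting hint.
    """
    if len(record) < 7:
        raise ValueError("record too short for a TLS alert")
    content_type, version, length = struct.unpack("!BHH", record[:5])
    if content_type != CONTENT_TYPE_ALERT:
        return None
    if length != 2:
        raise ValueError("malformed alert record: payload length must be 2")
    level, description = record[5], record[6]
    name, hint = ALERT_HINTS.get(description, (f"alert_{description}", "see RFC 5246 section 7.2"))
    return {"version": version, "level": ALERT_LEVELS.get(level, "unknown"),
            "description": description, "name": name, "hint": hint}


def validity_status(not_before: str, not_after: str, now: str, skew_seconds: int = 0) -> str:
    """Classify a validity window (ISO 8601 strings) against the validator's clock.

    skew_seconds is a constructed tolerance; the guide's advice is to keep the
    clocks in sync rather than to rely on it.
    """
    nb, na, t = (datetime.fromisoformat(s) for s in (not_before, not_after, now))
    tol = timedelta(seconds=skew_seconds)
    if t + tol < nb:
        return "not yet valid"
    if t - tol > na:
        return "expired"
    return "valid"


# Constructed sample: a fatal certificate_expired alert from a TLS 1.2 peer.
SAMPLE_ALERT = bytes.fromhex("15 03 03 00 02 02 2d")
```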