KB1024 - Certificate chain too long
Last update: 2007-06-07 09:55:05
Revision: 6
Keywords: product_zorp zms pki ssl error

Applies to: Zorp 3.0 or newer

Question

What causes the 'certificate chain is too long' error message and how can the problem be solved?

Cause

This message means that Zorp could not verify the certificate of the peer (i.e. the client or the server), because the certificate was issued by a low-level Certificate Authority (a subCA). When a certificate is signed by an unknown CA, Zorp follows the certificate chain of the subCA, trying to find the root CA. The number of steps Zorp is allowed to check in the CA chain is limited; the above error message means that this limit has been reached.

Solution

Increase the self.server_verify_depth or the self.client_verify_depth parameter of the Pssl proxy class used in the service (default value is 3).
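
The following sketch is an added example, not Zorp code: it models the chain walk described under Cause so you can work out the smallest verify depth a given chain needs before raising the parameter. The CA names are constructed, and it assumes that one "step" is one issuer hop from the peer certificate towards a trusted root; the exact counting inside Zorp may differ, and no signatures are checked here.

```python
# Added illustration (not Zorp source): models following issuers up to a root.
# Constructed sample data: subject -> issuer. All names are hypothetical.
ISSUERS = {
    "www.example.test": "Example Sub CA B",
    "Example Sub CA B": "Example Sub CA A",
    "Example Sub CA A": "Example Policy CA",
    "Example Policy CA": "Example Root CA",
    "Example Root CA": "Example Root CA",      # self-signed root
    "rogue.example.test": "Unknown Self-Signed",
    "Unknown Self-Signed": "Unknown Self-Signed",
}
TRUSTED_ROOTS = {"Example Root CA"}
DEFAULT_VERIFY_DEPTH = 3  # default value stated in this article


def steps_to_trusted_root(subject, issuers, trusted):
    """Count issuer hops from subject to a trusted root.

    Returns None when the chain is broken, loops, or ends in an
    untrusted self-signed certificate.
    """
    steps, seen, current = 0, set(), subject
    while current not in trusted:
        if current in seen or current not in issuers:
            return None
        seen.add(current)
        current = issuers[current]
        steps += 1
    return steps


def verify(subject, issuers, trusted, verify_depth=DEFAULT_VERIFY_DEPTH):
    """Return 'ok', 'certificate chain too long' or 'untrusted chain'."""
    needed = steps_to_trusted_root(subject, issuers, trusted)
    if needed is None:
        # Raising the depth cannot help: no trusted root is reachable.
        return "untrusted chain"
    if needed > verify_depth:
        return "certificate chain too long"
    return "ok"


if __name__ == "__main__":
    peer = "www.example.test"
    print("steps needed:", steps_to_trusted_root(peer, ISSUERS, TRUSTED_ROOTS))
    print("depth 3:", verify(peer, ISSUERS, TRUSTED_ROOTS))
    print("depth 4:", verify(peer, ISSUERS, TRUSTED_ROOTS, verify_depth=4))
```

Set the depth to the smallest value that covers your longest legitimate chain rather than to an arbitrarily large number, so that unexpectedly deep chains are still rejected.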

Additional information / References

For more information on CA chains, see the Centralized PKI system section in the Zorp Administrator's Guide available at
http://www.balabit.com/dl/html/zorp-admin-guide.html/bk01-toc.html#pki_centralized
