This is a common problem across many different platforms. You generate a CSR, get a certificate but forget or don’t realize that besides installing the signed certificate you need to install the CA (Certificate Authority) Intermediate certificate. As a result some of the older browsers may complain about an invalid certificate or Java code will fail with following error message
Exception in thread “main” javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: CA key usage check failed: keyCertSign bit is not set
Solution is to download the intermediate certificate from the CA e.g. Verisign and GoDaddy and include it with the certificate. For instance in Apache you need to include SSLCertificateChainFile directive with the path to the intermediate certificate. On Cisco loadbalancer you would need to use following Cisco document. Specifically this directive
ACE-1/routed(config)# crypto chaingroup intermed-1
ACE-1/routed(config-chaingroup)# cert intermediate.pem
The chaingroup needs to be applied to the ssl-proxy service in addition to the already configured certificate and key.
ACE-1/routed(config)# ssl-proxy service proxy-1
ACE-1/routed(config-ssl-proxy)# chaingroup intermed-1
If you got your certificate from Verisign you can check whether you installed it properly here
You can always of course misconfigure things causing lots of time to be wasted. For instance on one occasion a well known managed hosting provider that was in charge of configuring the Cisco load balancer configured the load balancer as follows
crypto chaingroup some.domain.com
ssl-proxy service vip-126.96.36.199-ps
ssl advanced-options ssl-parameter-map-1
This is incorrect as the server certificate SHOULD NOT be included in the intermediate certificate chain. Otherwise the helpful Verisign test applet will complain with following message.
Two certificates were found with the same common name. The certificate installation checker cannot determine which is the correct certificate for the Web server. Remove the incorrect certificate and then test again.
Most browsers will work correctly however Java code will exhibit errors from the top of the article. Solution for the above problem is this
crypto chaingroup verisign-intermediate
Then included that chaingroup in the ssl-proxy directive. Once that was done the issue went away. Hope this saves someone some debugging time.