Bug ID 586056: Machine cert checker doesn't work as expected if issuer or AltName is specified

Last Modified: Apr 10, 2019

Affected Product:
BIG-IP APM (all modules)

Known Affected Versions:
11.5.1, 11.5.1 HF1, 11.5.1 HF10, 11.5.1 HF11, 11.5.1 HF2, 11.5.1 HF3, 11.5.1 HF4, 11.5.1 HF5, 11.5.1 HF6, 11.5.1 HF7, 11.5.1 HF8, 11.5.1 HF9, 11.5.2, 11.5.2 HF1, 11.5.3, 11.5.3 HF1, 11.5.3 HF2, 11.5.4, 11.5.4 HF1

Fixed In:
11.5.4 HF2

Opened: Apr 07, 2016
Severity: 3-Major

Symptoms

The Windows Machine Cert checker doesn't work as expected if Issuer or AltName is specified. The user cannot pass the access policy even with a valid machine certificate. The client PC may produce log entries such as:

EXCEPTION - CCertCheckCtrl::Verify FindCertificateInStore failed with error code:

and

CCertCheckCtrl::Verify, Store name:"MY", Store location:"LocalMachine", Subject match FQDN:"1", Allow elevation UI:"0", Serial number(HEX):"", Issuer:"??????????????????????", SubjectAltName:""

Impact

The user may not pass the access policy as expected.

Conditions

The Issuer or Subject AltName fields are populated. The site was recently upgraded to 11.5.4.

Workaround

N/A

Fix Information

The Machine Cert checker now correctly processes the Issuer and SAN fields.

Behavior Change