
I'm connecting to a host that requires a client certificate. Is the below failure rejecting my client certificate or does it mean Chilkat is rejecting the remote server's certificate?


    DllDate: Dec 30 2015
    UnlockPrefix: NTHttp
    Architecture: Little Endian; 64-bit
    Language: Linux Perl
    VerboseLogging: 0
    domain: mysite.com
    port: 443
                    level: fatal
                    descrip: unknown certificate authority
                Aborting handshake because of fatal alert.
          Client handshake failed. (3)
        ConnectFailReason: 109

asked Jan 18 '16 at 09:13



descrip: unknown certificate authority

The signer of the certificate cannot be validated on your system. Either the server has a self-signed certificate or your system doesn't have the latest server authorities available to it.


answered Jan 18 '16 at 09:42



Thanks for your reply.

The part I'm not clear on is if my client certificate has the problem, or if it's the remote server certificate that has the 'unknown certificate authority'.

(Jan 18 '16 at 12:04) titan

The client is unable to verify the authority of the certificate provider. This means the client doesn't have the certificate in its local store that the server's certificate was authorized through.

Which still leaves you without a clear answer. If the server was self-signed, you will never get the correct certificate into the local machine unless you specifically download it and add it. If the server and the client are internal, you should be okay to do this. If you are accessing an external server, this is a security risk.

It may be the client hasn't been updated with public authorities.

(Jan 18 '16 at 12:23) TracyP

The GetServerSslCert method is for retrieving the server's SSL/TLS certificate. There shouldn't be a need to use a client-certificate for this purpose.

What GetServerSslCert does is to simply make a connection to the domain/port specified, and to complete the TLS handshake. Part of the TLS handshake involves the server sending its certificate to the client. If you set a client-side certificate, then Chilkat will include the client-side certificate in the TLS handshake. (But there's really no need for that in this case.) Chilkat does it, and the server examines the client certificate and doesn't like it because it doesn't know about the certificate authority, and this causes the server (or this particular server) to issue a TLS Abort message to abort the TLS handshake.

The solution for GetServerSslCert is to omit setting the client-side certificate for that call. If your app then needs to send a POST, GET, or whatever where the client cert is needed for authentication (i.e. two-way SSL/TLS), then you'll have to first sort out the problem with the fact that your cert's root is not recognized by the server. If your cert was a self-signed certificate, then the only solution is to get a cert from a cert authority.


answered Jan 18 '16 at 12:58


chilkat ♦♦

Thanks Chilkat. I was trying to use GetServerSSLCert for debugging purposes, but I get the same results from $http->SynchronousRequest().

descrip: unknown certificate authority

I'm not understanding if that is the remote server rejecting my client certificate, or Chilkat rejecting the server's cert.

(Jan 18 '16 at 13:07) titan

The remote server is rejecting your client certificate.


answered Jan 18 '16 at 13:10


chilkat ♦♦


(Jan 18 '16 at 13:14) titan
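
Added example, not part of the original thread and not Chilkat code: in TLS, a certificate alert such as `unknown_ca` is sent by the side that could not validate its peer's certificate, so the direction of the alert answers the question asked above. This Python code parses a plaintext alert record (for instance, taken from a packet capture) and reports which side rejected which certificate; the function names and sample bytes are constructed for illustration, and it assumes the alert is unencrypted, as it is during a TLS 1.2 handshake.

```python
import struct

# Certificate-related AlertDescription codes from RFC 5246, section 7.2.
CERT_ALERTS = {
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}
LEVELS = {1: "warning", 2: "fatal"}


def parse_alert(record: bytes):
    """Parse one plaintext TLS alert record; return (level name, description code)."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, _version, length = struct.unpack("!BHH", record[:5])
    if ctype != 21:  # 21 = alert content type
        raise ValueError(f"not an alert record (content type {ctype})")
    body = record[5:5 + length]
    if length != 2 or len(body) != 2:
        raise ValueError("alert body is encrypted or truncated")
    level, desc = body
    if level not in LEVELS:
        raise ValueError(f"unknown alert level {level}")
    return LEVELS[level], desc


def who_rejected(direction: str, record: bytes) -> str:
    """direction is 'received' or 'sent', from the client's point of view."""
    if direction not in ("received", "sent"):
        raise ValueError("direction must be 'received' or 'sent'")
    level, desc = parse_alert(record)
    name = CERT_ALERTS.get(desc)
    if name is None:
        return f"{level} alert {desc}: not a certificate alert"
    if direction == "received":
        return f"server rejected the client certificate ({name})"
    return f"client rejected the server certificate ({name})"


# Constructed sample: TLS 1.2 alert record, level fatal (2), unknown_ca (48).
SAMPLE = bytes.fromhex("15030300020230")

if __name__ == "__main__":
    print(who_rejected("received", SAMPLE))
    print(who_rejected("sent", SAMPLE))
```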

Asked: Jan 18 '16 at 09:13

Seen: 1,558 times

Last updated: Jan 18 '16 at 13:14
