topic Re: FPolicy server-auth mode failing when using third party CA signed certificates. in Software Development Kit (SDK) and API Discussions

FPolicy server-auth mode failing when using third party CA signed certificates.

Anshul — Wed, 04 Jun 2025 10:22:11 GMT

For Cluster Mode NetApp
FPolicy server-auth mode failing when using third party CA signed certificates.

Fpolicy server is getting "tlsv1 alert unknown ca" error while doing SSL handshaking with FPolicy client.

We have installed public certificate of certificate authority (CA) that is used to sign the FPolicy server certificate on SVM using following command:
> security certificate install -type client-ca -vserver <vserver name>

Configured external-engine in FPolicy to enable server-auth mode:

> vserver fpolicy policy external-engine show -vserver <vserver name> -engine-name <engine name>

Vserver: <vserver name>
Engine: <engine name>
Primary FPolicy Servers: <server ip>
Port Number of FPolicy Service: <server port number>
Secondary FPolicy Servers: -
External Engine Type: asynchronous
SSL Option for External Communication: server-auth
FQDN or Custom Common Name: -
Serial Number of Certificate: -
Certificate Authority: -
Is Resiliency Feature Enabled: false
Maximum Notification Retention Duration: 3m
Directory for Notification Storage: -

In FPolicy server we are using certificate file to initialize SSL server in following format:

The certificates must be in PEM format and must be sorted starting with the subject's certificate (actual server certificate), followed by intermediate CA certificates if applicable, and ending at the highest level (root) CA.
We are also using certificate's key file for initialize SSL server.

Now when we got FPolicy client connection in FPolicy server we are trying to do SSL handshaking and getting following error and SSL handshake failed:
"error:14094418:SSL routines:ssl3_read_bytes:tlsv1 alert unknown ca".

Note: we are using OpenSSL library API for SSL handshaking.

Also, same issue produces when we use OpenSSL server tool as FPolicy Server.

Our Fpolicy Server can handshake and have the cert chain validated with the OpenSSL client tool. NetApp SVM doesn't work with an OpenSSL server tool using the same certs.

Does anybody let us know where we are going wrong, what are the correct steps for FPolicy SSL communication using third party CA signed certificate. How to resolve this error/issue?

Re: FPolicy server-auth mode failing when using third party CA signed certificates.

GidonMarcus — Thu, 10 Jun 2021 21:58:23 GMT

is it not server-ca you need to install it for?

"server-ca - includes the public key certificate for the root CA of the SSL server to which Data ONTAP is a client"

http://docs.netapp.com/ontap-9/topic/com.netapp.doc.dot-cm-cmpr-991/security__certificate__install.html

Re: FPolicy server-auth mode failing when using third party CA signed certificates.

Anshul — Fri, 11 Jun 2021 03:33:38 GMT

The "vserver fpolicy policy external-engine create" doc mentioned below says to use "client-ca".
Although, We have tried it with "server-ca" and it is failing with same error.

https://docs.netapp.com/ontap-9/index.jsp?topic=%2Fcom.netapp.doc.dot-cm-cmpr-980%2Fvserver__fpolicy__policy__external-engine__create.html

server-auth : When set to server-auth, only the FPolicy server is authenticated by the Vserver. With this option, before creating the FPolicy external engine, the administrator must install the public certificate of the certificate authority (CA) that signed the FPolicy server certificate.

The public certificate of certificate authority (CA) that is used to sign the FPolicy server certificate is installed using the security certificate install command with -type set to client_ca.

Re: FPolicy server-auth mode failing when using third party CA signed certificates.

Anshul — Fri, 11 Jun 2021 13:30:41 GMT

These are the error on NetApp for Fpolicy SSL handshake failure, if it can help understand this issue:

These error log are from command
> event log show

And for more detail on this issue:-

Same SSL certs are working when
SSL Server : our Fpolicy Server
SSL Client : openssl s_client tool

and same SSL certs NOT working when

1> SSL Server : our Fpolicy Server
SSL Client : NetApp FPolicy

2> SSL Server : openssl s_server tool
SSL Client : NetApp FPolicy

Re: FPolicy server-auth mode failing when using third party CA signed certificates.

Jared1 — Tue, 02 Nov 2021 16:57:02 GMT

Did you ever get this working? we are experiencing the exact same problem with the exact outcome as your testing.

Re: FPolicy server-auth mode failing when using third party CA signed certificates.

Anshul — Thu, 25 Nov 2021 08:57:49 GMT

NetApp does not support intermediate certificates chain in this case.