IBM Support

Error: "SSL certificate problem, verify that the CA cert is OK" when updating Security Network IPS

Technote (troubleshooting)


When updating the Security Network IPS (GX), it can fail with an error about an SSL certificate problem.


When applying an update on the GX, it can fail with the following message that is displayed in /var/log/messages:

Unable to download '/Proventia/G-Series/XPU_3_4.xml' from server ''. Reason: SSL certificate problem, verify that the CA cert is OK. Details: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed.

Resolving the problem

There have been issues in the past where the GX is not using the correct .crt file to verify the server certificate on Add the following advanced parameter to the update settings policy and try the update again:

Name: Update.certificate.file
String value: /etc/crm/msl-ca-bundle.crt


  • The fields above are case-sensitive. Enter them exactly as indicated.
  • Make sure that you do not leave any white spaces at the end of the lines or the parameter will not be accepted.

Document information

More support for: IBM Security Network Intrusion Prevention System

Software version: 4.6.1, 4.6.2

Operating system(s): Firmware

Reference #: 1612953

Modified date: 08 September 2015