Does Security Analytics serve up the full certificate chain?

Article ID: 168901

Products

Security Analytics

Issue/Introduction

SA does not show the full certificate chain by default. You can customize the SSL configuration to enable this feature.

Resolution

Below is the procedure to enable Security Analytics to serve up the full certificate chain:

1. Edit /etc/httpd/conf.d/ssl.conf and uncomment the line "SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt".

From:
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

to:
SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt


2. Create the server-chain.crt file using a text editor: vi /etc/pki/tls/certs/server-chain.crt

3. Append the contents of subCA.crt and rootCA.crt to the server-chain.crt file:

openssl x509 -text -in /etc/pki/tls/certs/rootCA.crt >> /etc/pki/tls/certs/server-chain.crt
openssl x509 -text -in /etc/pki/tls/certs/subCA.crt >> /etc/pki/tls/certs/server-chain.crt


4. Now verify the chain using openssl s_client -connect:

# openssl s_client -connect 10.10.10.10:443

CONNECTED(00000003)
depth=2 /C=XX/ST=XX/L=XX/O=EXAMPLE/OU=EXAMPLE/CN=EXAMPLE ROOT CA/emailAddress=root@localhost
verify return:1
depth=1 /C=XX/ST=XX/L=XX/O=EXAMPLE/OU=EXAMPLE/CN=EXAMPLE SUBORDINATE CA/emailAddress=root@localhost
verify return:1
depth=0 /C=XX/ST=XX/L=XX/O=EXAMPLE/OU=EXAMPLE/CN=EXAMPLE/emailAddress=root@localhost
verify return:1
---
Certificate chain
 0 s:/C=XX/ST=XX/L=XX/O=EXAMPLE/OU=EXAMPLE/CN=EXAMPLE/emailAddress=root@localhost
   i:/C=XX/ST=XX/L=XX/O=EXAMPLE/OU=EXAMPLE/CN=EXAMPLE SUBORDINATE CA/emailAddress=root@localhost
 1 s:/C=XX/ST=XX/L=XX/O=EXAMPLE/OU=EXAMPLE/CN=EXAMPLE ROOT CA/emailAddress=root@localhost
   i:/C=XX/ST=XX/L=XX/O=EXAMPLE/OU=EXAMPLE/CN=EXAMPLE ROOT CA/emailAddress=root@localhost
 2 s:/C=XX/ST=XX/L=XX/O=EXAMPLE/OU=EXAMPLE/CN=EXAMPLE SUBORDINATE CA/emailAddress=root@localhost
   i:/C=XX/ST=XX/L=XX/O=EXAMPLE/OU=EXAMPLE/CN=EXAMPLE ROOT CA/emailAddress=root@localhost
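Step 4 confirms that the server now sends the CA certificates, but not that it sends them in the order TLS clients expect: the output above presents the root CA (entry 1) before the subordinate CA (entry 2), which is the order step 3 appended them to server-chain.crt, and while openssl s_client still verifies it, clients that build the chain strictly in the order presented may reject it. The following script is an added example, not code from the article: it parses the "Certificate chain" section of openssl s_client output (a constructed, shortened copy of the output above is embedded) and reports every entry whose issuer is not the subject of the entry after it; appending subCA.crt before rootCA.crt in step 3 yields an empty report.

```python
import re

# Constructed sample: the "Certificate chain" section of the openssl s_client
# output from step 4 above, shortened to the fields that matter here.
SAMPLE_S_CLIENT_OUTPUT = """\
Certificate chain
0 s:/C=XX/O=EXAMPLE/CN=EXAMPLE
  i:/C=XX/O=EXAMPLE/CN=EXAMPLE SUBORDINATE CA
1 s:/C=XX/O=EXAMPLE/CN=EXAMPLE ROOT CA
  i:/C=XX/O=EXAMPLE/CN=EXAMPLE ROOT CA
2 s:/C=XX/O=EXAMPLE/CN=EXAMPLE SUBORDINATE CA
  i:/C=XX/O=EXAMPLE/CN=EXAMPLE ROOT CA
---
"""

SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.+)$")   # "0 s:/C=XX/..."
ISSUER_RE = re.compile(r"^\s*i:(.+)$")            # "  i:/C=XX/..."


def parse_chain(output: str) -> list[tuple[str, str]]:
    """Return (subject, issuer) pairs in the order the server presented them."""
    chain, subject, in_section = [], None, False
    for line in output.splitlines():
        if line.strip() == "Certificate chain":
            in_section = True
            continue
        if not in_section:
            continue
        if line.strip() == "---":           # section ends at the next separator
            break
        m = SUBJECT_RE.match(line)
        if m:
            subject = m.group(2).strip()
            continue
        m = ISSUER_RE.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain


def chain_order_problems(chain: list[tuple[str, str]]) -> list[str]:
    """Report each entry whose issuer is not the subject of the next entry (empty = in order)."""
    problems = []
    for n in range(len(chain) - 1):
        issuer, next_subject = chain[n][1], chain[n + 1][0]
        if issuer != next_subject:
            problems.append(f"entry {n} issued by '{issuer}', but entry {n + 1} is '{next_subject}'")
    return problems
```

Feed it the output of openssl s_client -connect 10.10.10.10:443 as in step 4; two reported problems mean the root and subordinate CA were swapped, as in the output above.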