Does Security Analytics serve up the full certificate chain?
Article ID: 168901
Updated On:
Products
Security Analytics
Issue/Introduction
SA does not show the full certificate chain by default. We can customize the SSL configuration to enable this feature.
Resolution
Below is the procedure to enable Security Analytics to serve up the full certificate chain,
1. edit /etc/httpd/conf.d/ssl.conf and uncomment the "SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt".
From
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
to
SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
2. Create the server-chain.crt file using a text editor: vi /etc/pki/tls/certs/server-chain.crt
3. Add the contents of the subCA.crt and rootCA.crt into the "server-chain.crt" file.
#
openssl x509 -text -in /etc/pki/tls/certs/rootCA.crt >> /etc/pki/tls/certs/server-chain.crt
openssl x509 -text -in /etc/pki/tls/certs/subCA.crt >> /etc/pki/tls/certs/server-chain.crt
4. Now verify the chain using openssl s_client -connect,
# openssl s_client -connect 10.10.10.10:443
CONNECTED(00000003)
depth=2 /C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BCSI ROOT CA/[email protected]
verify return:1
depth=1 /C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BCSI SUBORDINATE CA/[email protected]
verify return:1
depth=0 /C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BC200-2048/[email protected]
verify return:1
---
Certificate chain
0 s:/C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BC200-2048/[email protected]
i:/C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BCSI SUBORDINATE CA/[email protected]
1 s:/C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BCSI ROOT CA/[email protected]
i:/C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BCSI ROOT CA/[email protected]
2 s:/C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BCSI SUBORDINATE CA/[email protected]
i:/C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BCSI ROOT CA/[email protected]
1. edit /etc/httpd/conf.d/ssl.conf and uncomment the "SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt".
From
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
to
SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
2. Create the server-chain.crt file using a text editor: vi /etc/pki/tls/certs/server-chain.crt
3. Add the contents of the subCA.crt and rootCA.crt into the "server-chain.crt" file.
#
openssl x509 -text -in /etc/pki/tls/certs/rootCA.crt >> /etc/pki/tls/certs/server-chain.crt
openssl x509 -text -in /etc/pki/tls/certs/subCA.crt >> /etc/pki/tls/certs/server-chain.crt
4. Now verify the chain using openssl s_client -connect,
# openssl s_client -connect 10.10.10.10:443
CONNECTED(00000003)
depth=2 /C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BCSI ROOT CA/[email protected]
verify return:1
depth=1 /C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BCSI SUBORDINATE CA/[email protected]
verify return:1
depth=0 /C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BC200-2048/[email protected]
verify return:1
---
Certificate chain
0 s:/C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BC200-2048/[email protected]
i:/C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BCSI SUBORDINATE CA/[email protected]
1 s:/C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BCSI ROOT CA/[email protected]
i:/C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BCSI ROOT CA/[email protected]
2 s:/C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BCSI SUBORDINATE CA/[email protected]
i:/C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BCSI ROOT CA/[email protected]
Feedback
Yes
No
Powered by
