Does Security Analytics serve up the full certificate chain?
Article ID: 168901
Updated On:
Products
Security Analytics
Issue/Introduction
SA does not show the full certificate chain by default. You can customize the SSL configuration to enable this feature.
Resolution
Below is the procedure to enable Security Analytics to serve up the full certificate chain,
- edit /etc/httpd/conf.d/ssl.conf and uncomment the "SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt".
From#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
toSSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt - Create the server-chain.crt file using a text editor:
vi /etc/pki/tls/certs/server-chain.crt - Add the contents of the subCA.crt and rootCA.crt into the "server-chain.crt" file.
#openssl x509 -text -in /etc/pki/tls/certs/rootCA.crt >> /etc/pki/tls/certs/server-chain.crtopenssl x509 -text -in /etc/pki/tls/certs/subCA.crt >> /etc/pki/tls/certs/server-chain.crt - Now verify the chain using openssl s_client -connect,
# openssl s_client -connect 10.10.10.10:443CONNECTED(00000003)depth=2 /C=XX/ST=XX/L=XX/O=EXAMPLE/OU=EXAMPLE/CN=EXAMPLE ROOT CA/emailAddress=root@localhostverify return:1depth=1 /C=XX/ST=XX/L=XX/O=EXAMPLE/OU=EXAMPLE/CN=EXAMPLE SUBORDINATE CA/emailAddress=root@localhostverify return:1depth=0 /C=XX/ST=XX/L=XX/O=EXAMPLE/OU=EXAMPLE/CN=EXAMPLE/emailAddress=root@localhostverify return:1---Certificate chain0 s:/C=XX/ST=XX/L=XX/O=EXAMPLE/OU=EXAMPLE/CN=EXAMPLE/emailAddress=root@localhosti:/C=XX/ST=XX/L=XX/O=EXAMPLE/OU=EXAMPLE/CN=EXAMPLE SUBORDINATE CA/emailAddress=root@localhost1 s:/C=XX/ST=XX/L=XX/O=EXAMPLE/OU=EXAMPLE/CN=EXAMPLE ROOT CA/emailAddress=root@localhosti:/C=XX/ST=XX/L=XX/O=EXAMPLE/OU=EXAMPLE/CN=EXAMPLE ROOT CA/emailAddress=root@localhost2 s:/C=XX/ST=XX/L=XX/O=EXAMPLE/OU=EXAMPLE/CN=EXAMPLE SUBORDINATE CA/emailAddress=root@localhosti:/C=XX/ST=XX/L=XX/O=EXAMPLE/OU=EXAMPLE/CN=EXAMPLE ROOT CA/emailAddress=root@localhost
Feedback
Yes
No
Powered by
