SA does not show the full certificate chain by default. We can customize the SSL configuration to enable this feature.

Below is the procedure to enable Security Analytics to serve up the full certificate chain,

1. edit /etc/httpd/conf.d/ssl.conf and uncomment the "SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt". 

From
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt 
to 
SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt 

2. Create the server-chain.crt file using a text editor:  vi /etc/pki/tls/certs/server-chain.crt 

3. Add the contents of the subCA.crt and rootCA.crt into the "server-chain.crt" file. 
# 
openssl x509 -text -in /etc/pki/tls/certs/rootCA.crt >> /etc/pki/tls/certs/server-chain.crt 
openssl x509 -text -in /etc/pki/tls/certs/subCA.crt >> /etc/pki/tls/certs/server-chain.crt 

4. Now verify the chain using openssl s_client -connect, 

# openssl s_client -connect 10.10.10.10:443 

CONNECTED(00000003) 
depth=2 /C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BCSI ROOT CA/[email protected] 
verify return:1 
depth=1 /C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BCSI SUBORDINATE CA/[email protected] 
verify return:1 
depth=0 /C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BC200-2048/[email protected] 
verify return:1 
--- 
Certificate chain 
0 s:/C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BC200-2048/[email protected] 
i:/C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BCSI SUBORDINATE CA/[email protected] 
1 s:/C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BCSI ROOT CA/[email protected] 
i:/C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BCSI ROOT CA/[email protected] 
2 s:/C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BCSI SUBORDINATE CA/[email protected] 
i:/C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BCSI ROOT CA/[email protected]