
Does Security Analytics serve up the full certificate chain?


Article ID: 168901


Products

Security Analytics

Issue/Introduction

Security Analytics (SA) does not serve the full certificate chain by default. The SSL configuration can be customized to enable this.

Resolution

Follow this procedure to enable Security Analytics to serve the full certificate chain:

1. Edit /etc/httpd/conf.d/ssl.conf and uncomment the "SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt" line.

From
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt 
to 
SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt 


2. Create the server-chain.crt file using a text editor:  vi /etc/pki/tls/certs/server-chain.crt 

3. Add the contents of the subCA.crt and rootCA.crt into the "server-chain.crt" file. 

openssl x509 -text -in /etc/pki/tls/certs/rootCA.crt >> /etc/pki/tls/certs/server-chain.crt 
openssl x509 -text -in /etc/pki/tls/certs/subCA.crt >> /etc/pki/tls/certs/server-chain.crt 


4. Verify the chain using openssl s_client -connect:

# openssl s_client -connect 10.10.10.10:443 

CONNECTED(00000003) 
depth=2 /C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BCSI ROOT CA/[email protected] 
verify return:1 
depth=1 /C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BCSI SUBORDINATE CA/[email protected] 
verify return:1 
depth=0 /C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BC200-2048/[email protected] 
verify return:1 
--- 
Certificate chain 
0 s:/C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BC200-2048/[email protected] 
i:/C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BCSI SUBORDINATE CA/[email protected] 
1 s:/C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BCSI ROOT CA/[email protected] 
i:/C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BCSI ROOT CA/[email protected] 
2 s:/C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BCSI SUBORDINATE CA/[email protected] 
i:/C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BCSI ROOT CA/[email protected]
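
The following is an added example, not part of the original article or the product: a small Python check that reads the "Certificate chain" block of openssl s_client output and reports any certificate that is not issued by the one listed after it, which is the leaf-first order the TLS specification describes. The sample text and its distinguished names are constructed, and list the root before the subordinate CA as in the output above.

```python
import re

# Constructed s_client excerpt (hypothetical DNs), same ordering as the article's output.
SAMPLE = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/O=Example/CN=sa.example.test
   i:/O=Example/CN=Example Subordinate CA
 1 s:/O=Example/CN=Example Root CA
   i:/O=Example/CN=Example Root CA
 2 s:/O=Example/CN=Example Subordinate CA
   i:/O=Example/CN=Example Root CA
---
Server certificate
"""

def parse_chain(output):
    """Return [(index, subject, issuer), ...] from the 'Certificate chain' block."""
    chain, in_block = [], False
    for line in (raw.strip() for raw in output.splitlines()):
        if line == "Certificate chain":
            in_block = True
        elif in_block and line == "---":
            break  # end of the chain listing
        elif in_block:
            m = re.match(r"(\d+)\s+s:(.*)", line)
            if m:
                chain.append([int(m.group(1)), m.group(2).strip(), ""])
            elif line.startswith("i:") and chain:
                chain[-1][2] = line[2:].strip()
    return [tuple(entry) for entry in chain]

def check_order(chain):
    """List findings; empty means every certificate is issued by the one after it."""
    findings = []
    if len(chain) < 2:
        findings.append("no intermediate certificates were served")
    for (idx, _, issuer), (nxt, nxt_subject, _) in zip(chain, chain[1:]):
        if issuer != nxt_subject:
            findings.append(f"cert {idx} is not issued by cert {nxt}")
    return findings

if __name__ == "__main__":
    for finding in check_order(parse_chain(SAMPLE)) or ["chain is in leaf-first order"]:
        print(finding)
```

To check a live server, pass the captured text of the s_client command from step 4 to parse_chain in place of SAMPLE.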