Below is the procedure to enable Security Analytics to serve up the full certificate chain:

1. Edit /etc/httpd/conf.d/ssl.conf and uncomment the "SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt" line. From
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
to
SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt

2. Create the server-chain.crt file using a text editor:
vi /etc/pki/tls/certs/server-chain.crt

3. Add the contents of the subCA.crt and rootCA.crt into the "server-chain.crt" file.
# openssl x509 -text -in /etc/pki/tls/certs/rootCA.crt >> /etc/pki/tls/certs/server-chain.crt
# openssl x509 -text -in /etc/pki/tls/certs/subCA.crt >> /etc/pki/tls/certs/server-chain.crt

4. Now verify the chain using openssl s_client -connect:
# openssl s_client -connect 10.10.10.10:443
CONNECTED(00000003)
depth=2 /C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BCSI ROOT CA/[email protected]
verify return:1
depth=1 /C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BCSI SUBORDINATE CA/[email protected]
verify return:1
depth=0 /C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BC200-2048/[email protected]
verify return:1
---
Certificate chain
0 s:/C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BC200-2048/[email protected]
i:/C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BCSI SUBORDINATE CA/[email protected]
1 s:/C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BCSI ROOT CA/[email protected]
i:/C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BCSI ROOT CA/[email protected]
2 s:/C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BCSI SUBORDINATE CA/[email protected]
i:/C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BCSI ROOT CA/[email protected]
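
The check in step 4 can be scripted. The following is an added example, not part of the original procedure: the function name chain_report and the sample distinguished names are constructed for illustration, and the sample mirrors the order that step 3 produces (root appended before subordinate CA).

```shell
#!/bin/sh
# Added example: summarise the "Certificate chain" section of
# `openssl s_client` output read from stdin.
#   complete = every issuer (i:) also appears as a subject (s:) in the
#              served chain, so the chain runs up to a self-signed root
#   ordered  = each certificate is followed directly by its issuer
chain_report() {
  awk '
    BEGIN { n = 0 }
    /^Certificate chain/ { in_chain = 1; next }
    in_chain && /^---/   { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/ { sub(/^ *[0-9]+ s:/, ""); subj[n] = $0; seen[$0] = 1; next }
    in_chain && /^ *i:/        { sub(/^ *i:/, ""); iss[n++] = $0 }
    END {
      complete = (n > 0); ordered = 1
      for (k = 0; k < n; k++) {
        if (!(iss[k] in seen)) complete = 0
        if (k + 1 < n && iss[k] != subj[k + 1]) ordered = 0
      }
      c = complete ? "complete" : "incomplete"
      o = ordered ? "ordered" : "unordered"
      print c, o
    }'
}

# Constructed sample output (hypothetical names), same layout as step 4.
sample_s_client_output() {
cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/O=Example/CN=server.example.test
   i:/O=Example/CN=Example Subordinate CA
 1 s:/O=Example/CN=Example Root CA
   i:/O=Example/CN=Example Root CA
 2 s:/O=Example/CN=Example Subordinate CA
   i:/O=Example/CN=Example Root CA
---
EOF
}

# Live use: openssl s_client -connect 10.10.10.10:443 </dev/null 2>/dev/null | chain_report
sample_s_client_output | chain_report
```

"complete" confirms that the server now sends every issuer up to the root. "unordered" means a certificate is not followed directly by its issuer, which OpenSSL tolerates (verify return:1 above) but some TLS clients expect.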