
Does Security Analytics serve up the full certificate chain?


Article ID: 168901


Updated On:


Security Analytics


Security Analytics (SA) does not serve the full certificate chain by default. The SSL configuration can be customized to enable this.


Below is the procedure to enable Security Analytics to serve up the full certificate chain:

1. Edit /etc/httpd/conf.d/ssl.conf and uncomment the line "SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt" (shown below commented, then uncommented):

#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt 
SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt 

2. Create the server-chain.crt file using a text editor:  vi /etc/pki/tls/certs/server-chain.crt 

3. Append the contents of subCA.crt and rootCA.crt to the "server-chain.crt" file:

openssl x509 -text -in /etc/pki/tls/certs/rootCA.crt >> /etc/pki/tls/certs/server-chain.crt 
openssl x509 -text -in /etc/pki/tls/certs/subCA.crt >> /etc/pki/tls/certs/server-chain.crt 

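4. Now verify the chain using openssl s_client -connect. The output should list the server certificate followed by the CA certificates from server-chain.crt: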

# openssl s_client -connect 

depth=2 /C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BCSI ROOT CA/[email protected] 
verify return:1 
depth=1 /C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BCSI SUBORDINATE CA/[email protected] 
verify return:1 
depth=0 /C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BC200-2048/[email protected] 
verify return:1 
Certificate chain 
0 s:/C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BC200-2048/[email protected] 
i:/C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BCSI SUBORDINATE CA/[email protected] 
1 s:/C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BCSI ROOT CA/[email protected] 
i:/C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BCSI ROOT CA/[email protected] 
2 s:/C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BCSI SUBORDINATE CA/[email protected] 
i:/C=MY/ST=FT/L=KL/O=BCSI/OU=3340/CN=BCSI ROOT CA/[email protected]
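
A scripted version of the check in step 4, as an added example that is not part of the original article or the product: the function reads openssl s_client output on stdin and reports whether the served certificates link the server certificate to a self-signed root, in whatever order they were sent. The function names and the sample certificate names are made up for illustration.

```sh
#!/bin/sh
# Added example (not vendor code). Usage, with HOST:PORT as a placeholder:
#   openssl s_client -connect HOST:PORT </dev/null 2>/dev/null | check_served_chain
check_served_chain() {
  awk '
    /^Certificate chain/ { in_chain = 1; next }
    in_chain && /^---/   { in_chain = 0 }
    in_chain && /^ *[0-9]+ s:/ {            # "N s:<subject>"
      idx = $1 + 0
      line = $0; sub(/^ *[0-9]+ s:/, "", line); sub(/[ \t\r]+$/, "", line)
      subj[idx] = line; by_subject[line] = idx; n++
      next
    }
    in_chain && /^ *i:/ {                   # "i:<issuer>" of the same entry
      line = $0; sub(/^ *i:/, "", line); sub(/[ \t\r]+$/, "", line)
      issuer[idx] = line
    }
    END {
      if (n == 0) { print "certs=0 path=none"; exit 2 }
      cur = 0                               # entry 0 is the server certificate
      for (hops = 0; hops < n; hops++) {
        if (issuer[cur] == subj[cur]) {     # self-signed: reached the root
          print "certs=" n " path=complete"; exit 0
        }
        if (!(issuer[cur] in by_subject)) { # issuer was not served
          print "certs=" n " path=incomplete missing=" issuer[cur]; exit 1
        }
        cur = by_subject[issuer[cur]]
      }
      print "certs=" n " path=loop"; exit 1
    }'
}

# Constructed sample output (made-up names): leaf, root, then intermediate.
sample_full_chain() {
  cat <<'EOF'
CONNECTED(00000003)
---
Certificate chain
 0 s:/O=Example/CN=sa.example.test
   i:/O=Example/CN=Example Sub CA
 1 s:/O=Example/CN=Example Root CA
   i:/O=Example/CN=Example Root CA
 2 s:/O=Example/CN=Example Sub CA
   i:/O=Example/CN=Example Root CA
---
Server certificate
EOF
}
```

The function compares subject and issuer names only; signature validation is still the job of the "verify return" lines that openssl prints.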