Hi tetris,
did you find a solution for this? I have the same problem and the intermediate certificate is missing/not served by the WAF. I checked it with: www.ssllabs.com/ssltest
Here is also a thread about this topic (http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/2524138-astaroos-support-intermediate-cas).
Regards
Sebastian
This is the OpenSSL command to bundle it all together.
openssl pkcs12 -export -out cert.pfx -inkey privatekey.key -in cert.crt -certfile intcacert.crt
But it doesn't work. I do not believe the UTM is sending the Intermediate CA cert.
That doesn't include the intermediate CA. I do this on a Windows machine with the following (Don't use < or >!):
OpenSSL-Win64\bin\openssl.exe pkcs12 -export -certfile <Root CA file> -certfile <Intermediate CA file> -in sub.domain.com.cer -inkey sub.domain.com.private.key -out sub.domain.com.p12
Any better luck with that?
Cheers - Bob
I couldn't get yours to work. Not sure it liked the double -certfile commands. However, when I upload the one I created to the UTM it does create the root and int CA so they are there. I think the problem is when it's uploaded you end up with only the site cert in /var/sec/chroot-httpd/etc/httpd/WebAdminCert.pem with no Int or Root CA info. I ended up creating my own WebAdminCert.pem file, uploaded it into /tmp using SCP, backed up the file that was there and copied mine over. Then I ran: /etc/init.d/httpd restart
Now when I use https://www.digicert.com/help/ to test, the chain is all there.
Robert
Hi Robert,
May I know how you created your own file? Thanks!
In Windows, you can export a certificate with the private key and the certificate chain into a PKCS file, which is what UTM needs. If you cannot do this, you will have to construct one yourself.
Download the OpenSSL kit. The OpenSSL website provides only source code, but has links to other sites that provide pre-built install kits to use at your own risk.
This command should convert a PKCS#12 format file to a PEM (PKCS #7 text) file:
<path1>\openssl pkcs12 -in <path2>\<filename>.pfx -out c:\temp\<filename>.pem -nodes
Append all the .pem files into a single text file using your favorite text editor.
Then use this command to convert it back to PKCS#12 format:
<path1>\openssl pkcs12 -export -in <path2>\<filename>.pem -out <filename>_2.pfx
Then you can load the certificate chain into UTM.
I just updated my previous post to generalize it a little bit more.
OpenSSL is available for lots of platforms.
There may be a simple solution for Linux which does not use OpenSSL, but I cannot help in that respect.
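One way to check a bundle before uploading it, as an added example that is not from any poster in this thread: it builds a throwaway root, intermediate and leaf, exports one PKCS#12 without and one with the CA certificates, and counts what each file actually contains. The function names, subjects and the password are constructed for the example, and the CA certificates are concatenated into one file so that a single -certfile carries the whole chain.

```shell
#!/bin/sh
# Added example; every name, subject and password here is a constructed test value.

make_test_chain() {   # $1 = directory for a throwaway root, intermediate and leaf
  printf 'basicConstraints=critical,CA:TRUE\n' > "$1/ca.ext"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Test Root CA' \
    -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate CA' \
    -keyout "$1/int.key" -out "$1/int.csr" 2>/dev/null
  openssl x509 -req -in "$1/int.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
    -CAcreateserial -days 1 -extfile "$1/ca.ext" -out "$1/int.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=sub.domain.com' \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/int.crt" -CAkey "$1/int.key" \
    -CAcreateserial -days 1 -out "$1/leaf.crt" 2>/dev/null
}

# Export leaf + key into a PKCS#12 file. Any CA certificates listed after the
# password are concatenated into one file and passed with a single -certfile.
export_p12() {        # $1 leaf, $2 key, $3 out.p12, $4 password, $5... CA certs
  leaf=$1 key=$2 out=$3 pass=$4; shift 4
  if [ "$#" -gt 0 ]; then
    cat "$@" > "$out.chain.pem"
    openssl pkcs12 -export -in "$leaf" -inkey "$key" -certfile "$out.chain.pem" \
      -out "$out" -passout "pass:$pass"
  else
    openssl pkcs12 -export -in "$leaf" -inkey "$key" -out "$out" -passout "pass:$pass"
  fi
}

# Print the subject line of every certificate stored in a PKCS#12 file.
p12_subjects() {      # $1 p12, $2 password
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep '^subject'
}

# Count the certificates stored in a PKCS#12 file (3 = leaf + intermediate + root).
count_certs() {       # $1 p12, $2 password
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

work=$(mktemp -d)
make_test_chain "$work"
export_p12 "$work/leaf.crt" "$work/leaf.key" "$work/leaf-only.p12" test
export_p12 "$work/leaf.crt" "$work/leaf.key" "$work/full.p12" test "$work/int.crt" "$work/root.crt"
echo "leaf-only bundle: $(count_certs "$work/leaf-only.p12" test) certificate(s)"
echo "full bundle:      $(count_certs "$work/full.p12" test) certificate(s)"
p12_subjects "$work/full.p12" test
```

With a real private key, let openssl prompt for the export password instead of passing it as `pass:` on the command line, where it is visible in the process list.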