
Intermediate Certificate

Hi, 

I have an SSL cert signed by GlobalSign. It's correctly configured in my Apache configuration (cert, key and intermediate). I exported the certificate to the certificate storage of the firewall, but how can I use the intermediate certificate?

In some browsers I still get a certificate error depending on the missing intermediate cert in the cert chain.

Does anyone have an idea?

Thanks (hope my English was not too bad)!


  • This is the OpenSSL command to bundle it all together.

    openssl pkcs12 -export -out cert.pfx -inkey privatekey.key -in cert.crt -certfile intcacert.crt

    But it doesn't work.  I do not believe the UTM is sending the Intermediate CA cert.

  • That doesn't include the intermediate CA.  I do this on a Windows machine with the following (Don't use < or >!):

    OpenSSL-Win64\bin\openssl.exe pkcs12 -export -certfile <Root CA file> -certfile <Intermediate CA file> -in sub.domain.com.cer -inkey sub.domain.com.private.key -out sub.domain.com.p12

    Any better luck with that?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I couldn't get yours to work.  Not sure it liked the double -certfile commands.  However, when I upload the one I created to the UTM it does create the root and int CA so they are there.  I think the problem is when it's uploaded you end up with only the site cert in /var/sec/chroot-httpd/etc/httpd/WebAdminCert.pem with no Int or Root CA info.  I ended up creating my own WebAdminCert.pem file, uploaded it into /tmp using SCP, backed up the file that was there and copied mine over.  Then I ran: /etc/init.d/httpd restart 

    Now when I use https://www.digicert.com/help/ to test, the chain is all there.

    Robert
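
An added example, not written by any poster in this thread: a shell check for the situation described above, where a PEM file ends up holding only the site certificate. It counts the certificate blocks and checks that each certificate's issuer name matches the next certificate's subject name; it compares names only and does not verify signatures, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of the UTM or OpenSSL.

# Print how many certificate blocks a PEM file contains.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Print the Nth (1-based) certificate block, skipping keys and other blocks.
nth_cert() {
    awk -v n="$2" '
        /-----BEGIN CERTIFICATE-----/ { i++; on = 1 }
        on && i == n                  { print }
        /-----END CERTIFICATE-----/   { on = 0 }
    ' "$1"
}

# Print one DN field ("subject" or "issuer") of a certificate read from stdin.
dn() {
    openssl x509 -noout "-$1" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
}

# Return 0 if the file holds a leaf followed by its issuer(s) in order,
# 1 if it is leaf-only or the order is broken, 2 if it has no certificate.
check_chain() {
    total=$(count_certs "$1") || true
    case "$total" in
        ''|0) echo "no certificate found in $1"; return 2 ;;
        1)    echo "only one certificate: no intermediate in this file"; return 1 ;;
    esac
    n=1
    while [ "$n" -lt "$total" ]; do
        issuer=$(nth_cert "$1" "$n" | dn issuer)
        next=$(nth_cert "$1" $((n + 1)) | dn subject)
        if [ "$issuer" != "$next" ]; then
            echo "cert $n is issued by '$issuer' but cert $((n + 1)) is '$next'"
            return 1
        fi
        n=$((n + 1))
    done
    echo "$total certificates, each followed by its issuer"
    return 0
}

# Run against a file when one is given on the command line.
if [ "$#" -gt 0 ]; then check_chain "$1"; fi
```

Saved under a name of your choice, it takes the PEM file to inspect as its only argument, for example the `WebAdminCert.pem` path mentioned above.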

     

  • Hi Robert,

     

    May I know how you created your own file? Thanks!