Hi tetris,
did you find a solution for this? I have the same problem and the intermediate certificate is missing/not served by the WAF. I checked it with: www.ssllabs.com/ssltest
Here is also a thread about this topic (http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/2524138-astaroos-support-intermediate-cas).
Regards
Sebastian
This is the OpenSSL command to bundle it all together.
openssl pkcs12 -export -out cert.pfx -inkey privatekey.key -in cert.crt -certfile intcacert.crt
But it doesn't work. I do not believe the UTM is sending the Intermediate CA cert.
That doesn't include the intermediate CA. I do this on a Windows machine with the following (Don't use < or >!):
OpenSSL-Win64\bin\openssl.exe pkcs12 -export -in -certfile <Root CA file> -certfile <Intermediate CA file> sub.domain.com.cer -inkey sub.domain.com.private.key -out sub.domain.com.p12
Any better luck with that?
Cheers - Bob
I couldn't get yours to work. Not sure it liked the double -certfile commands. However, when I upload the one I created to the UTM it does create the root and int CA so they are there. I think the problem is when it's uploaded you end up with only the site cert in /var/sec/chroot-httpd/etc/httpd/WebAdminCert.pem with no Int or Root CA info. I ended up creating my own WebAdminCert.pem file, uploaded it into /tmp using SCP, backed up the file that was there and copied mine over. Then I ran: /etc/init.d/httpd restart
Now when I use https://www.digicert.com/help/ to test, the chain is all there.
Robert
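Added example, not part of the thread and not Sophos/Astaro code: a local check that a PEM bundle actually contains the intermediate after the site certificate, which is the failure described in the post above. It assumes the served file is plain concatenated PEM with the site certificate first; the function names and the demo certificate names are made up for illustration, and the check compares issuer and subject names only, not signatures.

```shell
#!/bin/sh
# Added example. Assumption: the bundle is plain concatenated PEM, leaf first.
# All names and files below are constructed for the demonstration.

# count_certs FILE: number of certificates in a PEM bundle
count_certs() {
    awk '/-----BEGIN CERTIFICATE-----/ {n++} END {print n+0}' "$1"
}

# chain_is_linked FILE: succeeds only if the bundle holds at least leaf +
# intermediate and every certificate is issued by the one that follows it.
chain_is_linked() {
    tmp=$(mktemp -d) || return 2
    # One file per certificate: cert1.pem (leaf), cert2.pem, ...
    awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ {n++}
        n {print > (d "/cert" n ".pem")}' "$1"
    n=$(count_certs "$1"); i=1; rc=0
    [ "$n" -ge 2 ] || rc=1    # leaf only: clients get no intermediate
    while [ "$i" -lt "$n" ]; do
        iss=$(openssl x509 -in "$tmp/cert$i.pem" -noout -issuer_hash)
        sub=$(openssl x509 -in "$tmp/cert$((i + 1)).pem" -noout -subject_hash)
        [ -n "$iss" ] && [ "$iss" = "$sub" ] || rc=1
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return "$rc"
}

# make_demo_chain DIR: throwaway root -> intermediate -> leaf for testing
make_demo_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Demo Root CA' \
        -keyout "$1/root.key" -out "$1/root.crt" 2>/dev/null || return 1
    set -- "$1" int 'Demo Intermediate CA' root leaf sub.domain.com int
    dir=$1; shift
    while [ $# -ge 3 ]; do    # triples: NAME, CN, SIGNER
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
            -keyout "$dir/$1.key" -out "$dir/$1.csr" 2>/dev/null &&
        openssl x509 -req -in "$dir/$1.csr" -CA "$dir/$3.crt" -CAkey "$dir/$3.key" \
            -set_serial 1 -days 1 -out "$dir/$1.crt" 2>/dev/null || return 1
        shift 3
    done
}
```

Run chain_is_linked against the bundle before copying it into place; a non-zero exit means the file is leaf-only or the certificates are out of order.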
Hi Robert,
May I know how you created your own file? Thanks!