This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Intermediate Certificate

Hi,

i have a SSL Cert signed by Globalsign. Its correctly configured in my apache configuration (cert, key and intermediate). I exported the certificate to the certificate storage of the firewall but how can i use the intermediate certificate?

In some browsers i still get a certificate error depending on the missing intermediate cert in cert chain.

Anyone an idea?

Thanks (hope my english was not to bad)!

This thread was automatically locked due to age.

Parents

0 tetris over 11 years ago

Not yet... i was looking for the configuration to build a cert chain...

How can the appliance know what to do with the uploaded cert in the storage?...
Cancel
Vote Up 0 Vote Down

Cancel
0 seroal over 7 years ago in reply to tetris

Hi tetris,

did you find a solution for this? I have the same problem and the intermediate certificate is missing/not served by the WAF. I checked it with: www.ssllabs.com/ssltest

Here also a thread about this topic (http://feature.astaro.com/forums/17359-utm-formerly-asg-feature-requests/suggestions/2524138-astaroos-support-intermediate-cas).

Regards

Sebastian
Cancel
Vote Up 0 Vote Down

Cancel
0 Robert Yount over 7 years ago in reply to seroal

This is the OpenSSL command to bundle it all together.

openssl pkcs12 -export -out cert.pfx -inkey privatekey.key -in cert.crt -certfile intcacert.crt

But it doesn't work. I do not believe the UTM is sending the Intermediate CA cert.
Cancel
Vote Up 0 Vote Down

Cancel
0 BAlfson over 7 years ago in reply to Robert Yount

That doesn't include the intermediate CA. I do this on a Windows machine with the following (Don't use < or >!):

OpenSSL-Win64\bin\openssl.exe pkcs12 -export -in -certfile <Root CA file> -certfile <Intermediate CA file> sub.domain.com.cer -inkey sub.domain.com.private.key -out sub.domain.com.p12

Any better luck with that?

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 Robert Yount over 7 years ago in reply to BAlfson

I couldn't get yours to work. Not sure it liked the double -certfile commands. However, when I upload the one I created to the UTM it does create the root and int CA so they are there. I think the problem is when it's uploaded you end up with only the site cert in /var/sec/chroot-httpd/etc/httpd/WebAdminCert.pem with no Int or Root CA info. I ended up creating my own WebAdminCert.pem file, uploaded it into /tmp using SCP, backed up the file that was there and copied mine over. Then I ran: /etc/init.d/httpd restart

Now when I use https://www.digicert.com/help/ to test the chain is all there.

Robert
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Robert Yount over 7 years ago in reply to BAlfson

I couldn't get yours to work. Not sure it liked the double -certfile commands. However, when I upload the one I created to the UTM it does create the root and int CA so they are there. I think the problem is when it's uploaded you end up with only the site cert in /var/sec/chroot-httpd/etc/httpd/WebAdminCert.pem with no Int or Root CA info. I ended up creating my own WebAdminCert.pem file, uploaded it into /tmp using SCP, backed up the file that was there and copied mine over. Then I ran: /etc/init.d/httpd restart

Now when I use https://www.digicert.com/help/ to test the chain is all there.

Robert
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 KM Gonzalez over 5 years ago in reply to Robert Yount

Hi Robert,

May I know how did you created your own file? Thanks!
Cancel
Vote Up 0 Vote Down

Cancel