Michael_A__Fied
Aug 02, 2010

Using the Server SSL Profile with an intermediary CA

I have a distinct feeling that I am overlooking something straightforward and simple.

 

We are attempting to secure our back-end web traffic, and have set up the following:

 

  • ClientSSL profile "ServiceName" issued by RootCA
  • ServerSSL profile "TrustRootCA" is "defaults from serverssl", and the CA certificate "ca file rootca.crt"
  • Virtual Server has profile "ServiceName" and "TrustRootCA" attached to it.

    This is pretty straightforward, and typically works when the TargetNode (apache) has a certificate issued from RootCA as well.

     

    Where it seems to break is when the TargetNode has an Apache ssl profile issued by IntermediaryCA

     

  • IntermediaryCA has been issued a CA cert from RootCA
  • TargetNode has cert from IntermediaryCA

    Attempting to connect to the Virtual Server provides the following:

     

        SSL certificate problem, verify that the CA cert is OK. Details:
        error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
        * Closing connection 0
        curl: (60) SSL certificate problem, verify that the CA cert is OK. Details:
        error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

    I don't know if and where I should add the IntermediaryCA certificate and what setting needs to be changed.

    This is driving me up the wall.

     

  • hoolio
    Hi Michael,

     

     

    Have you tried appending the intermediate CA cert to the CA cert file for the server SSL profile? If not, I'd try that.

     

     

    Aaron
  • Not sure if this is the answer you are looking for. To insert the intermediate CA, you can go to the profiles, ssl, choose the client | server certificate and choose advanced.

     

    In that you can add intermediate-ca to the trusted certificate authorities and press update.
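
What appending the intermediate CA certificate to the CA file changes for chain validation, shown as an added example that is not part of the original thread. It uses plain `openssl` with a throwaway PKI rather than a BIG-IP, assumes the back-end node presents only its own certificate, and all file and subject names are constructed.

```shell
#!/bin/sh
# Constructed demo PKI: RootCA -> IntermediaryCA -> node certificate.
# File names and subject names are made up; nothing here is BIG-IP specific.

new_csr() {  # new_csr <dir> <name> <CN>: fresh key plus signing request
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
}

build_pki() {  # build_pki <dir>
    d=$1
    # Extensions that mark a certificate as a CA
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    new_csr "$d" root "Demo RootCA" &&
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/rootca.crt" 2>/dev/null &&
    new_csr "$d" intermediate "Demo IntermediaryCA" &&
    openssl x509 -req -in "$d/intermediate.csr" -CA "$d/rootca.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/intermediate.crt" 2>/dev/null &&
    new_csr "$d" node "targetnode.example" &&
    openssl x509 -req -in "$d/node.csr" -CA "$d/intermediate.crt" -CAkey "$d/intermediate.key" \
        -CAcreateserial -days 2 -out "$d/node.crt" 2>/dev/null
}

verify_node() {  # verify_node <CA file> <cert>: prints OK or FAIL
    out=$(openssl verify -CAfile "$1" "$2" 2>&1) || true
    case $out in *": OK"*) echo OK ;; *) echo FAIL ;; esac
}

make_bundle() {  # make_bundle <dir>: root followed by intermediate, one PEM file
    cat "$1/rootca.crt" "$1/intermediate.crt" > "$1/ca-bundle.crt"
}

demo_dir=$(mktemp -d)
build_pki "$demo_dir" && make_bundle "$demo_dir"
# Node sends only its own certificate, verifier trusts RootCA alone
echo "CA file = rootca.crt:    $(verify_node "$demo_dir/rootca.crt" "$demo_dir/node.crt")"
# Same node certificate, CA file now also carries the intermediate
echo "CA file = ca-bundle.crt: $(verify_node "$demo_dir/ca-bundle.crt" "$demo_dir/node.crt")"
```

With only the root in the CA file the verifier cannot find the issuer of the node certificate; once the intermediate is in the same PEM file the path node, IntermediaryCA, RootCA can be built.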