Hi all ...
For Unix-like devices, is it sufficient to simply place the CA's root certificate in mgsft_rollout_cert (pre-install) / cert.pem (post-install), or do you also have to include the intermediate CA certificates used in the chain leading up to the CA's root?
The reason I ask is that I see both documented:
Which is it - root CA certificate only, or the root CA with any intermediate certificates that signed the root CA? I have an agent unable to upload its inventory and I'm pretty sure it's because a CA certificate is missing (I see "Download failure: OpenSSL error 0xFC14: unable to get local issuer certificate." in the tracker.log).
--Mark
Aug 22, 2022 01:09 PM - last edited on Aug 23, 2022 09:26 PM by ChrisG
I believe only one certificate in the certification path needs to be configured in the cert.pem file. In practice, this will often be the certificate of the root CA; but I don't see any reason why it couldn't also be the certificate of a lower level CA.
Once a CA is trusted based on the certificate details configured in the cert.pem, any certificates that have been signed by that CA (i.e. that appear lower down in the certification path) should also be trusted - the lower level certificates don't need to be explicitly specified in the cert.pem file.
Aug 23, 2022 09:34 PM
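The trust-anchor behaviour described in the answer above, shown as an added example that is not part of this thread and not the FlexNet agent's own code: a small Go program (standard library only) that builds a constructed root -> intermediate -> server certificate chain and then checks the server certificate under different "cert.pem" contents. The CA names and the host name inventory.example.invalid are made up; `trusted` stands for what is in cert.pem and `presented` for the certificates the server sends alongside its own during the TLS handshake.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Chain is a constructed three-level PKI used only for this demonstration:
// root CA -> intermediate CA -> server (leaf) certificate. All names are made up.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue signs tmpl with parentKey; parent == tmpl yields a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// caTemplate returns a CA certificate template valid for the next 24 hours.
func caTemplate(serial int64, cn string) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// BuildChain creates the root, an intermediate signed by the root, and a
// server certificate signed by the intermediate (all constructed test data).
func BuildChain() Chain {
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	rootTmpl := caTemplate(1, "Example Root CA (constructed)")
	root := issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	inter := issue(caTemplate(2, "Example Intermediate CA (constructed)"), root, &interKey.PublicKey, rootKey)
	now := time.Now()
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "inventory.example.invalid"},
		DNSNames:     []string{"inventory.example.invalid"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return Chain{Root: root, Intermediate: inter, Leaf: issue(leafTmpl, inter, &leafKey.PublicKey, interKey)}
}

// Verify models the client side of the handshake: trusted plays the role of
// cert.pem (the trust anchors), presented plays the role of the certificates the
// server sends with its leaf. The leaf is accepted only if a path can be built
// from it to a certificate in trusted, using presented to fill the gaps.
func Verify(c Chain, trusted, presented []*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, t := range trusted {
		roots.AddCert(t)
	}
	for _, p := range presented {
		inters.AddCert(p)
	}
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: inters, DNSName: "inventory.example.invalid",
	})
	return err
}

func main() {
	c := BuildChain()
	cases := []struct {
		name               string
		trusted, presented []*x509.Certificate
	}{
		{"root only in cert.pem, server sends intermediate", []*x509.Certificate{c.Root}, []*x509.Certificate{c.Intermediate}},
		{"root + intermediate in cert.pem (full bundle)", []*x509.Certificate{c.Root, c.Intermediate}, []*x509.Certificate{c.Intermediate}},
		{"root only in cert.pem, server does NOT send intermediate", []*x509.Certificate{c.Root}, nil},
		{"intermediate only in cert.pem (lower-level CA as anchor)", []*x509.Certificate{c.Intermediate}, nil},
	}
	for _, tc := range cases {
		if err := Verify(c, tc.trusted, tc.presented); err != nil {
			fmt.Printf("FAIL  %-58s %v\n", tc.name, err)
		} else {
			fmt.Printf("OK    %s\n", tc.name)
		}
	}
}
```

The first two cases succeed, which is the point made in the answer: once the root is trusted, the intermediate does not have to be in cert.pem as long as the verifier can obtain it from somewhere. The third case is the one to watch when troubleshooting: with only the root trusted and the server not sending its intermediate, the verifier cannot find the issuer of the certificate it holds and fails, which is the same class of failure OpenSSL reports as "unable to get local issuer certificate". Bundling the intermediates into cert.pem, as described later in the thread, makes the result independent of what the server sends. The fourth case passes here because Go's verifier accepts any certificate in the trusted pool as an anchor; OpenSSL's default verifier additionally requires the chain to end in a self-signed certificate unless partial-chain verification is enabled, so for an OpenSSL-based agent the root remains the safer anchor.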
Thanks for the response ChrisG. This is good to know. In the past, I just built a cert.pem that included all certificates in the certificate chain to ensure - starting with the root first, then the subsequent CAs down the list. In theory with PKI - if you trust the top, that should be sufficient, but I've been burned enough with certificate trust issues, so I just played it safe.
Aug 24, 2022 12:06 PM