Hi all ...

For Unix-like devices, is it sufficient to simply place the CA's root certificate in mgsft_rollout_cert (pre-install) / cert.pem (post-install), or do you also have to include the intermediate CA certificates used in the chain leading up to the CA's root?

The reason I ask is that I see both documented:

• https://community.flexera.com/t5/FlexNet-Manager-Knowledge-Base/How-to-setup-https-SSL-TLS-to-secure-and-encrypt-internal-FNMS/ta-p/2085 near the bottom under "Windows Agents", the text reads (emphasis is mine):  "If you're using a Certificate issued by a Certificate Authority, you only need to include their certificate chain (which has a longer expire date than the actual certificate) starting from the Root Certificate on top then the Intermediate Certificate of the Certificate Authority after."
• Gathering FlexNet Inventory FlexNet Manager Suite 2022 R1 - Agent Third-Party Deployment: HTTPS CA Certificate File Format (UNIX) (flexera.com):  The text reads near the top:  "[...]certificate checking requires that a copy of the certificate for the root CA has been installed on the managed device. When a certificate being validated matches the locally-stored certificate for the root CA, trust is confirmed.".  Further down: "All the root CA certificates that are used by the HTTPS web servers supplying content to the managed device or receiving content from the managed device can be concatenated into a single file. (For many organizations, this will be a single certificate for a single root Certification Authority. It may even be a CA that is internal to the enterprise.) "

Which is it - root CA certificate only, or the root CA with any intermediate certificates that signed the root CA?  I have an agent unable to upload its inventory and I'm pretty sure it's because a CA certificate is missing (I see "Download failure: OpenSSL error 0xFC14: unable to get local issuer certificate." in the tracker.log).

--Mark