SSL certificates needed for c10le

  • #8553
    mattriddler
    Member
    • Total Post: 8
    • Newbie

    Hello,
    I have an issue setting my c10le (8.508) up to authenticate to the storefront 2.6 servers (I have a load balancer but need to finish setting it up for ssl).
    If I try to connect to the storefront server I get ssl ‘unknown certificate authority’. Fair enough, exported my root certificate from the storefront server (internal ca). Added this in to the cacerts folder on the FTP server. Amended the link file & rebooted the terminal & still get the same message.
    Imported the intermediate certificate as well, using the same method. Same result.

    I have the root & intermediate certs in the cacerts folder & ini file.
    Do I also need to put the server certificate in there?
    Is there a special way to export and the file extension they need to be?

    Thanks, Matt

    #25566
    ConfGenConfGen
    Keymaster
    • Total Post: 11374
    • Jedi Master
    • ★★★★★★★

    No, you only need Root and all intermediate ones.
    Once you have successfully imported them, you should see them listed in the ThinOS Certificate Center with your domain name on top of the hierarchy.

    CG

    #25578
    mattriddler
    Member
    • Total Post: 8
    • Newbie

    Didn’t think I would need the server one, as the storefront server is presenting that one.
    Is there a particular format the certs need to be in? Was reading about them needing to be .crt’s.

    As the certificates will be on an open ftp share I am sure my security team will have an issue with the domain root & intermediate certificates being on there. Is there a way to encrypt them with a password (not sure if it is possible to export as .pfx)

    Thanks
    Matt

    #25581
    ConfGenConfGen
    Keymaster
    • Total Post: 11374
    • Jedi Master
    • ★★★★★★★

    No. Only machine or personal certificates can be in pfx format.
    The domain certs have to be in *.crt format. But this shouldn’t be an issue.
    All root certificates from all https websites can be downloaded.
    It would be a security issue if you get your hands on the private keys. But the standard root certificates only contain the public key.
    Everyone could have those.
    No security concerns here.

    CG

    #25588
    mattriddler
    Member
    • Total Post: 8
    • Newbie

    Got it sorted. Exported the certs in base format. Opened them in Notepad (other text editors are available) & could see start certificate & end certificate. Opened the der encoded ones & it was just random text. I had tried importing the der ones in the ini file first & it did not work. So I put the base ones in the ini file & they imported fine & let me login to the website without any issues.

    Matt

    #25595
    mattriddler
    Member
    • Total Post: 8
    • Newbie

    Just a little update.
    Tested again from a c10le & the certs would not import, even though they were in the folder & in the ini file.
    Colleague said why don’t you try putting the AddCertificate= onto separate lines in the ini file.

    Did that & the certificates started loading in fine.

    Bit weird that it is needed for the certificates, but not for any other lines of code.
    Issue resolved
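
An offline pre-flight check for the points raised in this thread (Base-64 rather than DER exports, no private keys on the open FTP share, one AddCertificate= per line), added here as an example and not code from the posters or from ThinOS documentation. The file names in the sample ini and the DER sample bytes are constructed placeholders, and the DER test is a heuristic on the leading ASN.1 bytes only.

```python
import re
import ssl

# Matches any PEM block and captures its label (CERTIFICATE, PRIVATE KEY, ...).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)

# Constructed samples: placeholder bytes shaped like a DER header (not a real
# certificate) and an ini fragment with hypothetical file names.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(256)
SAMPLE_INI = ("AddCertificate=root.crt AddCertificate=intermediate.crt\n"
              "AddCertificate=root.crt\n"
              "AddCertificate=intermediate.crt\n")


def classify_cert(data: bytes) -> str:
    """Return 'pem', 'der', 'private-key' or 'unknown' for one file's bytes."""
    text = data.decode("ascii", errors="ignore")
    labels = [m.group(1) for m in PEM_BLOCK.finditer(text)]
    if any("PRIVATE KEY" in label for label in labels):
        return "private-key"   # must never be published to the share
    if labels and all(label == "CERTIFICATE" for label in labels):
        return "pem"           # text export with BEGIN/END CERTIFICATE lines
    if len(data) > 4 and data[0] == 0x30 and data[1] & 0x80:
        return "der"           # binary ASN.1 SEQUENCE with long-form length
    return "unknown"


def to_pem(data: bytes) -> str:
    """Return PEM text for a PEM or DER input; refuse anything else."""
    kind = classify_cert(data)
    if kind == "pem":
        return data.decode("ascii")
    if kind == "der":
        # Re-wraps the bytes as Base-64; it does not validate the certificate.
        return ssl.DER_cert_to_PEM_cert(data)
    raise ValueError(f"refusing to publish file classified as {kind}")


def crowded_ini_lines(ini_text: str) -> list:
    """1-based numbers of ini lines holding more than one AddCertificate=."""
    return [n for n, line in enumerate(ini_text.splitlines(), 1)
            if line.lower().count("addcertificate=") > 1]


if __name__ == "__main__":
    print(classify_cert(SAMPLE_DER), crowded_ini_lines(SAMPLE_INI))
```
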

    #25600
    ConfGenConfGen
    Keymaster
    • Total Post: 11374
    • Jedi Master
    • ★★★★★★★

    What was the “non-working” parameter?

    CG
