Category: X.509 certificate usage or issue
The supplied certificate is not trusted by this machine. Clients may not trust it either, which can cause insecure connection warnings.
This warning is issued by fmos pki import-cpl-cert when the trust chain for the supplied control panel certificate cannot be built up to a trusted root certificate authority. In other words, the certificate was signed by a CA that FMOS does not trust.
Clients that do not trust the certificate presented by the Server Control Panel HTTPS service may show users security warnings or refuse to communicate with the service. In particular, if the server certificate is trusted but the control panel certificate is not, HTTP Strict Transport Security policy may cause browsers to fail to load the Server Control Panel Web User Interface: a browser that has recorded an HSTS policy for the host treats a certificate error as fatal and does not offer the usual option to proceed anyway.
The fmos ecosystem join command communicates with the Server Control Panel service over HTTPS. If the control panel certificate is not trusted, it will present a warning to the user and prompt for manual verification of the certificate fingerprint. Using a trusted certificate will suppress this warning.
There are two possible causes for this warning:
The root CA certificate is not installed in the FMOS CA trust store
An intermediate CA signed either the control panel certificate or another intermediate CA certificate in the chain, but its certificate is missing from the chain file
If the supplied control panel certificate or any of the intermediate CA certificates in the trust chain were issued by a root CA certificate that FMOS does not trust by default, such as an internal CA, the root CA certificate needs to be added to the FMOS CA trust store. The fmos pki import-ca command is used to add CA certificates to the FMOS CA trust store.
fmos pki import-ca corp-ca.crt
To add a CA certificate to the trust store, first save the certificate to a file in either PEM (base-64), DER (binary) or PKCS#12 format. Copy the file to the FMOS machine (e.g. using SFTP). Finally, pass the path to the file as a command-line argument to the fmos pki import-ca command. The name of the file does not matter.
If the supplied control panel certificate was issued by an intermediate CA, the intermediate CA certificate needs to be included in the CA chain file. If there are multiple intermediate CAs in the trust chain, i.e. the first intermediate CA was itself signed by another intermediate CA, then all of the intermediate CA certificates need to be included in the CA chain file.
To construct a CA chain file, save the certificates for all of the intermediate CAs in the trust chain to a single file. If there is only one CA certificate in the chain, the file can be in PEM (base-64), DER (binary), or PKCS#12 format. If multiple CA certificates are required, only the PEM and PKCS#12 formats are supported. The certificates should be placed in the file in order from leaf to root: the CA that issued the control panel certificate first, followed by that CA's issuer, and so on up to the last intermediate CA. The root CA certificate belongs in the FMOS CA trust store, not in the chain file. Alternatively, the intermediate CA certificates can be appended to the control panel certificate file, if the file is in PEM or PKCS#12 format.
Once the CA chain file is available in a supported format, copy it to the FMOS machine (e.g. using SFTP) and pass the path to the file to the fmos pki import-cpl-cert command as the value of the --chain argument.
fmos pki import-cpl-cert server.cer server.key --chain chain.crt
If the intermediate CA was signed by a root CA certificate that FMOS does not trust, the root CA certificate also needs to be added to the FMOS CA trust store with fmos pki import-ca, as described above.
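As an added example (not part of this page and not FMOS code), the following POSIX shell script reproduces both causes of the warning with a throw-away PKI and shows the checks worth running on a workstation before copying files to FMOS. It assumes an openssl binary (1.1.1 or newer) and constructs its own root CA, two intermediate CAs ("Example Corp Policy CA" and "Example Corp Issuing CA") and a control panel certificate for fmos.example.internal; the CA names, host name, file names and function names (make_test_pki, build_chain, show_chain, chain_starts_with_leaf_issuer, verify_chain) are all assumptions of this example. It goes one step beyond the page's single-intermediate case by using two intermediate CAs, so that the leaf-to-root ordering rule for the chain file is actually exercised.

```shell
#!/bin/sh
# Added example (not FMOS code): build a test PKI root -> int1 -> int2 -> server,
# then verify the control panel (leaf) certificate the way FMOS has to: against
# only the root we explicitly trust, plus the chain file. All names and paths are
# constructed for this demo. Requires openssl 1.1.1+; paths must not contain spaces.

# Issue a CSR for $1, signed by CA $2 with extensions section $3 and CN $4.
# Writes $1.key, $1.csr and $1.crt in the current directory.
sign_cert() {
    openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "/CN=$4" 2>/dev/null &&
    openssl x509 -req -sha256 -days 825 -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
        -CAcreateserial -extfile req.cnf -extensions "$3" -out "$1.crt" 2>/dev/null
}

# Create root, int1, int2 and server in directory $1 (subshell body, so the
# caller's working directory and shell options are untouched).
make_test_pki() (
    set -e
    mkdir -p "$1" && cd "$1"
    cat > req.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:fmos.example.internal
EOF
    # Self-signed root: stands in for an internal root that FMOS does not trust by default.
    openssl req -x509 -config req.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
        -sha256 -days 3650 -keyout root.key -out root.crt \
        -subj "/CN=Example Corp Root CA" 2>/dev/null
    sign_cert int1 root ca_ext "Example Corp Policy CA"      # signed by the root
    sign_cert int2 int1 ca_ext "Example Corp Issuing CA"     # signed by int1
    sign_cert server int2 leaf_ext "fmos.example.internal"   # the control panel certificate
)

# Concatenate intermediate CA certificates into chain file $1, leaf-to-root:
# the CA that issued the control panel certificate first, then its issuer, and so on.
build_chain() {
    out=$1; shift
    cat "$@" > "$out"
}

# Print subject and issuer of every certificate in a PEM bundle, in file order.
show_chain() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# True when the first certificate in chain file $1 is the issuer of leaf $2
# (openssl x509 reads only the first certificate of a PEM file, which is what we want).
chain_starts_with_leaf_issuer() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = "$(openssl x509 -in "$2" -noout -issuer_hash)" ]
}

# Verify leaf $3 with trusted root $1 (empty = nothing trusted) and chain file $2
# (empty = none). -no-CAfile/-no-CApath keep this host's default CA bundle out of
# the picture, so the result reflects only what we pass in, as on the FMOS side.
verify_chain() {
    opts="-no-CAfile -no-CApath"
    [ -n "$1" ] && opts="$opts -CAfile $1"
    [ -n "$2" ] && opts="$opts -untrusted $2"
    openssl verify $opts "$3"
}

demo() {
    dir=$(mktemp -d)
    make_test_pki "$dir" || { echo "could not build the test PKI (is openssl installed?)" >&2; return 1; }
    build_chain "$dir/chain.crt" "$dir/int2.crt" "$dir/int1.crt"
    echo "== certificates in chain.crt, in file order =="
    show_chain "$dir/chain.crt"
    echo "== root trusted, full chain supplied (expected: OK) =="
    verify_chain "$dir/root.crt" "$dir/chain.crt" "$dir/server.crt"
    echo "== root trusted, int1 missing from the chain file (cause 2, expected: error) =="
    verify_chain "$dir/root.crt" "$dir/int2.crt" "$dir/server.crt"
    echo "== full chain, root not in the trust store (cause 1, expected: error) =="
    verify_chain "" "$dir/chain.crt" "$dir/server.crt"
    echo "Files in $dir are what fmos pki import-cpl-cert server.crt server.key --chain chain.crt would take"
}

demo
```

openssl verify itself does not care about the order of certificates in the -untrusted file, so chain_starts_with_leaf_issuer is the check that catches a chain file assembled root-first; run show_chain on any bundle you receive from a CA portal, since those are not always in leaf-to-root order. openssl may report the same "unable to get local issuer certificate" error for both causes, so the two runs are how you tell them apart: if verification fails even with the root supplied, the chain file is incomplete (cause 2); if it passes with the root and fails without it, the chain is complete and the root simply needs to be imported with fmos pki import-ca (cause 1).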