Articles in this section

See more

The Supplied Server Certificate Is Not Trusted - Control Panel

Avatar
Brent Landon
Follow

Classification: FMOS

Category: X.509 certificate usage or issue

Severity: Warning

Summary

The supplied certificate is not trusted by this machine. Clients may not trust it either, which can cause insecure connection warnings.

Description

This warning is issued by fmos pki import-cpl-cert when the trust chain for the supplied control panel certificate cannot be built up to a trusted root certificate authority. In other words, the certificate was signed by a CA that FMOS does not trust.

Impact

Clients that do not trust the certificate presented by the Server Control Panel HTTPS service may present users with security warnings or refuse to communicate with the service. In particular, if the server certificate is trusted but the control panel certificate is not, HTTP Strict Transport Security policy may cause browsers to fail to load the Server Control Panel Web User Interface.

The fmos ecosystem join command communicates with the Server Control Panel service over HTTPS. If the control panel certificate is not trusted, it will present a warning to the user and prompt for manual verification of the certificate fingerprint. Using a trusted certificate will suppress this warning.

Cause

There are two possible causes for this warning:

  1. The root CA certificate is not installed in the FMOS CA trust store

  2. An intermediate CA has signed either the control panel certificate or another intermediate CA certificate in the chain but its certificate is missing from the chain file

Resolution 1

If the supplied control panel certificate or any of the intermediate CA certificates in the trust chain were issued by a root CA certificate that FMOS does not trust by default, such as an internal CA, the root CA certificate needs to be added to the FMOS CA trust store. The fmos pki import-ca command is used to add CA certificates to the FMOS CA trust store.

fmos pki import-ca corp-ca.crt

To add a CA certificate to the trust store, first save the certificate to a file in either PEM (base-64), DER (binary) or PKCS#12 format. Copy the file to the FMOS machine (e.g. using SFTP). Finally, pass the path to the file as a command-line argument to the fmos pki import-ca command. The name of the file does not matter.

Resolution 2

If the supplied control panel certificate was issued by an intermediate CA, the intermediate CA certificate needs to be included in the CA chain file. If there are multiple intermediate CAs in the trust chain, i.e. the first intermediate CA was itself signed by another intermediate CA, then all of the intermediate CA certificates need to be included in the CA chain file.

To construct a CA chain file, save the certificates for all of the intermediate CAs in the trust chain to a single file. If there is only one CA certificate in the chain, the file can be in PEM (base-64), DER (binary), or PKCS#12 format. If multiple CA certificates are required, only the PEM and PKCS#12 formats are supported. The certificates should be placed in the file in order from leaf to root. Alternatively, the intermediate CA certificates can be appended to the control panel certificate file, if the file is in PEM or PKCS#12 format.

Once the CA chain file is available in a supported format, copy it to the FMOS machine (e.g. using SFTP) and pass the path to the file to the fmos pki import-cpl-cert command as the value of the --chain argument.

fmos pki import-cpl-cert server.cer server.key --chain chain.crt

If the intermediate CA was signed by a root CA certificate that is not trusted by FMOS, the root CA certificate will also need to be added to the FMOS CA trust store. See Resolution 1 above for details.

Related articles

Comments

0 comments

Article is closed for comments.