Category: X.509 certificate usage or issue
The supplied certificate is not a root CA certificate.
This warning is reported by fmos pki import-ca when the supplied certificate is an intermediate CA certificate instead of a root CA certificate. A root CA certificate must be self-signed, while an intermediate CA certificate is signed by another CA.
In most cases, adding an intermediate CA certificate to the FMOS system CA trust store has no benefit. The root CA certificate in the intermediate CA certificate's trust chain must still be added to the trust store, and most servers will send any required intermediate CA certificates along with their end-entity certificates.
This warning can only be caused by attempting to add an intermediate CA certificate to the FMOS system CA trust store using the fmos pki import-ca command. A certificate is considered an intermediate CA certificate if it is not self-signed.
In most cases, this warning is issued to indicate that importing the supplied certificate into the FMOS system CA trust store will not have the desired effect. Clients running on FMOS, including the FireMon Security Intelligence Platform, will not trust certificates issued by the intermediate CA unless the root CA certificate that was used to sign the intermediate CA certificate is also present in the system trust store. As such, the typical resolution to this warning is to instead import the root CA certificate.
In some cases, importing an intermediate CA certificate in addition to the root CA certificate may be necessary. This is typically because a service does not send the intermediate CA certificate along with its end-entity (server) certificate, preventing a trust chain from being built.
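One way to check which kind of certificate a PEM file holds before running fmos pki import-ca, using the rule above that only a self-signed certificate is a root. This is an added example, not FireMon's code; it assumes the openssl command-line tool is installed, and the function names and the sample certificates it generates are constructed for illustration.

```shell
#!/bin/sh
# Added example: decide whether a PEM certificate is a self-signed root or
# an intermediate before importing it. Requires the openssl CLI.

# Prints "intermediate" when issuer and subject names differ, "root" when
# they match and openssl verify accepts the certificate with itself supplied
# as the CA file, and "self-issued" when the names match but that check
# fails (for example, the certificate has expired).
# Returns 2 when the file is not a parseable PEM certificate.
classify_ca_cert() {
    cert=$1
    openssl x509 -in "$cert" -noout 2>/dev/null || return 2
    if [ "$(openssl x509 -in "$cert" -noout -subject_hash)" != \
         "$(openssl x509 -in "$cert" -noout -issuer_hash)" ]; then
        echo intermediate
    elif openssl verify -CAfile "$cert" "$cert" 2>/dev/null | grep -q ': OK$'; then
        echo root
    else
        echo self-issued
    fi
}

# Constructed sample data: a throwaway two-level PKI written to directory $1
# (root.pem is self-signed, intermediate.pem is signed by the root key).
make_sample_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=Example Root CA' \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes \
        -subj '/CN=Example Intermediate CA' \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/int.csr" -days 1 -extfile "$d/ca.ext" \
        -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -out "$d/intermediate.pem" 2>/dev/null
}

# With file arguments, classify each; with none, use the constructed sample.
main() {
    if [ "$#" -eq 0 ]; then
        tmp=$(mktemp -d) && make_sample_pki "$tmp" || return 1
        set -- "$tmp/root.pem" "$tmp/intermediate.pem"
    fi
    for f in "$@"; do
        printf '%s: %s\n' "$f" "$(classify_ca_cert "$f")"
    done
}
main "$@"
```

A file reported as "intermediate" is one that would trigger this warning; its issuer can be read with openssl x509 -noout -issuer to identify the root CA certificate to import instead.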