Classification: FMOS
Category: X.509 certificate usage or issue
Severity: Error
Summary
The supplied certificate is not a root CA certificate.
Description
This warning is reported by fmos pki import-ca when the supplied certificate is an intermediate CA certificate instead of a root CA certificate. A root CA certificate must be self-signed, while an intermediate CA certificate is signed by another CA.
Impact
In most cases, adding an intermediate CA certificate to the FMOS system CA trust store has no benefit. The root CA certificate in the intermediate CA certificate's trust chain must still be added to the trust store, and most servers will send any required intermediate CA certificates along with their end-entity certificates.
Cause
This warning can only be caused by attempting to add an intermediate CA certificate to the FMOS system CA trust store using the fmos pki import-ca command. A certificate is considered an intermediate CA certificate if it is not self-signed.
Resolution
In most cases, this warning is issued to indicate that importing the supplied certificate into the FMOS system CA trust store will not have the desired effect. Clients running on FMOS, including the FireMon Security Intelligence Platform, will not trust certificates issued by the intermediate CA unless the root CA certificate that was used to sign the intermediate CA certificate is also present in the system trust store. As such, the typical resolution to this warning is to instead import the root CA certificate.
In some cases, importing an intermediate CA certificate in addition to the root CA certificate may be necessary. This is typically because a service does not send the intermediate CA certificate along with its end-entity (server) certificate, preventing a trust chain from being built.
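The self-signed test described under Description and Cause can be run on a certificate file before attempting the import. The following is an added example, not FireMon's code and not how fmos pki import-ca is implemented; it assumes the openssl command-line tool is available, and the function names classify_ca and make_demo_chain are hypothetical.

```shell
#!/bin/sh
# Added example: decide whether a PEM certificate is a root CA (self-signed)
# or an intermediate CA (signed by another CA) before importing it.

# classify_ca FILE -> prints "root" or "intermediate"; returns 2 if unreadable.
classify_ca() {
    cert=$1
    subj=$(openssl x509 -in "$cert" -noout -subject_hash 2>/dev/null) || return 2
    issr=$(openssl x509 -in "$cert" -noout -issuer_hash 2>/dev/null) || return 2
    # Different subject and issuer names: the certificate was issued by another CA.
    if [ "$subj" != "$issr" ]; then
        echo intermediate
        return 0
    fi
    # Matching names are not enough; the signature must also verify
    # against the certificate's own public key.
    if openssl verify -check_ss_sig -CAfile "$cert" "$cert" >/dev/null 2>&1; then
        echo root
    else
        echo intermediate
    fi
}

# make_demo_chain DIR: builds a constructed, throwaway root and intermediate
# so the check can be tried without touching real certificates.
make_demo_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Demo Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null || return 1
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=Constructed Demo Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null || return 1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ext.cnf"
    openssl x509 -req -in "$d/int.csr" -days 1 -extfile "$d/ext.cnf" \
        -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -out "$d/int.pem" 2>/dev/null || return 1
}
```

A result of "intermediate" means the certificate that signed the file is the one to look for; repeat the check on that certificate until it reports "root".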