Filr and broken trust chains when installing certificates with an intermediate CA.

  • 7016002
  • 17-Dec-2014
  • 29-Mar-2017

Environment

Novell Filr 1.0 Appliance
Novell Filr 1.0.1 Appliance
Novell Filr 1.1 Appliance
Novell Filr 1.2 Appliance
Novell Filr 2 Appliance
Micro Focus Filr 3 Appliance

Situation

Several Certificate Authority (CA) vendors provide their customers with the signed certificate together with a separate certificate file for an intermediate CA.

After installing the CSR reply and the CA vendor's intermediate CA file, the signed certificate of Filr is still not trusted by all browsers or clients: the appliance presents only its own certificate, and a client that does not already hold the intermediate CA certificate cannot build the chain from that certificate to a trusted root.

Installing the intermediate CA on the workstation works around the issue for that workstation, but it does not repair the broken trust chain for clients that do not have access to that file, and it should not be a requirement.

In Novell Filr 1.2, in the Appliance Configuration under Digital Certificates, the option "Update Certificate Chain" was introduced for managing the Web Application Certificates.  However, in the release version (Filr 1.2.0.846) additional steps are still required before the appliance also offers the intermediate CA.

Resolution

These are the required steps for Novell Filr 1.0, 1.0.1 and 1.1.0 (these steps can also be used on later releases):

Using the openssl command line you can merge the intermediate CA file into Filr's PKCS#12 file.
To do this, either enable SSH or use the server prompt via the hypervisor console.

As an example for filr.digitalairlines.com:
  1. :# mkdir /vastorage/back-up
  2. :# cp /vastorage/conf/certs/* /vastorage/back-up/
  3. :# cp /vastorage/conf/certs/.keystoredb /vastorage/back-up/
  4. :# mkdir /tmp/certificate/
  5. :# cp /vastorage/conf/certs/vaserver.key /tmp/certificate/
  6. Using an scp client, upload the <cert from vendor>.crt file received from the CA as the reply to the CSR.
  7. Using an scp client, upload the <intermediate ca>.crt file provided by the CA.
  8. :# cd /tmp/certificate/
  9. :# cp <cert from vendor>.crt filr-digitalairlines-com.crt
  10. :# cat <intermediate ca>.crt >> filr-digitalairlines-com.crt
  11. :# openssl pkcs12 -export -in filr-digitalairlines-com.crt -inkey vaserver.key -out filr-digitalairlines-com.p12  (all on one command line; the export password you enter here is the password the Filr import will ask for).
  12. Using an scp client, copy the generated .p12 key pair to a workstation.
  13. a. Import the .p12 key pair and set it as active as described in the Novell Filr 1.1 documentation.
    b. Import the .p12 key pair and set it as active as described in the Novell Filr 2 documentation.
    c. Import the .p12 key pair and set it as active as described in the Micro Focus Filr 3 documentation.
  14. Reboot the Filr appliance so that all services use the new certificate material.
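The following script is an added example and is not part of this TID or of the Filr appliance. It performs steps 9 to 11 with openssl, but first checks that vaserver.key really belongs to the CSR reply (see Additional Information) and shows that the reply only verifies when the intermediate CA is present, which is exactly the situation a client without that file is in. Because the real CA files cannot ship with the article, it generates a throw-away root/intermediate/server PKI in a temporary directory; the file names vendor.crt and intermediate.crt, the alias, and the export password changeit are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the TID): chained PKCS#12 for Filr, with checks.
# Assumed names: vendor.crt = CSR reply, intermediate.crt = vendor's intermediate CA,
# vaserver.key = the key the CSR was generated with, password "changeit".

# Does the private key belong to the CSR reply?  Compares the public keys, so it
# works for RSA and EC keys alike.  Returns 0 on match, 1 on mismatch.
key_matches_cert() {                       # key.pem cert.pem
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Does the leaf chain to the root when the intermediate is supplied (-untrusted)?
chain_verifies() {                         # root.crt intermediate.crt leaf.crt
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Does the leaf verify when only the root is known?  This is what a client that
# never received the intermediate sees; it is expected to fail.
leaf_verifies_alone() {                    # root.crt leaf.crt
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Steps 9-11 of the procedure: leaf + intermediate -> one PEM file -> PKCS#12.
build_chained_p12() {                      # key leaf intermediate out.p12 password [alias]
  key=$1; leaf=$2; inter=$3; out=$4; pass=$5; alias=${6:-filr-chained}
  if ! key_matches_cert "$key" "$leaf"; then
    echo "ERROR: $key does not match $leaf (copy vaserver.key while the CSR key pair is active)" >&2
    return 1
  fi
  chain="${out%.p12}.crt"
  cat "$leaf"  > "$chain"
  cat "$inter" >> "$chain"
  # openssl takes the certificate matching -inkey as the user certificate and
  # bundles every other certificate in the -in file as an extra (CA) certificate.
  openssl pkcs12 -export -in "$chain" -inkey "$key" -name "$alias" \
    -out "$out" -passout "pass:$pass"
}

# How many certificates ended up in the .p12?  2 = leaf + intermediate.
p12_cert_count() {                         # file.p12 password
  openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep -c 'BEGIN CERTIFICATE'
}

# Constructed throw-away PKI so the example runs offline: root -> intermediate ->
# server.  vendor.crt stands in for the CA's reply to the vaserver.csr request.
make_demo_pki() {                          # directory
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:filr.digitalairlines.com\n' > "$d/leaf.ext"
  for n in root intermediate vaserver; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
  openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -days 30 -extfile "$d/ca.ext" -out "$d/intermediate.crt" 2>/dev/null
  openssl x509 -req -in "$d/vaserver.csr" -CA "$d/intermediate.crt" -CAkey "$d/intermediate.key" \
    -CAcreateserial -days 30 -extfile "$d/leaf.ext" -out "$d/vendor.crt" 2>/dev/null
}

main() {
  work=$(mktemp -d)
  make_demo_pki "$work"
  if leaf_verifies_alone "$work/root.crt" "$work/vendor.crt"; then
    echo "unexpected: the leaf verified without the intermediate"
  else
    echo "as on a client without the intermediate: the leaf alone does not verify"
  fi
  chain_verifies "$work/root.crt" "$work/intermediate.crt" "$work/vendor.crt" \
    && echo "with the intermediate supplied the leaf verifies"
  build_chained_p12 "$work/vaserver.key" "$work/vendor.crt" "$work/intermediate.crt" \
    "$work/filr-digitalairlines-com.p12" changeit
  echo "certificates in the .p12: $(p12_cert_count "$work/filr-digitalairlines-com.p12" changeit)"
  # A key that does not belong to the reply (here the intermediate's) is rejected
  # before anything is exported.
  build_chained_p12 "$work/intermediate.key" "$work/vendor.crt" "$work/intermediate.crt" \
    "$work/wrong.p12" changeit || echo "mismatched key rejected as expected"
}
main
```

On the appliance, point build_chained_p12 at the copies under /tmp/certificate/ instead of the generated files; the password passed in is the one the Digital Certificates import dialog asks for. After the import, Set as Active and the reboot, a check from any workstation is `openssl s_client -connect filr.digitalairlines.com:8443 -showcerts </dev/null`, which should now list both the server certificate and the intermediate CA certificate. One caveat: OpenSSL 3 encrypts PKCS#12 files with PBES2/AES by default, which older Java keystores cannot read; if the appliance refuses the file, re-export with openssl's `-legacy` option added to the pkcs12 command.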


These are the required steps for Filr 1.2 or later:

  1. a. Go through the steps described in the Novell Filr 1.2 documentation, "Replacing the Self-Signed Digital Certificate for an Official Certificate".
    b. Go through the steps described in the Novell Filr 2 documentation, "Replacing the Self-Signed Digital Certificate for an Official Certificate".
    c. Go through the steps described in the Micro Focus Filr 3 documentation, "Getting Your Certificate Officially Signed".
  2. In the Novell Filr Appliance Management portal (port 9443) open "Appliance Configuration".
  3. Open "Digital Certificates" to manage the certificates.
  4. In the "Key Store" drop-down menu choose "Web Application Certificates".
  5. Make sure that the signed certificate key pair used in step 1 is set as active.
  6. Under "File", select "Import", then select "Trusted Certificate" to import the intermediate CA digital certificate (if the CA vendor provides multiple intermediate CA certificates, all of them need to be imported).
  7. Select the signed certificate key pair that is active for the appliance (indicated by the alias shown in bold), then click "Update Certificate Chain".
  8. Although this appears extraneous, it is a crucial step in the procedure: choose any other certificate key pair and click "Set as Active".
  9. Reselect the key pair that was digitally signed in step 1 and click "Set as Active".
  10. Reboot the appliance.

Status

Reported to Engineering

Additional Information

This has been reported to Novell Development and will be addressed in a Novell Filr 1.2 FTF or later code.
The first procedure described above is a workaround for Novell Filr up to 1.1.0 only.

The file name for the generated .p12 key pair needs to be unique; it cannot be the same as any of the key material already listed in Filr.

The vaserver.key that is used needs to be copied while the key pair that was used to generate the CSR is the active one on the Filr appliance. If the .crt and .key file do not match, the certificate will not work or will not be trusted. A quick check is to compare the public key in each file: the output of `openssl x509 -in <cert from vendor>.crt -noout -pubkey` must be identical to that of `openssl pkey -in vaserver.key -pubout`.


For Novell Filr 1.2, the procedure through step 7 is the normal procedure.
Steps 8 and 9 are additional steps that are required to update the certificate files under /vastorage/conf/certs/ with the correct data.
Engineering is working on a more user-friendly way to perform this required action that would eliminate the need for these additional steps.