SSL - Providing CA-signed certificate chain for SSL Server Mode

We are trying to achieve SSL Server Mode for JDBC connections.

Our CA signed certificate chain contains an intermediate certificate.

So we have the following 3 files for the key and certificates:

server.key
server.crt
ca_intermediate.crt

When configuring SSL in Vertica 7.1.1-10 we use the following:

admintools -t set_ssl_params -k server.key -c server.crt ...

The client connection fails as Vertica is not aware of the intermediate certificate and is not providing the client with it for the client to validate the whole chain (the client drops the connection after failed server certificate validation).

When configuring with:

admintools -t set_ssl_params -k server.key -c ca_intermediate.crt ...

Vertica won't start (makes sense, as the public certificate and private key do not match).

When trying to create a server_chain.crt file by concatenating the 2 certificates (server.crt & ca_intermediate.crt), we get the same results as if only the first certificate were present in that file (either the client won't trust the server or the server won't start, depending on the order of the certificates in the concatenation).

We tried one more thing:

admintools -t set_ssl_params -k server.key -c server.crt -a ca_intermediate.crt ...

In this case, surprisingly, the server offers the whole chain (intermediate and our server certificate) to the client and the client can successfully validate the chain, but the server switches to SSL Mutual Mode and fails to establish a connection, requiring the client to provide a client certificate.

Any help would be appreciated: how can we provide the whole chain to the client and use SSL Server Mode?

We would prefer Vertica to provide the intermediate certificate instead of pushing it to all clients' trust stores.

Thanks

Vitaly
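Before handing the files to admintools, the checks below (an added example, not code from the original post or from Vertica) confirm what the symptoms in the post point at: that server.key matches server.crt, that a concatenated chain file is leaf-first and actually holds both certificates, and that the leaf only validates when the intermediate is available, which is the position a client is in when the server does not send it. root.crt, the root that issued ca_intermediate.crt, is an assumption; the other file names are the post's.

```shell
# Does server.key belong to server.crt?  Both commands print the same
# SubjectPublicKeyInfo PEM when they do; a mismatch is what "server won't
# start" looks like in the post.
key_matches_cert() {              # key_matches_cert server.key server.crt
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Build the chain file leaf-first: the first entry is the one a server pairs
# with the private key, so the issuer(s) must follow it.
build_chain() {                   # build_chain server.crt ca_intermediate.crt out.crt
    cat "$1" "$2" > "$3"
}

# Subject of the first certificate in a PEM file; openssl x509 reads only the
# first entry, which is exactly why the order of the concatenation matters.
first_subject() {                 # first_subject chain.crt
    openssl x509 -in "$1" -noout -subject
}

# How many certificates a PEM file really contains.
cert_count() {                    # cert_count chain.crt
    grep -c 'BEGIN CERTIFICATE' "$1"
}

# Validate the leaf up to the root with the intermediate available but not
# trusted: what a client can do only if the server presents the intermediate.
verify_chain() {                  # verify_chain root.crt ca_intermediate.crt server.crt
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

# Same validation with no intermediate at all: the failure the post's clients
# hit when only server.crt is presented.
verify_leaf_only() {              # verify_leaf_only root.crt server.crt
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```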
