SSL - Providing CA-signed certificate chain for SSL Server Mode
We are trying to achieve SSL Server Mode for JDBC connections
Our CA signed certificate chain contains an intermediate certificate.
So we have the following 3 files for the key and certificates:
server.key
server.crt
ca_intermediate.crt
When configuring SSL in Vertica 7.1.1-10 we use the following:
admintools -t set_ssl_params -k server.key -c server.crt ...
The client connection fails as vertica is not aware of the intermediate certificate and is not providing it to the client for the client to validate the whole chain (the client drops the connection after failed server certificate validation).
When configuring with:
admintools -t set_ssl_params -k server.key -c ca_intermediate.crt ...
vertica won't start (makes sense as the public certificate and private key do not match).
When trying to create a server_chain.crt file by concatenating 2 certificates (server.crt & ca_intermediate.crt), we get the same results as if only the first certificate is present in that file (either client won't trust the server or the server won't start depending on the order of the certificates in the concatenation).
We tried one more thing:
admintools -t set_ssl_params -k server.key -c server.crt -a ca_intermediate.crt ...
In this case, surprisingly, the server offers the whole chain (intermediate and our server certificate) to the client and the client can successfully validate the chain, but the server switches to SSL Mutual Mode and fails to establish a connection, requiring the client to provide a client certificate.
Any help would be appreciated, how can we provide the whole chain to the client and use SSL Server Mode ?
We would prefer vertica to provide the intermediate certificate instead of pushing it to all clients' trust stores.
Thanks
Vitaly
Comments
If your server.crt SSL certificate file includes a certificate chain (more than one certificate), Admintools accepts the whole chained certificate.
-- here is how you add a chain (see chain.crt)
https://my.vertica.com/kb/Using-SSL-Server-Authentication-with-Vertica-Validating-Your-SSL/Content/BestPractices/Using-SSL-Server-Authentication-with-Vertica-Validating-Your-SSL.htm?Highlight=chain.crt
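Added example, not from the original post or from Vertica's documentation: a POSIX shell script that builds the single chained file the comment refers to (server certificate first, then the intermediate, the order a TLS server presents them) and checks it with openssl before it is handed to set_ssl_params. The key/certificate match check reproduces the "server won't start" case from the question when the concatenation order is reversed, and the verify check reproduces the "client drops the connection" case when only the bare server.crt is presented. The throwaway root/intermediate/server PKI, the file names, and the hostname vertica.example.test are constructed for the example; with a real CA you already have server.key, server.crt and ca_intermediate.crt.

```shell
#!/bin/sh
# Added example: build and check a chained server certificate for
# admintools -t set_ssl_params. Names and the test PKI are assumptions.
set -eu

# Extensions file marking a certificate as a CA (used via -extfile).
write_ca_ext() {
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$1"
}

# make_test_pki DIR: constructed throwaway root -> intermediate -> server
# PKI so the script runs offline. Not needed with a real CA-issued chain.
make_test_pki() {
    d=$1
    mkdir -p "$d"
    write_ca_ext "$d/ca.ext"
    # self-signed root CA
    openssl genrsa -out "$d/root.key" 2048 2>/dev/null
    openssl req -new -key "$d/root.key" -subj "/CN=Test Root CA" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    # intermediate CA signed by the root
    openssl genrsa -out "$d/ca_intermediate.key" 2048 2>/dev/null
    openssl req -new -key "$d/ca_intermediate.key" -subj "/CN=Test Intermediate CA" \
        -out "$d/ca_intermediate.csr" 2>/dev/null
    openssl x509 -req -in "$d/ca_intermediate.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/ca_intermediate.crt" 2>/dev/null
    # server certificate signed by the intermediate (assumed hostname)
    openssl genrsa -out "$d/server.key" 2048 2>/dev/null
    openssl req -new -key "$d/server.key" -subj "/CN=vertica.example.test" \
        -out "$d/server.csr" 2>/dev/null
    openssl x509 -req -in "$d/server.csr" -CA "$d/ca_intermediate.crt" \
        -CAkey "$d/ca_intermediate.key" -CAcreateserial -days 2 -out "$d/server.crt" 2>/dev/null
}

# key_matches KEY CERTFILE: succeed only if KEY belongs to the FIRST
# certificate in CERTFILE (openssl x509 reads just the first PEM block,
# which is the one the server presents as its own).
key_matches() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
      "$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)" ]
}

# build_chain KEY LEAF INTERMEDIATE OUT: leaf first, then intermediate.
build_chain() {
    key_matches "$1" "$2" || { echo "$1 is not the private key for $2" >&2; return 1; }
    cat "$2" "$3" > "$4"
}

# first_cert_is LEAF CHAIN: the first certificate in CHAIN must be LEAF.
# A reversed concatenation puts the intermediate first; its public key
# then does not match server.key, which is the "won't start" case.
first_cert_is() {
    [ "$(openssl x509 -in "$2" -noout -fingerprint -sha256)" = \
      "$(openssl x509 -in "$1" -noout -fingerprint -sha256)" ]
}

# client_can_verify ROOT PRESENTED: what a client holding only ROOT in its
# truststore does with the file the server presents: verify the first
# certificate, using the rest of PRESENTED as untrusted intermediates.
# With PRESENTED=server.crt alone there is no intermediate and it fails.
client_can_verify() {
    openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

main() {
    d=$(mktemp -d)
    make_test_pki "$d"
    build_chain "$d/server.key" "$d/server.crt" "$d/ca_intermediate.crt" "$d/server_chain.crt"
    first_cert_is "$d/server.crt" "$d/server_chain.crt" && echo "server_chain.crt: leaf is first"
    client_can_verify "$d/root.crt" "$d/server.crt" || echo "bare server.crt: client cannot build the chain"
    client_can_verify "$d/root.crt" "$d/server_chain.crt" && echo "server_chain.crt: client verifies"
    echo "then: admintools -t set_ssl_params -k $d/server.key -c $d/server_chain.crt"
}

if [ "${1:-}" = "--demo" ]; then main; fi
```

Run it with `--demo`. The chain file goes in as the `-c` argument on its own; the `-a` option is what switched the server into mutual mode in the question, so it is not passed here.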