
AstaroOS: Support intermediate CAs

in WebAdmin, User Portal and Web Application Security.
The intermediate CAs will not be sent by the UTM to the client, so the CA path is broken and some browsers will not accept the certificate.

201 votes
    Christian Schwarz shared this idea

    Admin response:

    Hi everyone waiting on this request. My apologies for its long-standing "under review" state. I can't comment on if and when this behavior changed, but the current behavior of the WAF is that you must include all intermediate certs in the .p12 package supplied to the firewall. If they are provided when you build the .p12 file, then they will be used when that cert is used to secure a virtual server.

    18 comments

      • SMK commented

        Indeed, it works for WAF (in fact an issue with WAF is that the trust anchor, the most senior root certificate, is included as well, pointless as that needs to be independently supplied). The remaining issue is with the built-in web portal (and by extension I suppose the admin portal). The intermediates are not being offered by the UTM on those services. I'm in the process of scanning our systems at the moment and I still see WAF passing but also supplying the trust anchor, and the user portal leaving the client to download the intermediate CAs for itself. Both my WAF and user portal use the same certificate, so I definitely did supply the intermediate CA in the chain that I uploaded to the UTM.

      • Helmich IT Security GmbH commented

        Hi Alan,

        please review this for WebAdmin and User Portal. We installed a certificate for webadmin/userportal two weeks ago and had to manually adjust the http.conf to integrate the intermediates.
        You're right, it's already possible, but it would be nice if it could be configured via webadmin without working through the CLI.

      • BuddyBuddy commented

        We always get this question in combination with WebAdmin and User Portal, where it seems not to work.

      • Joshua Kerekes commented

        I see this as an issue, as we have customers that have strict SSL policies that require a fully trusted certificate chain. Because of the UTM's lack of support for this, staff are unable to access their user portals unless an exception is put into each browser.

        This is not acceptable to the customer.

      • SMK commented

        This is still not supported for at least the user portal, and is causing a downgrade of my site's score in security evaluations (try the Qualys SSL Labs online test). Offering intermediate certificates is a basic function of secure websites these days. It is incredible that this request has been open for nearly three years. Note that the WAF does now offer intermediate certificates correctly.

      • timelord commented

        I can't believe this has not been fixed yet! All you need to do is add the following to the httpd-webadmin.conf file (for WebAdmin):

        SSLCertificateChainFile /etc/httpd/WebAdminChain.pem

        where WebAdminChain.pem would be a file containing the intermediate CA(s).

      • Anonymous commented

        The SPX Reply Portal is affected too....

        Here is my tweak for the SPX Portal, but it doesn't work with the User Portal

      • Anonymous commented

        It's a joke! This thing needs to be done! Request from 18.01.2012, I don't believe that!

      • Anonymous commented

        Just chiming in to say this really needs to be done. More apparent on Android devices, which will show certificate errors if the intermediate cert isn't provided to the client.

      • Gunther commented

        We all need this to be fixed. Ten years ago, going self-signed was good enough. Since most certificates now seem to be issued from an intermediate CA, this needs to be implemented.

      • Rolf Müller commented

        Or the other way round: if the UTM holds an intermediate CA signed by an official one, then on SSL VPN, for example, only the intermediate CA cert is used for server and client, resulting in a broken cert chain and no connection.

      • BuddyBuddy commented

        Please add support for all kinds of VPN connections (Site-to-Site and Remote Access).

      • Karim Litefti commented

        Even worse, the SSL ZIP package (available through the user portal) cannot be built for a user who has an external certificate which contains an intermediate CA.
