Cryptzone Support

Configure SSL interface with a certificate bundle

Article Number 000001062

This article describes how to install and configure the AppGate SSL interface to use a certificate bundle. It requires that the SSL interface is licensed and configured to listen on at least one interface.

Certificate bundle - PEM file

  • A bundle is a single PEM file containing a chain of certificates, concatenated one after the other.
  • It usually holds the server certificate first, followed by one or more intermediate CA certificates, each one the issuer of the certificate before it.
  • It holds certificates only; the server's private key is not part of the bundle.

The root certificate should not be added to the bundle. There are several reasons for this:

  • it makes the SSL handshake larger and slower, since the server sends an extra certificate the client never uses
  • it is unnecessary, since browsers and other clients already have the root in their trust store

The one reason you might want to include it is clients that do not have a trust store containing these root CAs. Typically these are very old clients which should not be used.

If the client does not have the root in its trust store, it will not trust the web site, and there is usually no way around that other than adding an exception (as today's browsers allow). Having the server send the root certificate does not help: trust in a root has to come from the client's own trust store, not from the peer that is being authenticated, so a root delivered in the handshake is simply ignored.

Configure the AppGate for a bundled certificate

Open a terminal on the AppGate server and become root.

The change adds a user-defined Apache directive to the SSL interface configuration. Create the user-defined configuration file

/opt/APPGssl/conf/userssl.conf

and add the directive SSLCACertificateFile with its value pointing to the uploaded PEM file. Keep the bundle limited to the intermediates of your own server certificate: in mod_ssl this directive also defines the CAs accepted as issuers of client certificates if SSLVerifyClient is enabled.

SSLCACertificateFile /opt/APPGssl/conf/mycafile.pem

After the file is saved, restart the SSL interface:

/etc/init.d/ag_ssld restart

Test the interface and certificate

The easiest way to test is the online SSL test tool from DigiCert, which verifies that the served chain is complete and in the right order. Go to https://www.digicert.com/help/

You can also verify it with the openssl tools from the command line:

openssl s_client -showcerts -connect your.host:443

Or, in the case where the root is not in your local trust store and you need to supply it manually (the file given to -CAfile must be PEM encoded):

openssl s_client -connect your.host:443 -CAfile AddTrustRoot.cer

The expected result is a chain printed by -showcerts that contains only the server certificate and its intermediates (no self-signed root), and a final line

Verify return code: 0 (ok)

Note that the per-certificate lines printed during the handshake read verify return:1 when each certificate is accepted; the overall outcome is the Verify return code line at the end. Any other code there (for example unable to get local issuer certificate) means the chain served by the interface is incomplete or out of order.
