This article describes how to install and configure the AppGate SSL interface to use a certificate bundle. This requires that the SSL interface is licensed and configured to listen on at least one interface.
Certificate bundle - PEM file
- A bundle contains a chain of certificates
- Usually the server certificate and one or more intermediate certificates
The root certificate should not be added to the bundle. There are several reasons for it:
- it introduces latency in the SSL handshake
- it's unnecessary since the browsers/clients have it already in their trust store
One reason you may want to include it is that you have clients which do not have a trust store containing these root CAs. Typically these are very old clients which should not be used.
If the client does not have the root in its trust store, it will not trust the web site, and there is usually no way around that other than adding an exception (as today's browsers allow). Having the server provide the root certificate will not help, since the root certificate has to come from a trusted third party.
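As an added example that is not part of this article: a POSIX shell script, using only the openssl CLI, that checks a PEM bundle before you upload it. It confirms that the certificates are in order (server first, each one issued by the next) and that no self-signed root was included. The make_test_chain function and the "Demo" names are constructed test data, not a real CA.

```shell
#!/bin/sh
# Added example (not from the article): sanity-check a PEM certificate bundle
# before installing it on the SSL interface. Needs only the openssl CLI.
set -eu
# check_bundle FILE: exit 0 if the chain is consistently ordered (server first,
# each cert issued by the next) with no root; 1 if order is broken; 2 if a root is included.
check_bundle() {
  bundle=$1
  parts=$(mktemp -d)
  awk -v d="$parts" '/-----BEGIN CERTIFICATE-----/{n++}
       n{print > (sprintf("%s/cert%02d.pem", d, n))}' "$bundle"
  prev_issuer=""; count=0; rc=0
  for f in "$parts"/cert*.pem; do
    count=$((count + 1))
    subj=$(openssl x509 -in "$f" -noout -subject); subj=${subj#subject=}
    iss=$(openssl x509 -in "$f" -noout -issuer);   iss=${iss#issuer=}
    if [ "$subj" = "$iss" ]; then
      echo "cert $count is self-signed ($subj): leave the root out of the bundle"; rc=2; break
    fi
    if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subj" ]; then
      echo "cert $count ($subj) did not issue cert $((count - 1)): order is broken"; rc=1; break
    fi
    prev_issuer=$iss
  done
  rm -rf "$parts"
  [ "$rc" -eq 0 ] && echo "OK: $count certificate(s), chain consistent, no root included"
  return "$rc"
}
# make_test_chain DIR: constructed throw-away root -> intermediate -> server chain (demo data only).
make_test_chain() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -out "$d/int.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
    -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/srv.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -out "$d/srv.pem" 2>/dev/null
}
# Demo: build the chain and check a correct bundle (server + intermediate, no root).
WORK=$(mktemp -d)
make_test_chain "$WORK"
cat "$WORK/srv.pem" "$WORK/int.pem" > "$WORK/bundle.pem"
check_bundle "$WORK/bundle.pem"
```

Run it against your real bundle with check_bundle /path/to/bundle.pem; a return code of 2 means the root slipped in, 1 means the certificates are in the wrong order.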
Configure the AppGate for the bundled certificate
Open a terminal on the AppGate server and become root.
The following change adds an Apache directive as a user-defined setting. Create the user-defined configuration file
and add the directive SSLCACertificateFile with its value pointing to the uploaded PEM file:
After the file is saved, restart the SSL interface.
Test the interface/cert
The easiest way to test is the online SSL test tool from DigiCert, which verifies whether the chain is working. Go to https://www.digicert.com/help/
You can also verify it with the openssl tools from the command line:
openssl s_client -showcerts -connect your.host:443
Or, in case you do need to add the root cert manually:
openssl s_client -connect your.host:443 -CAfile AddTrustRoot.cer
Expected result is