ClearOS Bug Tracker

View Issue Details Jump to Notes ] Issue History ] Print ]
IDProjectCategoryView StatusDate SubmittedLast Update
0017051ClearOSapp-certificate-manager - Certificate Managerpublic2017-09-13 13:542017-10-16 15:35
Assigned Topbaldwin 
PrioritynormalSeveritytweakReproducibilityhave not tried
PlatformOSOS Version
Product Version7.4.0 Beta 1 
Target VersionFixed in Version 
Summary0017051: Certificate manager should detected embedded intermediate chains
DescriptionIt's fairly common to see intermediate certificates concatenated into the certificate, e.g.:

... server certificate ...
... intermediate certificate ...

The consumer of the SSL certificates (e.g. Apache) might need this information in order to configure certificates.

TagsNo tags attached.
Attached Files

- Relationships

-  Notes
NickH (developer)
2017-09-24 01:54

Perhaps with the obsoleting of SSLCertificateChainFile in Apache 2.4.8 ( [^]) this bug may need to be changed such that when an intermediate certificate is imported, it should be concatenated with the certificate file and then drop the SSLCertificateChainFile parameter from flex-443.conf.

I don't know how the other certificate using programs (postfix, zarafa and so on) work with a single "fullchain" file. I know cyrus-imap works as this is how it generates its own self-signed certificate.
pbaldwin (administrator)
2017-09-24 12:49

The consuming-side of the API call (e.g. Postfix) should be able to request whatever it needs:

- Key file
- Certificate file
- Intermediate
- Certificate + Intermediate

The flip side: if someone imports a "Certificate", and it's really a "Certificate + Intermediate", the Certificate Manager should detect this use case and handle it appropriately. That will keep everything nice and clean.
NickH (developer)
2017-10-16 12:15

My comment re cyrus-imap is a bit wrong but the principle is the same. cyrus-imap uses a combined certificate and key file.

Please can we add to the bug that the certificate/chain/key are tested for validity between themselves and the CA before being accepted by the webconfig. A user had something invalid here: [^] and it brought the webconfig down when he applied the certificate. I can open another bug if necessary but I don't know the details.
pbaldwin (administrator)
2017-10-16 15:35

There's a check for validity in the API: [^]

But that can be extended as noted in tracker 0016961

- Issue History
Date Modified Username Field Change
2017-09-13 13:54 pbaldwin New Issue
2017-09-24 01:54 NickH Note Added: 0006581
2017-09-24 12:41 pbaldwin Assigned To => pbaldwin
2017-09-24 12:41 pbaldwin Status new => acknowledged
2017-09-24 12:49 pbaldwin Note Added: 0006591
2017-10-16 12:15 NickH Note Added: 0006661
2017-10-16 15:35 pbaldwin Note Added: 0006671