Is the rootCA valid certificate?
Issue Description: Sometimes, while renewing Automation Suite certificates, the following error may be thrown:
Either partial ca chain has been provided or leaf server certificate is not signed by provided ca >>> [FAILED] Provided Certificate is invalid
This means the rootCA file has a problem. Before proceeding, note some useful openssl commands for debugging most certificate issues and for better understanding the certificate information.
Check if a certificate is valid: This command checks that the certificate is still valid and has not expired.
- openssl x509 -noout -checkend 0 -in certificate.pem
Replace certificate.pem with the path to the certificate you want to check.
Verify the chain of trust: This command verifies the chain of trust for the given certificate.
- openssl verify -verbose -CAfile ca.pem certificate.pem
Replace ca.pem with the path to the root CA certificate.
Check the details of a certificate: This command shows the details of the given certificate, such as the issuer, subject, and expiration date.
- openssl x509 -in certificate.pem -text -noout
Replace certificate.pem with the path to the certificate you want to check.
Check if a private key matches a certificate: These two commands check whether the given private key matches the certificate by comparing the MD5 hash of the modulus of each; the two hashes must be identical.
- openssl x509 -noout -modulus -in certificate.pem | openssl md5
- openssl rsa -noout -modulus -in private.key | openssl md5
Replace certificate.pem with the path to the certificate and private.key with the path to the private key.
Resolution: When this error happens there is an easy way to fix it, but first, what is rootCA? Basically, rootCA is the combination of two certificates in one file:
- Certificate.cer
- Intermediate.cer
The intermediate certificate for an SSL/TLS certificate can usually be obtained from the website of the Certificate Authority (CA) that issued it.
When a CA issues an SSL/TLS certificate, it may also provide an intermediate certificate that should be installed on the server along with the SSL/TLS certificate.
Step 1: Copy the certificate content into a notepad.
Step 2: Copy the intermediate content below the certificate in the same notepad.
Step 3: This is an example of the result:
Save this file, import it to the Linux box, and use it as the rootCA in the tls-update command. With this you will be able to run the script with no issues.
Note: Sometimes the order is reversed, which means:
- Intermediate.cer
- Certificate.cer