Troubleshooting certificate issues
Even after importing the correct certificate, you might notice that the server still reports connectivity issues, which could be related to the certificate. In addition to the certificate being available for validation, it is important to remember some key points about certificate validation:
- The OpenSSL library used must validate a full certificate chain. This means that you cannot just install the end certificate, such as the one on the web server. If it was signed by a parent certificate, then the parent certificate is the one that must be installed. Though, if it's a true self-signed certificate, where it is signed by itself, and has no other parent, then install that certificate.
- Any required intermediate certificates must be present. Many CAs have a root certificate, and then one or more levels of intermediate, issuer, certificates, and then the actual server certificate. It's customary that the server be configured to serve both its own certificate as well as the intermediates, and that the client has the root to complete the chain. However, if the server is not configured to serve the intermediates, then the intermediates must also be installed in the certificate store.
- Certificates must be within their date range. That is, it must be after the valid from date and before the expiration date in the certificate.
- Certificates must use a valid Common Name (CN) or Subject Alternate Name (SAN) field and must be configured to use the resource by that name. Wildcard certificates will also work as expected. For example, you might have a server known as server.example.com at IP address 10.1.1.1. In order for the SSL/TLS connection to it to succeed, must be configured to use the full name, server.example.com. Using a short name of "server" or using the IP address 10.1.1.1 does not work.
Add or remove certificates from the certificate store
Update or renew SSL certificates for Nginx, RabbitMQ, or Consul
This documentation applies to the following versions of Splunk® SOAR (On-premises): 5.1.0, 5.2.1, 5.3.1, 5.3.2
Feedback submitted, thanks!