Intermediate SSL Certificates are not the future; they are the present. (Kerio Operator doesn't support certificate chains, which obsoleted non-chained certificates back in 2008.)
  •  
blswjames

Most Root Certificate Authorities stopped issuing certs that do not use intermediate chains back in 2008.

This means that you can't realistically use a Root CA signed certificate with either Operator or Control and have it function correctly. (Even the most expensive certificates nowadays are using intermediate certificates.)

It has nothing to do with how much money you pay for a certificate.

The fact is that using intermediate certificates is simply more secure. This article explains it much better than I could:

http://www.sslshopper.com/article-extinction-of-unchained-ssl-certificates.html

I know that (technically) Kerio Connect can use them, but it requires the administrator to use Unix commands to do so, which seems to go against the spirit of these products in the first place. (Fine for me, but not necessarily my customers.)

BTW, my goal here is not to bash the products in any way. Quite the contrary. Kerio has shown exceptional genius with so many aspects of their application designs. It just seems odd that something like this has gone so long unaddressed.

So, my question is when will Kerio add support for certificate chains, as well as implement them into the web interfaces for Connect, Operator, and Control?

(Thanks)

[Updated on: Wed, 27 March 2013 23:38]

  •  
Filip Jenicek (Kerio)

The certificate file you import to Kerio Operator can contain the whole chain. Just append the intermediate certificate to your certificate and import it.

Best
Filip
  •  
blswjames

Interesting. Thanks for the tip, Filip! I'll try it and see if it fixes the certificate verification errors.

Now, just to clarify, when you say append, do you mean to place the text from both certificates into a single file, like so? Do I just plug the intermediate in after the server cert? Do I include the beginning and end certificate headers?

-----BEGIN CERTIFICATE-----
MIIGvDCCBaSgAwIBAgIQDlg7OVgEU0k9csSAHhA9qDANBgkqhkiG
gctD5YGQaiDq76Ab6Kf4wFd806HqCVbVM4K4f0VhVLjhLVIXLj2f
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIGWDCCBUCgAwIBAgIQCl8RTQNbF5EX0u/UA4w/OzANBgkqhki9
Ib4p1I5eFdZCSucyb6Sxa1GDWL4/bcf72gMhy2oWGU4K8K2Eyl2U
-----END CERTIFICATE-----


How can we get this added to the documentation or at least the knowledge base? Is there an official "documentation request" feature somewhere similar to bug reports? Or do I file a bug report for missing documentation? I think this is a really important topic, and a glaring hole in the product until addressed.

So far, these sources have been void of anything helpful on this topic:


  •  
ystolerman

Hi James,

You can use the comments feature at the bottom of each knowledge base article to suggest topics/content enhancements. I'll follow up on adding content to the KB based on this discussion string.

Best regards,
Yulia.
  •  
Filip Jenicek (Kerio)

Hi James,

you joined them exactly right. The certificate should be imported by Operator without any errors. Set it as default and reopen your browser. If you then take a look at the details of the https certificate in a web browser, you should see the whole chain (e.g. root ca -> intermediate -> your certificate).

Thank you for pointing this out.

Best
Filip