The question is at the end.... I'm not a certificate guru so it's possible I'm doing something completely wrong
Environment:
Orion Platform 2017.1.3 SP3, UDT 3.2.4 <- My question applies to other modules though, just adding in case there's some oddity with UDT
OS: Windows 2012 R2
Specific issue I'm having:
When using the "SolarWinds Configuration Wizard" to enable HTTPS for the Web console UI, there is supposed to be a drop down of "valid certificates" to pick from. I have imported a certificate to use, per the documentation, but there is nothing in the drop down list except "Generate Self Signed Certificate". The Wizard is acting like my certificate is invalid.
Details:
1. Apparently, the new Config Wizard scans for "valid certs" to use.
Supporting docs: (NPM 12.1 Release Notes - SolarWinds Worldwide, LLC. Help and Support) there was an update for SSL support that "The Configuration Wizard scans the Orion server for valid SSL certificates that you can choose for the binding,"
2. The new Config Wizard changes will not let you pick/see "invalid certificates". It appears the Wizard thinks my certificate is invalid so it's not allowing me to pick it
Supporting docs: (Configure the Orion Web Console to use SSL) and (Configure the Orion Web Console to use SSL - SolarWinds Worldwide, LLC. Help and Support) there is a very clear example of how to set up HTTPS, with an indicator of the conditions the certificate must meet in order to be "valid", and "invalid". For invalid certificate it says: "Some certificates are not valid. Client certificates or certificates that have expired or use an untrusted certificate authority are invalid and do not display on the list."
3. My certificate appears valid (to me).
- It was imported into the "Local Machine" -> Personal certificate store. <- It should be the correct location the wizard scans in...
- It was just issued (an internal CA is issuing it) and is not expired. <- It's not expired, but may not be trusted...
- The "Root" certification authority in the certificate is in the "trusted root certification authorities" in the MMC certificates snap-in (I validated the thumbprints) <- The certificate should be using a trusted certification authority, or I am confused about what is considered trusted
But....
- There *is* an intermediary "issuing CA" in my certificate ("Issued By" field) in between the Root CA and my certificate. This *is not* in the "trusted root certification authorities" of the server
Question:
- Do I need to add the intermediary "Issuing CA" certificate to the "trusted root certification authorities" so the entire chain of certificates in the certificate are all "trusted"? It seems like I should not because the root certification authority in the cert is trusted
or
- Is there a possibility the certificate I was given needed to have certain "options selected" when it was issued (not sure what the options are) or needs to be issued in some special way/format?
or
- Is there something blindingly obvious I'm missing?
Message was edited by: tigger 2 - correct odd formatting
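
One way to test every certificate in the Local Machine Personal store against the three conditions in the documentation quoted above (client certificate, expired, untrusted certificate authority), as an added PowerShell example that is not part of the original post and is not SolarWinds code. The private-key column is an extra check not taken from the quoted documentation, and how the Configuration Wizard itself evaluates certificates is not stated on the page.

```powershell
# Added diagnostic example (not SolarWinds code). Run in an elevated PowerShell
# session on the Orion server; it only reads the certificate store.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$now = Get-Date

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Condition 1: not a client-only certificate.
    # A certificate with no EKU extension is valid for all purposes.
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $serverAuth = (-not $ekuExt) -or ($ekuOids -contains $serverAuthOid)

    # Condition 2: inside its validity window.
    $inWindow = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)

    # Condition 3: the chain builds to a trusted root using the machine's
    # stores ($true = machine context). Revocation checking stays at its
    # default, so an unreachable CRL also shows up in ChainStatus.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
    $chainOk = $chain.Build($cert)
    $status = (@($chain.ChainStatus) | ForEach-Object { $_.Status }) -join ', '
    $path = (@($chain.ChainElements) | ForEach-Object {
        $_.Certificate.GetNameInfo('SimpleName', $false)
    }) -join ' <- '

    [pscustomobject]@{
        Subject          = $cert.Subject
        Thumbprint       = $cert.Thumbprint
        HasPrivateKey    = $cert.HasPrivateKey    # extra check, not from the quoted docs
        ServerAuthEku    = $serverAuth
        InValidityWindow = $inWindow
        ChainBuilds      = $chainOk
        ChainStatus      = $status                # e.g. PartialChain, UntrustedRoot
        ChainPath        = $path                  # leaf <- issuing CA <- root
    }
} | Format-List
```

A `ChainStatus` of `PartialChain` means Windows could not locate an issuer certificate between the leaf and a root, while `UntrustedRoot` means the chain was built but ends at a root that is not in the Trusted Root Certification Authorities store.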