CA certificate which issued the previous certificate

Hello All,

At the end of the web server certificate update, 4) "The DER or PEM encoded X.509 CA certificate which issued the previous certificate. If a certificate chain bundle is provided, the first entry must be the issuer of the previous certificate and each certificate which follows must be the issuer of the certificate which precedes it." is requested.

What is this "previous certificate"? Is it stored somewhere in Ignition? How can I get it?

Thank you
Tibor

It comes from whatever authority signs your webserver certificate. Public certificate authorities don't sign server certificates directly with their publicly known root certificate. Instead, they sign end-user certificates with an intermediate certificate, and that intermediate cert is what is signed by the public root. That lets them keep their most important root certificate's key in a vault somewhere, instead of connected to a computer on the internet.

When a web server presents its certificate to a browser, it supplies its whole chain of certificates for the browser to validate. So when you configure Ignition with SSL, you must have this chain available for Ignition to give to browsers. You get the intermediate (could be more than one) and the root certificates from the organization that signed your server's cert.

If you pay for a public certificate, it should come in a package with all of the pieces of the chain. If you are using Let's Encrypt or some other automated tool, you'll have to assemble the chain from the resources they publish on their website.

If your own organization is using a private CA, you will need to get the pieces from them.