FireMon

The Supplied Server Certificate Is Not Trusted

Classification

FMOS

Category

X.509 certificate usage or issue

Severity

Warning

Summary

The supplied certificate is not trusted by this machine. This suggests that clients and subordinate servers will not trust it either, preventing them from communicating with this machine.

Description

This warning is issued by fmos pki import-server-cert when the trust chain for the supplied server certificate cannot be built up to a trusted root certificate authority. In other words, the certificate was signed by a CA that FMOS does not trust.

Impact

Although it is not necessary for the server to trust its own certificate in order for it to serve web applications and content, some FMOS ecosystem features may not operate as expected. Specifically, when a new machine is added to the ecosystem using this machine as its superior, it will not be able to update its CA trust store. Ensuring the server certificate is trusted on the server itself will reduce the number of steps required to add subordinate servers.

Cause

There are two possible causes for this warning:

  1. The root CA certificate is not installed in the FMOS CA trust store

  2. An intermediate CA has signed either the server certificate or another intermediate CA certificate in the chain, but its certificate is missing from the chain file

Resolution 1

If the supplied server certificate or any of the intermediate CA certificates in the trust chain were issued by a root CA certificate that FMOS does not trust by default, such as an internal CA, the root CA certificate needs to be added to the FMOS CA trust store. The fmos pki import-ca command is used to add CA certificates to the FMOS CA trust store.

fmos pki import-ca corp-ca.crt

To add a CA certificate to the trust store, first save the certificate to a file in either PEM (base-64), DER (binary) or PKCS#12 format. Copy the file to the FMOS machine (e.g. using SFTP). Finally, pass the path to the file as a command-line argument to the fmos pki import-ca command. The name of the file does not matter.

Resolution 2

If the supplied server certificate was issued by an intermediate CA, the intermediate CA certificate needs to be included in the CA chain file. If there are multiple intermediate CAs in the trust chain, i.e. the first intermediate CA was itself signed by another intermediate CA, then all of the intermediate CA certificates need to be included in the CA chain file.

To construct a CA chain file, save the certificates for all of the intermediate CAs in the trust chain to a single file. If there is only one CA certificate in the chain, the file can be in PEM (base-64), DER (binary), or PKCS#12 format. If multiple CA certificates are required, only the PEM and PKCS#12 formats are supported. The certificates should be placed in the file in order from leaf to root. Alternatively, the intermediate CA certificates can be appended to the server certificate file, if the file is in PEM or PKCS#12 format.

Once the CA chain file is available in a supported format, copy it to the FMOS machine (e.g. using SFTP) and pass the path to the file to the fmos pki import-server-cert command as the value of the --chain argument.

fmos pki import-server-cert server.cer server.key --chain chain.crt

If the intermediate CA was signed by a root CA certificate that is not trusted by FMOS, the root CA certificate will also need to be added to the FMOS CA trust store. See Resolution 1 above for details.
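Both resolutions above come down to the same question: does the server certificate, together with the intermediates in the chain file, build up to a root that the trust store holds? The script below is an added example for checking that on a workstation before the files are copied to the FMOS machine; it is not FireMon or FMOS code and does not model the fmos pki commands themselves. It assumes a POSIX shell and OpenSSL 1.1.1 or later, builds a throwaway PKI whose names (corp-root, corp-policy-ca, corp-issuing-ca, fmos.example.test, some-other-root) are all constructed for the demo, and uses openssl verify with -CAfile standing in for the CA trust store and -untrusted standing in for the --chain file. It reproduces both causes from the article: a root missing from the trust store, and an intermediate missing from the chain file.

```shell
#!/bin/sh
# Added example, not FireMon/FMOS code. Builds a throwaway PKI with openssl
# (root CA -> two intermediate CAs -> server certificate; every name below is
# constructed for this demo) and checks whether the server certificate chains
# up to a trusted root using only the intermediates supplied in a chain file.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal openssl config: CA certificates get CA:TRUE, the leaf does not.
cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:fmos.example.test
EOF

# selfsign NAME SUBJECT: self-signed root CA written to NAME.key / NAME.crt
selfsign() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -config pki.cnf \
    -extensions v3_ca -subj "$2" -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

# issue NAME SUBJECT SECTION ISSUER: certificate for NAME signed by ISSUER's key
issue() {
  openssl req -new -newkey rsa:2048 -nodes -config pki.cnf -subj "$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$4.crt" -CAkey "$4.key" -CAcreateserial \
    -days 30 -sha256 -extfile pki.cnf -extensions "$3" -out "$1.crt" 2>/dev/null
}

# Constructed hierarchy: corp-root -> corp-policy-ca -> corp-issuing-ca -> server
selfsign root       "/CN=corp-root (constructed)"
issue    int1       "/CN=corp-policy-ca (constructed)"  v3_ca   root
issue    int2       "/CN=corp-issuing-ca (constructed)" v3_ca   int1
issue    server     "/CN=fmos.example.test"              v3_leaf int2
# An unrelated root, standing in for a trust store that does not hold corp-root.
selfsign other-root "/CN=some-other-root (constructed)"

# Chain file as the article describes it: intermediates only, leaf side first,
# root side last. The root itself belongs in the CA trust store, not in here.
cat int2.crt int1.crt > chain.crt

# check_chain ROOTS CHAIN LEAF -> prints "trusted" or "untrusted".
# ROOTS plays the part of the CA trust store, CHAIN the --chain file
# (pass "" to simulate importing the server certificate with no chain file).
check_chain() {
  roots=$1 chain=$2 leaf=$3
  if [ -n "$chain" ]; then
    openssl verify -CAfile "$roots" -untrusted "$chain" "$leaf" >/dev/null 2>&1 \
      && echo trusted || echo untrusted
  else
    openssl verify -CAfile "$roots" "$leaf" >/dev/null 2>&1 \
      && echo trusted || echo untrusted
  fi
}

# list_chain FILE: subject and issuer of every certificate in file order, so the
# leaf-to-root ordering can be confirmed before the chain file is imported.
list_chain() {
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

echo "chain file contents (leaf side first):"
list_chain chain.crt
echo "full chain, root trusted:           $(check_chain root.crt chain.crt server.crt)"
echo "root not in trust store (cause 1):  $(check_chain other-root.crt chain.crt server.crt)"
echo "no chain file (cause 2):            $(check_chain root.crt "" server.crt)"
echo "only one of two intermediates:      $(check_chain root.crt int1.crt server.crt)"
```

Only the first check reports trusted. The second fails because corp-root is absent from the simulated trust store (Resolution 1 applies); the third and fourth fail because corp-issuing-ca, which signed the server certificate, is absent from the chain handed to the verifier (Resolution 2 applies). Note that openssl verify accepts the -untrusted certificates in any order, so list_chain is what shows whether the file is in the leaf-to-root order the article asks for.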