Intermediate certificates
Introduction
The OpenFSC demo environment used in the Try FSC guides uses a self-signed CA without intermediate certificates. Most production environments, however, issue certificates from an intermediate CA, which requires some additional configuration.
What are intermediate certificates?
An intermediate certificate is a CA certificate that sits between the root certificate and a leaf certificate in the certificate chain: the root CA signs the intermediate, and the intermediate signs the leaf. The leaf certificate is the certificate for the Manager, Outway or Inway.
Why this matters for OpenFSC
Intermediate certificates must be included in the certificate file provided to OpenFSC components. The peer that validates a certificate trusts the root CA, not the intermediate, so it can only accept a leaf certificate if it can build the complete chain from that leaf back to the root. Without the intermediates OpenFSC cannot verify the full chain of trust, and verification will fail.
Your Certificate Authority will provide the intermediate certificate(s) when they issue your Manager, Inway, or Outway certificate.
Certificate file format
OpenFSC components receive certificates as a single PEM file containing the certificate chain. The certificates must appear in the following order:
- Leaf certificate (your Manager, Inway, or Outway certificate)
- Intermediate certificate(s), each one directly after the certificate it issued, so that the chain reads from the leaf towards the root CA
For example (the base64 bodies are elided):
-----BEGIN CERTIFICATE-----
... (leaf certificate: Manager, Inway or Outway)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (intermediate certificate that issued the leaf)
-----END CERTIFICATE-----
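Before putting a bundle into the Helm values it is worth checking offline that the file really is in the order described above and that it chains to the root CA. The script below is an added example and is not part of the OpenFSC project: it creates a throwaway root CA, intermediate CA and Manager leaf certificate with openssl (all names, file names and the check_chain helper are constructed for this example), then runs the check against a correct bundle, a bundle with the intermediate placed first, and a bundle with the intermediate missing. It assumes openssl 1.1.1 or 3.x is on PATH.

```shell
#!/bin/sh
# Added example, not OpenFSC code. Builds a demo chain and checks that a PEM
# bundle is ordered leaf -> intermediate(s) and validates against the root CA.
# All names and files below are constructed for this example.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Subject/issuer in RFC 2253 form, so the strings compare exactly.
subject_of() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'; }
issuer_of()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer=//'; }
# "CA:TRUE" only appears in the Basic Constraints part of the text dump.
is_ca()      { openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; }

# check_chain BUNDLE ROOT: 0 if BUNDLE is leaf + intermediates in the right
# order and chains to ROOT, 1 otherwise (reason on stderr).
check_chain() {
  dir=$(mktemp -d)
  check_chain_in "$1" "$2" "$dir"; rc=$?
  rm -rf "$dir"
  return $rc
}

check_chain_in() {
  bundle=$1; root=$2; dir=$3
  # Split the bundle into cert1.pem, cert2.pem, ... in file order.
  awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++} {print > (d "/cert" n ".pem")}' "$bundle"
  n=$(grep -c 'BEGIN CERTIFICATE' "$bundle" || true)
  [ "$n" -ge 1 ] || { echo "no certificates in $bundle" >&2; return 1; }

  # The first certificate must be the leaf, not a CA certificate.
  if is_ca "$dir/cert1.pem"; then
    echo "first certificate is a CA certificate; the leaf must come first" >&2
    return 1
  fi
  # Every certificate must be followed by the certificate that issued it.
  i=1
  while [ "$i" -lt "$n" ]; do
    j=$((i + 1))
    if [ "$(issuer_of "$dir/cert$i.pem")" != "$(subject_of "$dir/cert$j.pem")" ]; then
      echo "certificate $j did not issue certificate $i (wrong order or wrong intermediate)" >&2
      return 1
    fi
    i=$j
  done
  # The last certificate must have been issued by the root we trust.
  if [ "$(issuer_of "$dir/cert$n.pem")" != "$(subject_of "$root")" ]; then
    echo "chain does not end at the root CA; an intermediate is missing" >&2
    return 1
  fi
  # Let openssl build and validate the chain (signatures, validity, CA flags).
  if [ "$n" -gt 1 ]; then
    : > "$dir/intermediates.pem"
    i=2
    while [ "$i" -le "$n" ]; do cat "$dir/cert$i.pem" >> "$dir/intermediates.pem"; i=$((i + 1)); done
    openssl verify -CAfile "$root" -untrusted "$dir/intermediates.pem" "$dir/cert1.pem" >/dev/null
  else
    openssl verify -CAfile "$root" "$dir/cert1.pem" >/dev/null
  fi
}

# --- Demo hierarchy (constructed): root CA -> intermediate CA -> Manager leaf ---
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth,clientAuth\n' > "$WORK/leaf.ext"

# issue NAME SUBJECT EXTFILE [ISSUER]: self-signed when ISSUER is omitted.
issue() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/$1.key"
  openssl req -new -key "$WORK/$1.key" -subj "$2" -out "$WORK/$1.csr" 2>/dev/null
  if [ $# -ge 4 ]; then
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$4.pem" -CAkey "$WORK/$4.key" -CAcreateserial \
      -days 365 -extfile "$WORK/$3" -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
      -days 365 -extfile "$WORK/$3" -out "$WORK/$1.pem" 2>/dev/null
  fi
}
issue root "/CN=Demo Root CA" ca.ext
issue int  "/CN=Demo Intermediate CA" ca.ext root
issue leaf "/CN=manager.example.org" leaf.ext int

cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/good-bundle.pem"   # leaf, then intermediate: correct
cat "$WORK/int.pem" "$WORK/leaf.pem" > "$WORK/bad-order.pem"     # intermediate first: wrong
cp  "$WORK/leaf.pem" "$WORK/no-intermediate.pem"                  # intermediate missing

for b in good-bundle bad-order no-intermediate; do
  if check_chain "$WORK/$b.pem" "$WORK/root.pem"; then echo "$b: OK"; else echo "$b: REJECTED"; fi
done
```

The same check_chain call works on a real bundle together with the root certificate your CA gave you. The subject/issuer comparison catches ordering mistakes with a readable message; the final openssl verify additionally checks signatures, validity periods and the CA flags on the intermediates, which name matching alone cannot do.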
Configuration in the OpenFSC Helm charts
The certificate including the intermediates must be configured in the OpenFSC Helm charts for the Inway, Manager and Outway.
Below you will find the affected values per chart. Either certificatePEM or existingSecret holds the certificate including the intermediates; when both values are set, existingSecret takes precedence.
Inway
certificates:
  group:
    certificatePEM: ""
    existingSecret: ""
Manager
certificates:
  group:
    peer:
      certificatePEM: ""
      existingSecret: ""
    token:
      certificatePEM: ""
      existingSecret: ""
    signature:
      certificatePEM: ""
      existingSecret: ""
Outway
certificates:
  group:
    certificatePEM: ""
    existingSecret: ""