The CA certificate is optional, but you can configure it as the ConfD UG chapter “Storing TLS data in database” states. See also the confd.conf(5) man page under /confdConfig/webui/transport/ssl/caCertFile.
An example that does mutual authentication with readFromDb set to true in confd.conf. It seems like you are only interested in the first part, i.e. server authentication:
Note that the options keyFile, certFile, and caCertFile are ignored when readFromDb is set to true. See the example and the confd.conf(5) man page for more details.
I only want client authentication to happen. I have got root certificate which signed the intermediate certificate which in turn signed the server certificate.
I have installed the root certificate in the client side. In the server side, I have installed all the certificates. I want the server to send the intermediate and end certificate to the client so that the entire chain gets sorted.
I use the below parameter to configure the server certificate.
I have gone through the man page and found that the below parameter is used for client authentication. /confdConfig/webui/transport/ssl/caCertFile .
I want to configure the intermediate certificate for server authentication only.
Server authentication is always done first, i.e. the client authenticates the server certificate that ConfD provides. In the same TLS message, if ConfD is configured to authenticate the client, a CertificateRequest with the list of acceptable CA certificates is passed to the client by ConfD before the client sends its client certificate for client authentication.
As the confd.conf(5) man page states, the list of certificates in /confdConfig/webui/transport/ssl/caCertFile is included in the list of acceptable CA certificates passed to the client when a certificate is requested.
Did you “concatenate” the certificates similar to what is described here?:
Have you tested with /confdConfig/webui/transport/ssl/readFromDb set to true as the example I pointed to does and added the certificates to CDB under the /tls/certificate leaf, the /tls/private-key leaf, and the /tls/ca-certificates list?
As you can see in that example, the list of acceptable CA certificates is stored in a list with a name (string) identifying each certificate. In the example, there is only one CA certificate, called “rsa-1”, in that list, but you can add as many CA certificates as you wish.
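The following script is an added example and is not ConfD's code or part of the original thread. It shows, with the openssl CLI, what the "concatenate the certificates" advice above means on the wire: a client that trusts only the root cannot validate a leaf certificate on its own, but it can once the server presents the intermediate alongside the leaf. The CA names, the hostname confd.example.test and the file names are constructed for the example; it also assumes, as the thread's concatenation advice implies, that the file handed to the server (certFile) is a PEM bundle with the server certificate first, followed by the intermediate, and without the root.

```shell
#!/bin/sh
# Added example (not ConfD's code): build a constructed root -> intermediate ->
# server chain with the openssl CLI, assemble the PEM bundle a TLS server would
# load, and check what a client that trusts only the root can do with it.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Generate a key and CSR.  $1 = file stem, $2 = subject CN (constructed names).
csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Issue a certificate from a CSR.  $1 = file stem, $2 = issuer stem ("self" for
# the self-signed root), $3 = x509v3 extension text (\n separated).
issue() {
  printf '%b' "$3" > "$1.ext"
  if [ "$2" = self ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 30 -sha256 \
      -extfile "$1.ext" -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
      -days 30 -sha256 -extfile "$1.ext" -out "$1.pem" 2>/dev/null
  fi
}

# Three-tier PKI: root (what the client trusts) -> intermediate -> server leaf.
csr root "Example Root CA"
issue root self 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n'
csr inter "Example Intermediate CA"
issue inter root 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n'
csr server "confd.example.test"
issue server inter 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:confd.example.test\n'

# The bundle the server should present: leaf first, then the intermediate(s).
# The root is left out; the client already holds it as its trust anchor.
cat server.pem inter.pem > chain.pem

# Number of certificates in a PEM file.
cert_count() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# "subject -> issuer" for each certificate, in file order.  The first line must
# be the leaf and each further certificate must be the issuer of the previous.
chain_summary() {
  openssl crl2pkcs7 -nocrl -certfile "$1" |
    openssl pkcs7 -print_certs -noout |
    awk '/^subject=/ {s=$0} /^issuer=/ {print s " -> " $0}'
}

# Client-side check: can a client that trusts only $2 validate the first
# certificate in $1, using the other certificates in $1 as untrusted
# intermediates?  This mirrors what a browser or openssl s_client does.
client_can_verify() {
  openssl verify -CAfile "$2" -untrusted "$1" "$1" >/dev/null 2>&1
}

if client_can_verify server.pem root.pem; then
  echo "leaf alone: chain complete (not expected here)"
else
  echo "leaf alone: client cannot find the issuer (the symptom in this thread)"
fi
if client_can_verify chain.pem root.pem; then
  echo "leaf + intermediate: client builds the full chain to the root"
fi
chain_summary chain.pem
```

Against a running ConfD instance the same check is `openssl s_client -connect host:port -showcerts`, which prints every certificate the server sends: if only the leaf appears, the intermediate is not being served, whatever the client trusts.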
Sorry I got one part of the question wrong. I am interested only in the server authentication part. I just want the server to send the intermediate certificate which signed the server certificate to the client.
The ConfD version I am using is 6.5.5.
I have tried setting the readFromDb entity as true, but still the intermediate certificate isn’t sent.
When I checked the YANG file, there is no readFromDb entity.
I have got a couple of questions.
1) Can /confdConfig/webui/transport/ssl/caCertFile be used for sending the intermediate certificates which signed the server certificate, or can it only be used for mutual authentication?
2) Is the readFromDb entity supported in version 6.5.5?
3) For sending the server certificate, I am using the below configs.
<keyFile>(path of keyfile)</keyFile>
<certFile>(path of server certificate)</certFile>
<protocols>tlsv1 tlsv1.1 tlsv1.2</protocols>
After that, I use the maapi_set_elem2 function to configure certFile with the path of the certificate.
Could the same process be used to set the caCertFile with the path of intermediate certificate too? I have tried the same process, but it doesn’t work.
I tested successfully with ConfD 8.0.6, released June 2023. Not sure what works with ConfD 6.5.5 (March 2018).
Server-only or mutual authentication is controlled by the confdConfig/webui/transport/ssl/verify parameter in confd.conf.