Configuration server with TLS, certificate signed by an intermediate CA - Genesys CTI User Forum

Author Topic: Configuration server with TLS, certificate signed by an intermediate CA

Offline gawix

Hi,

TLS is enabled on our configuration server ("upgrade mode", but this isn't relevant). The server certificate is signed by an intermediate CA. Our admin insists that we must add the intermediate CA certificate and the root CA certificate to our trust store (our client application uses Java PSDK). We told him that he should rather put the CA certificates (root and intermediate) on the server side, but he says that he can only put one certificate and not a list (the whole chain). I cannot believe that; it doesn't make sense to ask all clients to add the intermediate CA to their trust stores. For a self-signed certificate it's obvious, but for a certificate ultimately signed by a root CA it just can't be the case.

Is there such a limitation with Genesys TLS support?

Offline cavagnaro

Re: Configuration server with TLS, certificate signed by an intermediate CA
« Reply #1 on: February 14, 2013, 05:37:24 PM »
I'd say it is a Java issue, not a Genesys one... You have an option, for example, on all domain PCs to add a trusted CA via domain policies, but in Java you don't have such an option, having to add each new trusted CA into its security file... one by one... So, as this new CA is unknown to Java, you must indicate that you trust it.

Offline gawix

Re: Configuration server with TLS, certificate signed by an intermediate CA
« Reply #2 on: February 14, 2013, 06:30:09 PM »
Any TLS server (web server, VPN, SSH, etc.) must provide 1) the server certificate and 2) the complete CA chain (all the CA certificates). All those certificates are sent by the server during the handshake. Surely it is possible for Genesys servers to specify the CA chain somehow. The "trusted CA" field in the "Network Security" section, maybe?
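As an added example that is not part of the original thread (and not Genesys or PSDK code), the situation the two posters are arguing about, reproduced with the openssl command line: a throwaway root CA, intermediate CA and server certificate are generated, then the server certificate is verified against a client trust store that holds only the root. It assumes a POSIX shell with mktemp and an OpenSSL 1.1.1-or-later CLI on PATH; the CA names and the host name confserv.example.test are invented for the demo.

```shell
#!/bin/sh
# Added example, not from the forum thread. Builds a three-tier demo PKI
# (root CA -> intermediate CA -> server certificate; all names are made up)
# and verifies the server certificate against a trust store holding ONLY the
# root CA, the way a client should be configured:
#   1. server certificate alone                     -> fails (the admin's symptom)
#   2. intermediate supplied "by the server"        -> OK   (what the thread expects)
#   3. intermediate copied into the client's store  -> OK   (the admin's workaround)
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# issue NAME SUBJECT EXTFILE [ISSUER]: generates a P-256 key and a CSR, then
# signs it with ISSUER, or self-signs it when no ISSUER is given.
issue() {
    name=$1; subject=$2; extfile=$3; issuer=${4:-}
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$name.key" -out "$name.csr" -subj "$subject" >/dev/null 2>&1
    if [ -z "$issuer" ]; then
        openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 1 \
            -out "$name.pem" -extfile "$extfile" >/dev/null 2>&1
    else
        openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
            -CAcreateserial -days 1 -out "$name.pem" -extfile "$extfile" >/dev/null 2>&1
    fi
}

# Extensions: CAs must carry CA:TRUE and keyCertSign or verification rejects the chain.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:confserv.example.test\n' > server.ext

issue root   '/CN=Demo Root CA'          ca.ext
issue inter  '/CN=Demo Intermediate CA'  ca.ext     root
issue server '/CN=confserv.example.test' server.ext inter

# The client's trust store: the root CA only, which is all it should need.
cp root.pem truststore.pem

# Case 1: the server sends only its own certificate.
verify_root_only() {
    openssl verify -CAfile "$WORK/truststore.pem" "$WORK/server.pem" 2>&1
}

# Case 2: the server sends its certificate plus the intermediate. -untrusted is
# how openssl verify models chain certificates received during the handshake.
verify_with_served_intermediate() {
    openssl verify -CAfile "$WORK/truststore.pem" -untrusted "$WORK/inter.pem" "$WORK/server.pem" 2>&1
}

# Case 3: the intermediate is instead pushed into every client's trust store.
verify_with_intermediate_in_truststore() {
    cat "$WORK/root.pem" "$WORK/inter.pem" > "$WORK/truststore-with-inter.pem"
    openssl verify -CAfile "$WORK/truststore-with-inter.pem" "$WORK/server.pem" 2>&1
}

for case in verify_root_only verify_with_served_intermediate verify_with_intermediate_in_truststore; do
    if out=$("$case"); then
        echo "$case: OK"
    else
        echo "$case: FAILED ($out)"
    fi
done
```

Case 1 is the admin's symptom: a client that trusts only the root cannot build a path to the server certificate unless the intermediate comes from somewhere. Case 2 is the behaviour the second post describes, the server sending the chain in the handshake, which needs no client change at all. Case 3 is the workaround the admin asked for; it works, but it has to be repeated in every client trust store (for a Java client, `keytool -importcert` into the PSDK trust store). To see which certificates a real configuration server actually sends, `openssl s_client -connect host:port -showcerts` prints every certificate in the handshake; if only one appears, the server, not the client, is what needs fixing.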