Some Certificate Authorities (CA) do not issue their signed certificates with the entire certificate chain, assuming that the client application using the certificate will have the CA implicitly trusted, as is common in desktop and server environments. Because the Gateway appliance trusts no entity implicitly, it may be necessary to import the entire certificate chain from the CA, to its intermediaries, down to the client certificate.
If this is not done, connections initiated with the certificate will be considered "untrusted" by the end user because the client application will not be able to verify the certificate chain--even if the certificate is issued by a known certificate authority.
1. Collect all applicable certificates in PEM format.
2. Concatenate them in a single text file in order from the top of the file down:
Note: Do not remove the BEGIN CERTIFICATE and END CERTIFICATE demarcations from the certificates.
3. Log into the Layer 7 Policy Manager as an administrative user.
4. Open the Manage Private Keys task
5. Select the applicable private key.
6. Select "Properties."
7. Select "Replace Certificate Chain"
8. Navigate to the concatenated certificates.
9. Restart the Gateway appliance.
10. Verify the new chain with the following OpenSSL query:
openssl s_client -showcerts -connect gateway.domain.com:9443