Need to trust intermediate in addition to root certificate #1696
I've set up a step ca following the getting started guide, with a root and intermediate CA, storing the keys in Google Cloud KMS, and it mostly seems to be working. I've been able to issue a certificate and have it trusted by my browser using the simple test Go webserver fine, but I've been having trouble using a cert with Microsoft SQL Server 2022 running in Docker on Linux. The server logs show it loads the cert and key correctly, but any clients fail to connect with errors about the chain. After several days of testing, it seems I need to install the Intermediate CA certificate into the client computers' trust store. Is this normal for some software, or is this an indication my intermediate CA hasn't been signed correctly?
Replies: 1 comment 2 replies
Hi @markbeazley, generally speaking it's the responsibility of the server process to return the leaf + intermediate(s) when a client tries to connect. In this case it sounds like SQL Server isn't returning the intermediate, and thus the clients connecting to it can't make the complete chain.

It's possible there's some additional configuration needed on the SQL Server side to include the intermediate. I did a quick search, but I didn't find a configuration for that yet, though. I did find https://dba.stackexchange.com/questions/128148/sql-server-doesnt-send-intermediate-ssl-certificates, which seems to suggest installing/using the intermediate on the client too.

If you don't want to install the intermediate, you could try signing a certificate for SQL Server using the root private key and certificate directly. You can't do that with the online

That said, it's not unheard of that intermediates need to be installed on the client. It's not the most common practice, but it just so happens that some systems don't do the correct thing. So it's OK if SQL Server doesn't have a way to include the intermediate in the chain and you don't want to sign using the root certificate directly.
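The three situations the reply describes (server sends leaf + intermediate; server sends the leaf alone; client has the intermediate in its own trust store) can be reproduced offline. The following is an added example, not code from this thread or from step-ca: it generates a throwaway root, intermediate and server certificate in memory (the CA names and the hostname `sql.example.internal` are made up) and then runs Go's chain verification as a client that trusts only the root would. Go is used because it is what step-ca and the asker's test webserver are written in.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed three-tier PKI (root -> intermediate -> leaf), generated in
// memory so the example runs offline. It stands in for a step-ca root,
// intermediate and server certificate; it is not step-ca's own code.
type chain struct {
	root, intermediate, leaf *x509.Certificate
}

// leafName is a made-up hostname for the server certificate.
const leafName = "sql.example.internal"

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues tmpl, signed by parent with signer's key, and parses the result.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// caTemplate returns a CA certificate template valid for the given number of years.
func caTemplate(serial int64, cn string, years int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().AddDate(years, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// buildChain creates root (self-signed), intermediate (signed by root) and
// a server leaf (signed by the intermediate).
func buildChain() chain {
	rootKey, intKey, leafKey := newKey(), newKey(), newKey()
	rootTmpl := caTemplate(1, "Example Root CA", 10)
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	intermediate := sign(caTemplate(2, "Example Intermediate CA", 5), root, &intKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: leafName},
		DNSNames:     []string{leafName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return chain{root: root, intermediate: intermediate, leaf: sign(leafTmpl, intermediate, &leafKey.PublicKey, intKey)}
}

// verify plays the client: trusted is what sits in its trust store, presented
// is what the server sent alongside the leaf during the handshake.
func verify(c chain, trusted, presented []*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, t := range trusted {
		roots.AddCert(t)
	}
	for _, p := range presented {
		inters.AddCert(p)
	}
	_, err := c.leaf.Verify(x509.VerifyOptions{DNSName: leafName, Roots: roots, Intermediates: inters})
	return err
}

// serverSendsChain: client trusts the root, server returns leaf + intermediate. Verifies.
func serverSendsChain(c chain) error {
	return verify(c, []*x509.Certificate{c.root}, []*x509.Certificate{c.intermediate})
}

// serverSendsLeafOnly: the SQL Server symptom from the thread. Fails with "unknown authority".
func serverSendsLeafOnly(c chain) error {
	return verify(c, []*x509.Certificate{c.root}, nil)
}

// intermediateInClientStore: the workaround, intermediate installed on the client. Verifies again.
func intermediateInClientStore(c chain) error {
	return verify(c, []*x509.Certificate{c.root, c.intermediate}, nil)
}

func main() {
	c := buildChain()
	fmt.Println("server sends leaf+intermediate:", serverSendsChain(c))
	fmt.Println("server sends leaf only:        ", serverSendsLeafOnly(c))
	fmt.Println("intermediate in client store:  ", intermediateInClientStore(c))
}
```

The middle case is the one to look for in client-side errors: the leaf is perfectly valid and correctly signed by the intermediate, yet the client cannot reach a trust anchor because nothing it holds links the leaf to the root. Adding the intermediate to the client store makes it a trust anchor in its own right, which is why that workaround succeeds without saying anything about whether the intermediate itself was signed correctly.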