Obtaining a Certificate Chain
If you require certificates to be included in your root cert file and your DBA or IT staff has not provided them, you can often import them yourself by using a web browser or the openssl application. If you do this, keep in mind that while it does no harm to include them, you do not need to include the leaf certificates in the file. You only need the intermediary certificates and, for ybsql connections, root certificates.
Import the chain of trust certs using a browser
Firefox has the most convenient interface for importing certificates to a file because it has an option to generate the entire certificate chain with a single click.
- Click the lock icon next to the URL for the Yellowbrick Manager login, then click the Connection secure expansion arrow.
- Click More Information to open the "Page Info" window.
- Click Security, then View Certificate to see the certificates in the chain of trust.
- Click the PEM (chain) link, which generates the certificate bundle for the entire chain of trust.
In other browsers, the steps are similar but you may have to repeat them for each certificate in the chain (unlike Firefox, where you can generate the entire certificate chain at once).
Using an openssl command to import a certificate
To show all certificate information, including the metadata, pipe an empty input into an openssl s_client command and read its output. For example:
$ echo -n | openssl s_client -connect ************.yellowbrickcloud.com:443 -showcerts
In place of ************.yellowbrickcloud.com, substitute your Yellowbrick instance name, as copied from the Yellowbrick Manager Dashboard.
The following openssl command shows how to import the trusted certificate for an instance and save it to a .pem file:
% openssl s_client -servername ************.yellowbrickcloud.com -connect ************.yellowbrickcloud.com:443
</dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' >cacert.pem
depth=2 C = US, O = Internet Security Research Group, CN = ISRG Root X1
verify return:1
depth=1 C = US, O = Let's Encrypt, CN = R3
verify return:1
depth=0 CN = ************.yellowbrickcloud.com
verify return:1
poll error
Check the contents of the .pem file:
% more cacert.pem
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Using an imported .pem file with the --cacert option in ybtools
In turn, you can pass an imported .pem file name in as the value for the --cacert option in a ybtools command. For example, this ybload command makes a secure connection:
% ybload -t premdb.match --format csv -W --secured --cacert cacert.pem /mydata/premdb/match.csv
Password for user trebor@yellowbrickcloud.com:
16:19:49.087 [ INFO] ABOUT CLIENT:
app.cli_args = YBHOST=<HOSTNAME> (from ENV_VAR) YBDATABASE=premdb (from ENV_VAR) YBUSER=<USERNAME> (from ENV_VAR) --secured --cacert=******** -t premdb.match --format csv -W SOURCE=<FILENAME>.csv (from CLI)
app.name_and_version = ybload 6.1.0-a8363f32.1792
...