xca
PKCS#12 fullchain export: omit the self-signed certificate?
AFAICS PKCS#12 export includes either all involved certificates (including the intermediate certificates and the self-signed root certificate) or just the client certificate. I am not sure if including the self-signed root certificate in the chain is a good idea. The peer is supposed to trust this certificate; it is already known.
One could say "it doesn't hurt", but does it? IMHO this is just asking for trouble. Would it be possible to optionally create a *.pfx file with all certificates but the self-signed root cert, similar to the chain.pem or fullchain.pem for certs created via letsencrypt?
I suspect that Dell's iDrac cards cannot handle chains with self-signed root certificate inside on a certificate upload, but I am still investigating.
Confirmed; the iDRAC tool "racadm" complains about the self-signed certificate in the chain. Running racadm after uploading the key and certificate chain exported from xca, I get a message:
% racadm -r idrac -u root -p 'secret' racreset
Security Alert: Certificate is invalid - self signed certificate in certificate chain
Continuing execution. Use -S option for racadm to stop execution on certificate-related errors.
It's just a warning, though.
Do you think this could be implemented for 2.6?
I don't know the racadm tool, but I don't think that removing the CA cert from the PKCS#12 helps.
I had a look at https://downloads.dell.com/manuals/all-products/esuprt_software/esuprt_remote_ent_sys_mgmt/esuprt_rmte_ent_sys_chassis_mgmt_cntrllr/dell-chassis-mgmt-cntrllr-v1.0-pedge-vrtx_reference%20guide_en-us.pdf
"self signed certificate in certificate chain" usually means "self signed certificate that I don't know in certificate chain".
Does the command racadm sslcertview -t 2 display the xca CA certificate?
If not, you may want to install it with racadm sslcertupload -t 2 -f xca-ca.pem