Unable to connect to the SCMB server using a CA-signed client certificate

Symptom

After creating a CA-signed client certificate, you are still unable to establish a connection to the SCMB server.

Solution 1
Cause

The client certificate is not signed by a Certificate Authority (CA) that is trusted by the appliance.

Action
  1. Verify the CA that signed the client certificate using the following command: openssl verify -verbose -CAfile ca.pem cert.pem
  2. Ensure the CA root and intermediate certificates listed are trusted by the appliance by going to Settings > Security and checking the list of trusted CAs.
  3. If the CA you used to sign the client certificate is not present, add the CA to HPE OneView.
Solution 2
Cause

Root CA certificate or intermediate CA certificates used to sign the SCMB server certificate are not included in the CA certificates file used by the client.

Action
Ensure the CA certificates file used by the client includes the root certificate and any intermediate CA certificates that signed the SCMB server certificate.
Solution 3
Cause

Intermediate CA used to sign the client certificate is not included in the CA certificates file used by the client.

Action
Ensure the CA certificates file used by the client includes the intermediate CA that signed the client certificate.
Solution 4
Cause

The client certificate uses a Common Name other than rabbitmq_readonly.

Action
  1. Use this command to display the certificate attributes: openssl x509 -noout -text -in cert.pem
  2. If the client certificate has a Common Name other than rabbitmq_readonly, create a new client certificate. The Common Name for the client certificate must be set to rabbitmq_readonly, since the SCMB server is configured to accept connections from this user.
Solution 5
Cause

The CA chain contains more than nine intermediate certificates, NOT including the Root CA (Root CA > Intermediate 1 > Intermediate 2 > ... > Intermediate 8 > Intermediate 9).

Action
HPE OneView is only capable of supporting up to nine levels of CA chains. Trim the lowest levels of the CA chain so it contains less than nine levels.