Recently I came across some MISP issues with certificates on remote servers. Even if Test connection is okay, if you try to push or pull events it will not do anything. The logs will not tell you anything either. If you run tcpdump to debug and look at the capture in Wireshark, you will see something like the screenshot.
Before adding it to the documentation of MISP, here is a brain dump of what I did:
Scenario:
Server 1 – running MISP
Server 2 – running MISP
Server 1 wants to push events to Server 2
Server 2 has a TLS/SSL certificate signed by an internal CA. Because CakePHP does not respect the OS CA store, the CA chain has to be provided manually.
Looking up the certificate with its full chain in Firefox will not reveal the FULL cert path, because it does not show the ROOT CA.
What you need to do is create a new text file, add all public certificates to it (including the certificate of the Root CA) and save it as a .pem file.
This .pem file then needs to be added as the certificate in the MISP server config.
On Gitter we had a discussion about why it is not okay to simply tick the "self signed" box. It appears that certificates that are signed by a CA (and not signed locally) carry several indications of such signatures:
#2: ObjectId: 2.5.29.19 Criticality=true BasicConstraints:[ CA:true ...
and
ObjectId: 2.5.29.15 Criticality=false KeyUsage [ DigitalSignature Key_CertSign Crl_Sign ]
Useful:
keytool -printcert -file certificate.pem
And:
openssl s_client -showcerts -connect server2:443
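Why the root CA has to be in the .pem file, shown with `openssl verify` on a constructed three-level lab PKI. This is an added example, not part of the original notes or of MISP: the CA names, file names and helper functions are made up, the bundle holds only the CA certificates, and the check uses OpenSSL's verifier rather than MISP's own HTTP client.

```bash
#!/usr/bin/env bash
# Constructed lab PKI: Lab Root CA -> Lab Issuing CA -> server2 (all names made up).
set -eu

# issue <dir> <name> <subject> <signer|self> <extfile>: new key + cert signed by <signer>
issue() {
  local d="$1" name="$2" subj="$3" signer="$4" ext="$5"
  openssl req -new -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$d/$name.key" -out "$d/$name.csr" 2>/dev/null
  if [ "$signer" = self ]; then
    set -- -signkey "$d/$name.key"
  else
    set -- -CA "$d/$signer.pem" -CAkey "$d/$signer.key" -CAcreateserial
  fi
  openssl x509 -req -in "$d/$name.csr" -days 2 -extfile "$ext" "$@" \
    -out "$d/$name.pem" 2>/dev/null
}

# build_demo <dir>: create the three certificates and two candidate CA bundles
build_demo() {
  local d="$1"
  # Same CA markers as in the keytool output: BasicConstraints CA:true, KeyUsage certSign
  printf 'basicConstraints=critical,CA:true\nkeyUsage=digitalSignature,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:false\n' > "$d/leaf.ext"
  issue "$d" root "/CN=Lab Root CA" self "$d/ca.ext"
  issue "$d" int "/CN=Lab Issuing CA" root "$d/ca.ext"
  issue "$d" leaf "/CN=server2" int "$d/leaf.ext"
  cp "$d/int.pem" "$d/no-root.pem"                       # chain copied without the root
  cat "$d/int.pem" "$d/root.pem" > "$d/full-chain.pem"   # chain including the root CA
}

# chain_ok <bundle.pem> <cert.pem>: true if cert verifies against the bundle
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

work=$(mktemp -d)
build_demo "$work"
for b in no-root full-chain; do
  if chain_ok "$work/$b.pem" "$work/leaf.pem"; then
    echo "$b.pem: server2 certificate verifies"
  else
    echo "$b.pem: server2 certificate does NOT verify"
  fi
done
```

Run `chain_ok` against your own bundle and the leaf saved from the `openssl s_client -showcerts` output before adding the bundle to the MISP server config.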