
Completing the chain of trust for your SAS Viya deployment

Started ‎09-23-2022 by
Modified ‎09-23-2022 by

SAS Viya offers a variety of different scenarios to secure your deployment using certificates. Depending on your requirements you can select the scenario that best fits your needs. Many great blogs have been written about this topic. If you are interested in reading about this topic, please have a look at these blogs:

 

In this blog I will write about my experiences with deploying SAS Viya using a certificate that is signed by a Public Certificate Authority (CA). If you are using self-signed certificates, there is not that much that can go wrong. However, using a certificate that is signed by a public CA can complicate matters because this usually involves intermediate certificates that are necessary to complete the certificate chain.

 

Make sure to complete the chain

An application that serves a certificate is responsible for sending the entire certificate chain, meaning that it must send the server certificate and all intermediate certificates necessary to complete that chain. When the chain is not complete, you get errors like x509: certificate signed by unknown authority.

 

When I deploy SAS Viya, I typically verify my certificates by using my browser and opening an application like SAS Environment Manager. The problem with this method is that browsers tend to complete the certificate chain by using their own embedded certificate store. An incomplete chain will then show up as being complete in the browser. Hmm, not a foolproof way to validate your certificates. But how can you make sure that the chain is valid? Before answering that question, let’s first look at what the certificate chain of trust is.

 

The certificate chain of trust

When you visit an application like SAS Environment Manager via a secure connection, it will send the certificate back to the client. For the client to be able to validate that this is a trusted certificate it will try to prove that this certificate is from a trusted source by validating each certificate that is part of the chain of trust until the client finds the corresponding root certificate in its certificate trust store.  If the client is unable to find the corresponding root certificate in its trust store, then the certificate will not be trusted.

 


 

Signs of an incomplete certificate chain

We established earlier on in this blog that using your browser as a client to check if the certificate chain is complete is not a foolproof method. Your browser will try to complete the chain without you knowing it. But how do I check if my certificate chain is complete, you may ask?

 

Once you have deployed SAS Viya using a certificate that is signed by a public CA, you can check whether the chain is complete by doing one of the following:

  • Use curl from a Linux machine and try to access one of the applications on the Viya environment
  • Use python to access one of the applications on the Viya environment

If, in both cases, you end up with an error message like x509: certificate signed by unknown authority, you know for sure that your certificate chain is incomplete. You may have missed a necessary intermediate certificate. Let’s see how we can solve that!

 

Let’s complete the chain

When you generate a certificate signed by a public CA like DigiCert, they will provide you with a couple of files:

  • <YOUR DOMAIN>.crt: this is the server certificate that you need for your Viya deployment
  • DigiCertCA.crt: this is the intermediate certificate that is necessary to complete the certificate chain of trust.

To complete the chain, you need to provide both the server certificate and the intermediate certificate to your Viya deployment. Luckily this is easy to accomplish. You can just concatenate the server certificate and the intermediate certificate into one file. However, you need to make sure that it is in the following order:

  1. Server certificate
  2. Intermediate certificate

Once you have concatenated the contents of both files into a new file then you can just follow the steps as described here. Make sure to point to the newly created file in the overlay and then deploy Viya.
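
The check and the fix described above, as an added example that is not part of the original article: it builds a throwaway root, intermediate and server certificate with openssl, concatenates them in the required order, and shows that a client trusting only the root rejects the server certificate on its own but accepts the full chain file. The demo CA, subjects, file names and helper function names are all constructed for illustration.

```sh
#!/bin/sh
# Added example: all names, subjects and files here are constructed for the demo.
# With a real deployment, use <YOUR DOMAIN>.crt and DigiCertCA.crt instead.

# Create a throwaway root -> intermediate -> server chain in directory $1.
make_demo_chain() {
  d=$1
  echo 'basicConstraints=critical,CA:TRUE' > "$d/ca.ext"
  for n in root inter server; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -days 2 -out "$d/root.crt" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -days 2 -out "$d/inter.crt" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" \
    -CAcreateserial -days 2 -out "$d/server.crt" 2>/dev/null
}

# Server certificate first, then the intermediate certificate.
build_chain() { cat "$1" "$2" > "$3"; }

# Model a strict client: it trusts only the root ($1) and can use only the
# certificates in the file the server presents ($2, server certificate first).
client_accepts() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

# True when certificate 1 in the bundle was issued by certificate 2.
leaf_first() {
  second=$(awk '/BEGIN CERTIFICATE/{n++} n==2' "$1")
  [ -n "$second" ] || return 1
  [ "$(openssl x509 -noout -issuer_hash -in "$1")" = \
    "$(printf '%s\n' "$second" | openssl x509 -noout -subject_hash)" ]
}

demo=$(mktemp -d) && make_demo_chain "$demo"
build_chain "$demo/server.crt" "$demo/inter.crt" "$demo/fullchain.crt"
for f in server.crt fullchain.crt; do
  if client_accepts "$demo/root.crt" "$demo/$f"; then
    echo "$f: chain verifies against the root"
  else
    echo "$f: incomplete chain, issuer unknown to the client"
  fi
done
```

Running leaf_first on your own concatenated file confirms the server certificate comes before the intermediate before you point the overlay at it.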

 

Conclusion

In this article I’ve written about the certificate chain of trust, and how that chain becomes relevant once you are using certificates that are signed by a Public Certificate Authority in your Viya deployment. I wrote about your browser automatically completing this chain for you, and what signs to look for that you haven’t provided all the necessary certificates to complete that chain. Hopefully, after reading this blog, you will know what to do once you run into these issues!

 

Thank you for reading!

Version history
Last update:
‎09-23-2022 03:44 AM