Enabling the security certificate to configure data encryption over wire for VVR replication

Article ID: 100048252

Description

Setting up the certificate authority (CA) certificates in /etc/vx/vvr/cacert.pem

The /etc/vx/vvr/cacert.pem file must include the CA certificate.
In case of self-signed node certificates, the /etc/vx/vvr/cacert.pem file should include the certificates from each of the signing nodes. In case of a root CA-signed certificate, this file should include the certificate issued by the root CA.
However, there may be a chain of CAs in which one or more intermediate CAs are trusted by the top-most root CA to sign certificates on its behalf. In such cases, perform the following steps to set up the certificates in /etc/vx/vvr/cacert.pem.

  1. Obtain the certificates from all CAs in the chain of trust up to the top-most root CA.
  2. Copy the certificates of the complete chain of CAs.
    If a node certificate is signed by an intermediate CA (CA3) under a chain of CAs—for example, Root CA > Intermediate CA1 > Intermediate CA2 > Intermediate CA3—the certificates should be added or appended to the cacert.pem file in the following order:
    1. Intermediate CA3 certificate
    2. Intermediate CA2 certificate
    3. Intermediate CA1 certificate
    4. Root CA certificate

Note: Do not add the node certificate to this list because it is already included in the /etc/vx/vvr/cert.pem file.

  3. Ensure that the certificates of all CAs in the chain, including the root CA, are installed and present in the list of trusted CA certificates on each node.
  4. Validate the certificates and the basic OpenSSL connections with the updated certificate files using the standard OpenSSL commands.
  5. Verify that the VVR daemon SSL connections are established by checking the messages logged in the daemon log files.
VVR daemon | Log file                        | Node              | SSL connection related log messages
-----------+---------------------------------+-------------------+---------------------------------------------------
vradmind   | /var/vx/vras/log/vradmind_log_A | Primary           | Client IpmHandle:: SSL_new state succeeded
           |                                 |                   | Client IpmHandle:: SSL_connect succeeded
           |                                 |                   | client IpmHandle:: SSL_show Cert. succeeded
           |                                 | Secondary         | Server IpmHandle:: SSL_new state succeeded
           |                                 |                   | Server IpmHandle:: SSL_accept succeeded
           |                                 |                   | Server IpmHandle:: SSL_show Cert. succeeded
vradmind   | /var/log/messages               | Primary/Secondary | vradmind: VVR_SSL_SOCK: SSL initialization succeeded.
vxrsyncd   | /var/log/messages               | Primary/Secondary | in.vxrsyncd: VVR_SSL_SOCK: SSL initialization succeeded.
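As an added example, not code from Veritas or this article, the following POSIX shell functions carry out the chain assembly, the OpenSSL validation and the daemon log check described above. Paths are the ones the article names (/etc/vx/vvr/cert.pem, /etc/vx/vvr/cacert.pem); the log check assumes the daemon messages appear verbatim as listed in the table.

```shell
# Added example, not part of the Veritas article or product. Paths follow the
# article: node cert in /etc/vx/vvr/cert.pem, CA bundle in /etc/vx/vvr/cacert.pem.
set -u

# Assemble cacert.pem in the order the article requires: the CA that signed the
# node certificate first (Intermediate CA3), then CA2, CA1, and the root CA last.
# usage: build_cacert_chain OUT.pem CA3.pem CA2.pem CA1.pem root.pem
build_cacert_chain() {
    out=$1; shift
    : > "$out"
    for ca in "$@"; do
        cat "$ca" >> "$out"
        # keep PEM blocks separated even if a source file lacks a final newline
        [ -z "$(tail -c1 "$ca")" ] || printf '\n' >> "$out"
    done
    chmod 644 "$out"
}

# Number of certificate blocks in a bundle; a 3-intermediate chain gives 4
# (the node certificate itself belongs in cert.pem, not here).
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Standard OpenSSL checks: print each link's subject/issuer so the ordering can
# be read off, then verify the node certificate against the assembled bundle.
verify_node_cert() {
    cacert=${1:-/etc/vx/vvr/cacert.pem}; cert=${2:-/etc/vx/vvr/cert.pem}
    openssl crl2pkcs7 -nocrl -certfile "$cacert" |
        openssl pkcs7 -print_certs -noout
    openssl verify -CAfile "$cacert" "$cert"
}

# Classify a vradmind_log_A by the SSL messages listed in the table above.
# Prints "primary" (client side), "secondary" (server side) or "none".
vvr_ssl_role() {
    if grep -q 'Client IpmHandle:: SSL_connect succeeded' "$1"; then
        echo primary
    elif grep -q 'Server IpmHandle:: SSL_accept succeeded' "$1"; then
        echo secondary
    else
        echo none
    fi
}

# /var/log/messages check: returns 0 only when both vradmind and in.vxrsyncd
# logged the SSL initialization success line.
vvr_ssl_init_ok() {
    grep -q 'vradmind: VVR_SSL_SOCK: SSL initialization succeeded' "$1" &&
    grep -q 'in.vxrsyncd: VVR_SSL_SOCK: SSL initialization succeeded' "$1"
}
```

A node whose vradmind_log_A reports only "SSL_new state succeeded" without the connect or accept line has not completed the handshake, which is the case the role check reports as "none".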

