SSL Certificate with Single-Tier PKI (only root CA in intermediate)

Hi
FMS seems to accept an intermediate certificate containing only and directly the root CA. This is possible e.g. when MS AD issues certificates for internal use.

I wonder if Otto Deploy accepts this likewise. The server connection error Error: unable to verify the first certificate still occurs in such a configuration while FMS accepts the certificate files.

Can somebody say something about this? What exactly needs to be provided in a single tier PKI in an internal network with Windows hosts?

/OttoFMS/config/.env
NODE_EXTRA_CA_CERTS=/path/to/your/root-certificates.pem

Is this needed if the root certificate is visible in the host certificate manager?

Yes, the certificate config is required if the certificate is from a non-standard CA. OttoFMS is using Node.js which uses a built-in CA list, so CAs are not loaded from the host (unless you’re running on Mac). For Linux and Windows you would need the setup you described and described in the custom cert docs.

Let me know if you have any issues with it!

-Kyle

great answer, I’ll check it out,
thanks

Yes, it works. Great, thank you!

Hint: on Windows it’s hard to rename a file to .env → just save it from a text editor with this name