1. home icon for breadcrumbs >
  2. Certificate Support

Certificate Support

Cloud Agent installed on AIX may throw the following error for the certificate ca-bundle.crt when trying to communicate with the Qualys Enterprise TruRisk Platform. This happens when the certificate files are not present on the host asset, or the certificate files are present at the following default location.

/var/ssl/certs/ca-bundle.crt

Error Message: 

2017-09-26 06:45:09.499 [qualys-cloud-agent][28901532]:[Information]:Cert OS: AIX, CA 
path:/var/ssl/certs/ca-bundle.crt
2017-09-26 06:45:09.502 [qualys-cloud-agent][28901532]:[Error]:cloud-agent terminated: exception in 
main(): File not found: /var/ssl/certs/ca-bundle.crt

Error Details:

SSL CA cert (path? access rights?): error setting certificate verify locations: CAfile: /var/ssl/certs/ca-bundle.crt CApath: none
2025-06-30 10:37:55.540 -0400 [qualys-cloud-agent][6750580]:[Error]:[1800]:Http request failed:Problem with the SSL CA cert (path? access rights?): error setting certificate verify locations: CAfile: /var/ssl/certs/ca-bundle.crt CApath: none
2025-06-30 10:37:55.540 -0400 [qualys-cloud-agent][6750580]:[Error]:[1800]:Http request failed: error code: 0
2025-06-30 10:37:55.540 -0400 [qualys-cloud-agent][6750580]:[Debug]:[1800]:Setting Compression to: 1
2025-06-30 10:37:55.540 -0400 [qualys-cloud-agent][6750580]:[Error]:[1800]:CAPI request failed:
2025-06-30 10:37:55.540 -0400 [qualys-cloud-agent][6750580]:[Error]:[1800]:CAPI event failed

To fix this issue, you must manually install the certificate files in the appropriate location on the host asset. You can either use the certificate files from your existing RHEL or CentOS assets or download the certificate files from the following location: Extract CA Certificates

  1. Run curl command from Linux machine:
    curl --remote-name --time-cond cacert.pem 
    https://curl.se/ca/cacert.pem
  2. Rename curl output from cacert.pem to ca-bundle.crt.
  3. Copy the certificate file as ca-bundle.crt at the following default location on AIX: /var/ssl/certs/
  4. If you want to use a non default location, ensure that the directory path is added in the /etc/opt/qualys/cloud-agent/qagent.config and set AIX path to /var/ssl/certs/ca-bundle.crt in the following manner:

     "os": "AIX",
     "cafile": "/var/ssl/certs/ca-bundle.crt"
    }

    For agent version 1.6, the qagent.config file is located at /etc/qualys/cloud-agent/qagent.config.

  5. Create a symbolic link to the ca-bundle.crt hash. To learn more about creating symbolic links, refer to the IBM AIX: Import CA certificate.

    OpenSSL and some AIX utilities look for certificates via these hashed filenames when verifying certificate chains.

  6. If you are manually adding the certificates (e.g., a CA bundle or root CA), perform the following actions:

    Run the following command to print the hash string:
    openssl x509 -noout -hash -in /var/ssl/certs/ca-bundle.crt

    For example, the above command generates a has string 9d66eef0. This string is used for creating a symbolic link in 
    -s ca-bundle.crt <hash>.0.

    The AIX/OpenSSL use this symbolic link for for certificate verification.
    For example, -s ca-bundle.crt 9d66eef0.0

  7. Now restart the QAgent Service using following command:
    /opt/qualys/cloud-agent/bin/qcagent.sh restart
  8. Check logs for any SSL/cert issues
    tail -f /var/opt/qualys/qualys-cloud-agent.log

© 2024 Qualys, Inc. All rights reserved. Privacy Policy.