After further investigation with a PKI expert, we have come to the following conclusions:
1- It is normal that ocsinventory-agent can send its inventory without a local copy of the server's certificate validation chain (the so-called "cacert.pem") because (1) we are not using a self-signed certificate, and (2) Apache is configured to send the certificate validation chain to the client upon connection. With this configuration, the agent validates the certificate validation chain given by Apache up to the root certificate, which is part of the OS.
2- For the same reasons, ocsinventory-agent should be able to download packages without a local copy of the server's certificate. We assume there's a bug in the part of the code doing the download.
These conclusions hold only for the Unified Unix Agent; we don't know how ocsinventory-agent behaves under Windows.
HTH,
Cyrille
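A way to check the two situations described in the post (chain validated by the OS root store alone, versus a local cacert.pem) before blaming the download code. This is an added diagnostic script, not part of the OCS Inventory agent; the server URL and bundle path are placeholders to be passed on the command line, and it needs LWP::Protocol::https installed.

```perl
#!/usr/bin/perl
# Diagnostic: does the OCS server's certificate chain validate with the OS trust
# store alone, and (optionally) with a local cacert.pem? Added example, not part
# of the OCS Inventory agent. Requires LWP::Protocol::https (IO::Socket::SSL).
use strict;
use warnings;
use LWP::UserAgent;

# Assumed placeholders: pass your server URL and, optionally, the agent's cacert.pem.
my $url    = $ARGV[0] || 'https://ocs.example.com/ocsinventory';
my $cafile = $ARGV[1];

# Returns 1 if a TLS session was established (any HTTP status counts), 0 if LWP
# failed internally, which is where a chain/hostname verification error shows up.
sub tls_ok {
    my ($label, %ssl_opts) = @_;
    my $ua = LWP::UserAgent->new(
        timeout  => 15,
        ssl_opts => { verify_hostname => 1, %ssl_opts },
    );
    my $res = $ua->head($url);
    # LWP marks connection-level failures with a 'Client-Warning: Internal response' header.
    my $internal = ($res->header('Client-Warning') // '') eq 'Internal response';
    my $ok = $internal ? 0 : 1;
    printf "%-30s %s\n", "$label:",
        $ok ? 'TLS OK (HTTP ' . $res->code . ')' : 'TLS FAILED: ' . $res->status_line;
    return $ok;
}

# 1. Only the roots shipped with the OS, exactly like an agent with no cacert.pem.
my $os_ok = tls_ok('OS trust store');

# 2. Only the local bundle, the way a download that insists on cacert.pem would behave.
my $ca_ok = defined $cafile ? tls_ok("local bundle $cafile", SSL_ca_file => $cafile) : undef;

if ($os_ok && defined $ca_ok && !$ca_ok) {
    print "-> Server chain is fine; the local cacert.pem does not cover this server's chain.\n";
}
elsif (!$os_ok && $ca_ok) {
    print "-> Server is probably not sending its intermediate certificates (check Apache's chain configuration).\n";
}
elsif (!$os_ok) {
    print "-> Neither path validates: check the server's chain and the OS root store.\n";
}
```

If the first check passes and the second fails, the server side is healthy and the problem is confined to whatever the download code does with cacert.pem.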