I have installed an SSL certificate via WHM on one of my domains. The site is working with https://xyz.com.
However, it is not working with https://www.xyz.com. I have checked the certificate and it is for the www version as well. After some research it appears to be an incomplete chain issue. I have no idea how to resolve this. Please help.
A certificate can contain a special Authority Information Access extension (RFC 3280) with a URL to the issuer's certificate. Most browsers can use the AIA extension to download the missing intermediate certificate and complete the certificate chain. But some clients (mobile browsers, OpenSSL) don't support this extension, so they report such a certificate as untrusted.
You can solve the incomplete certificate chain issue manually by concatenating all certificates from the server certificate up to the trusted root certificate (exclusive, in this order). Note that the trusted root certificate should not be included, as it is already in the system's root certificate store.
You should be able to fetch the intermediate certificates from the issuer and concatenate them yourself. I have written a script to automate the procedure; it follows the AIA extension to produce a correctly chained certificate bundle: https://github.com/zakjan/cert-chain-resolver
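As an added example (not the answer's own script and not taken from the cert-chain-resolver project), the following POSIX shell session builds a throwaway root/intermediate/leaf PKI with openssl, reproduces the failure a client without AIA support sees when the server sends only its leaf, and checks a concatenated bundle for the two rules stated above: leaf first with each issuer following its subject, and the root left out. The same checks apply to the "paste the ca-bundle after the domain cert" advice and to the root > intermediate > server chain explanation further down this page. Every name, key and file, and the http://pki.example.test AIA URL, is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the answer above or its cert-chain-resolver project):
# build a throwaway root -> intermediate -> leaf PKI with openssl, reproduce the
# "incomplete chain" failure, and check a concatenated bundle the way a client would.
# All names, the pki.example.test AIA URL and the files are constructed for this demo.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Minimal openssl config so the demo does not depend on the system openssl.cnf.
cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Root CA: self-signed; this is what would live in a client's trust store.
openssl req -x509 -config ca.cnf -extensions ca_ext -newkey rsa:2048 -nodes \
  -keyout root.key -out root.pem -days 365 -subj "/CN=Example Test Root" 2>/dev/null

# Intermediate CA, issued by the root.
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
  -keyout int.key -out int.csr -subj "/CN=Example Test Intermediate" 2>/dev/null
printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
  'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' \
  'authorityKeyIdentifier=keyid,issuer' > int.ext
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 365 -extfile int.ext -out int.pem 2>/dev/null

# Leaf (server) certificate, issued by the intermediate, carrying a caIssuers AIA
# URL (placeholder) that points at where the intermediate could be fetched.
openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
  -keyout leaf.key -out leaf.csr -subj "/CN=www.example.test" 2>/dev/null
printf '%s\n' 'basicConstraints=CA:FALSE' 'keyUsage=digitalSignature,keyEncipherment' \
  'extendedKeyUsage=serverAuth' 'subjectAltName=DNS:www.example.test,DNS:example.test' \
  'authorityKeyIdentifier=keyid,issuer' \
  'authorityInfoAccess=caIssuers;URI:http://pki.example.test/intermediate.der' > leaf.ext
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 365 -extfile leaf.ext -out leaf.pem 2>/dev/null

# Bundles a server might be configured with.
cat leaf.pem int.pem > fullchain.pem           # correct: leaf first, root omitted
cat int.pem leaf.pem > badchain.pem            # wrong order
cat leaf.pem int.pem root.pem > withroot.pem   # root needlessly included

# Validate leaf.pem against the root, optionally with a file of untrusted
# intermediates ($1), as a client that only knows the root would.
verify_with() {
  if [ -n "$1" ]; then
    openssl verify -CAfile root.pem -untrusted "$1" leaf.pem >/dev/null 2>&1
  else
    openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1
  fi
}

# Print the N-th ($2) PEM certificate from bundle $1.
extract_nth() { awk -v want="$2" '/BEGIN CERTIFICATE/ { c++ } c == want' "$1"; }

# Each certificate's issuer must be the subject of the next one in the bundle.
check_chain_order() {
  total=$(grep -c 'BEGIN CERTIFICATE' "$1"); pos=1
  while [ "$pos" -lt "$total" ]; do
    iss=$(extract_nth "$1" "$pos" | openssl x509 -noout -issuer)
    sub=$(extract_nth "$1" $((pos + 1)) | openssl x509 -noout -subject)
    [ "${iss#issuer=}" = "${sub#subject=}" ] || return 1
    pos=$((pos + 1))
  done
}

# True when the last certificate is self-signed, i.e. the root was included.
bundle_includes_root() {
  total=$(grep -c 'BEGIN CERTIFICATE' "$1")
  last=$(extract_nth "$1" "$total")
  sub=$(printf '%s\n' "$last" | openssl x509 -noout -subject)
  iss=$(printf '%s\n' "$last" | openssl x509 -noout -issuer)
  [ "${sub#subject=}" = "${iss#issuer=}" ]
}

# The caIssuers URL a chain-resolving client would follow to fetch the issuer.
aia_issuer_url() {
  openssl x509 -in "$1" -noout -text | grep -o 'CA Issuers - URI:[^ ]*' | sed 's/^CA Issuers - URI://'
}

if verify_with ""; then echo "leaf alone: OK (unexpected)"; else echo "leaf alone: FAILS (incomplete chain)"; fi
if verify_with fullchain.pem; then echo "leaf + intermediate bundle: OK"; fi
check_chain_order fullchain.pem && echo "fullchain.pem order: OK"
check_chain_order badchain.pem || echo "badchain.pem order: WRONG"
bundle_includes_root withroot.pem && echo "withroot.pem: root included (unnecessary)"
echo "AIA caIssuers URL in leaf: $(aia_issuer_url leaf.pem)"
```

Run it with `sh`; it needs only openssl, awk, grep and sed, and leaves everything in a temporary directory. The `verify_with` calls mirror what a client does: with only the root in its store and only the leaf from the server, validation fails; with the leaf+intermediate bundle it succeeds, and the root in the bundle adds nothing.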
I am using the zerossl.com website to generate an SSL certificate for my website developer.norght.com.
I successfully downloaded and installed a certificate from the zerossl.com website as per their documentation, and I am able to access https://developer.norght.com securely on my devices.
My hosting account's SSL tab also indicates that the certificate was installed successfully, as below:
Now my problem is:
When I check my SSL certificate using different platforms, they show me the error that my certificate is not trusted in all browsers!
SSL Hopper reference:
SSL Labs reference:
I tried to troubleshoot the issue using this article https://zerossl.com/help/troubleshoot/missing-intermediate-certificate/ provided by zerossl.com, but had no luck. I even tried to re-install the certificate, private key and ca-bundle file, but I am still getting the same error.
So I searched for a further tool that could help me solve the issue and found https://whatsmychaincert.com/?developer.norght.com. They provide the chain which I should use as the ca-bundle; I tried that too!
I tried every solution I found, but none of them was able to solve my problem.
If anyone here can help me with this issue it would be much appreciated, pals.
I'm aware that this question was asked about 6 months ago. So, in case you're still searching for the solution, you might want to try the following:
Copy the ca-bundle content (cert) and paste it after your domain cert in the Certificate (CRT) field.
Yes, this means that there are 2 certs in your CRT field (domain and ca-bundle), as in the example below:
Certificate (CRT)
-----BEGIN CERTIFICATE-----
(domain cert)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(ca-bundle cert)
-----END CERTIFICATE-----
If this works, it's just how the cert is installed at your hosting provider.
The root cause is that the root certificate for certificates issued by zerossl.com is not included in well-known web browsers (such as Chrome and Firefox) by default as a "trusted root certificate". Therefore, you have to install the root certificate manually. This means that you have to ask everyone who wants to access developer.norght.com to install the root certificate into their web browsers manually.
If you want to enable people to access developer.norght.com without installing the root certificate manually, you have to use another certificate issuer (not zerossl.com) that can issue certificates whose root certificate is installed in well-known web browsers by default.
As the diagram below from "Illustrated X.509 Certificate" shows, the origin (i.e. the root certificate) of a certificate chain must be installed in advance.
I'm new to site encryption and looking to expand my knowledge about certificates.
While surfing online, I stumbled on this site.
When looking at its cert chain it looks legit:
But... when I capture my SSL handshake with it, one of the certificates is missing:
My question(s) are:
1) How come the browser sees a cert chain of depth 3 with all the details while Wireshark doesn't?
2) How is it legit that the root issuer is not part of the chain??
I've tested it using Chrome and Explorer.
What am I missing here?
How come the browser sees a cert chain of depth 3 with all the details while Wireshark doesn't?
The browser shows the trust path to the locally stored root CA, including this root CA. Wireshark shows the certificates sent by the server. While the leaf certificate will be the same, the intermediate certificates (and root) might differ depending on which certificates are already trusted by the browser.
How is it legit that the root issuer is not part of the chain??
The idea of certificate validation is that you never fully trust the peer, because the peer might be lying to you. Instead you have some local CA certificates (trusted roots) and build a trust chain from these to the leaf certificate sent by the server. Only if this trust chain can be built will the browser believe that the server certificate is trustworthy. This means it is not only legit that the server does not send the root certificate, but it is actually wrong if the server includes the root certificate in the chain. It should not harm much though, because browsers will simply ignore this useless certificate.
I'm using Jelastic to run my application. When I run the sslchecker on the site, I get an error saying "You may need to install an Intermediate/chain certificate to link it to a trusted root certificate."
In the Jelastic Custom SSL configuration, I have added the intermediate certificate. I have 2 of those. How can I install both? Right now there is only an option to install one intermediate certificate. But according to Comodo's installation instructions I need to install both certificates. How can I do that?
Usually the root certificate is not needed because it already exists in all web browsers. But sometimes, when a web browser is not used for the communication, the root certificate should be present, for example when a Java application communicates with another application or Java client over a trusted connection.
In this case, instead of the intermediate certificate alone, the chain of intermediate+root certs should be uploaded.
It is very easy to merge 2 or more certs. Open the two certs in a text editor, copy the root cert and paste it at the end of the intermediate, as in the screenshot.
During the SSL handshake, the browser downloads any intermediate certificate from the host web server using the URL provided, if needed. I believe browsers come with pre-installed certificates from public CAs, having only the public key of the root certificate.
1) When calling an https URL from a standalone Java program [https://xyz.com, which is using a Verisign certificate], I do not need to add that certificate to any truststore, since its root public key is already available in the JDK's cacerts truststore file. Is this a correct statement?
2) When I run the same program from an application server, it requires adding all the intermediate certificates to the server truststore individually. Why does this work differently?
If the trust chain for the server's certificate is root-intermediate#1-intermediate#2-server and the client (browser) has root as a trusted CA in its CA store, it needs a way to verify the server's certificate by checking the complete chain up to the root. And because the client usually has no knowledge of the intermediate CAs, the server needs to provide them.
Sometimes it seems to work without providing these intermediate CAs. First, browsers usually cache the intermediate CAs they got, and thus if intermediate#2 is the same as one already seen from another server the verification will succeed, but only for the clients who visited the other server before :(
Another way is to provide a URL inside a certificate where the issuer certificate can be downloaded, e.g. the server certificate could provide a link to the certificate for intermediate#2, and intermediate#2 could provide a link to intermediate#1. In this case the client could download the missing certificates. But this feature is not universally adopted, e.g. some browsers might provide it, but SSL libraries outside of browsers usually don't.
When generating a self-signed certificate using keytool, can I use an IP address for the Common Name?
Once I generated the certificate, I exported it so I could install it in my clients/browsers. In Windows, I ran mmc.exe and added it as a Trusted Root Certificate Authority.
However, when I navigate to the IP address in my browser, it is still an untrusted connection. I ensured Tomcat had all the correct Connector settings.
Am I doing this correctly? Do I need to be my own CA? How can I use SSL for development purposes? I'm still trying to understand SSL completely.
First question: if you'll be connecting by IP, then yes.
Second question: No, you don't install your self-signed certificate as a CA; you just add an exception when your browser warns you that it's self-signed.
You can set up a CA — you generate the root certificate first, install it in the client, and then generate a CSR and then the server certificate from it (see e.g. this), but for development purposes this is a complete waste of time.
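As an added example (not the answer's own procedure, and using openssl rather than keytool), this shell session issues a self-signed development certificate for an IP address twice, once with the address only in the Common Name and once also in the subjectAltName, and checks each with openssl verify's -verify_ip the way a browser checks the address it connected to. Clients match an IP address against the subjectAltName, so that is where it has to be for the connection to validate. 192.0.2.10 is a constructed TEST-NET address and all files are throwaway.

```shell
#!/bin/sh
# Added example (not from the answer above): create a self-signed development
# certificate for an IP address with openssl, once with the address only in the CN
# and once also in the subjectAltName, and check each the way a client does.
# 192.0.2.10 is a constructed TEST-NET address; the files are throwaway.
set -e
WORK=$(mktemp -d)
cd "$WORK"

cat > dev.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = 192.0.2.10
[cn_only]
basicConstraints = CA:FALSE
[with_san]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth
subjectAltName = IP:192.0.2.10
EOF

# Self-signed cert with the IP in the Common Name only.
openssl req -x509 -config dev.cnf -extensions cn_only -newkey rsa:2048 -nodes \
  -keyout cn-only.key -out cn-only.pem -days 30 2>/dev/null
# Same, but with the IP also in subjectAltName, which is where clients look for it.
openssl req -x509 -config dev.cnf -extensions with_san -newkey rsa:2048 -nodes \
  -keyout san.key -out san.pem -days 30 2>/dev/null

# Exit 0 when certificate $1 lists IP $2 in its subjectAltName.
san_has_ip() { openssl x509 -in "$1" -noout -text | grep -qE "IP Address:$2(\$|,)"; }

# Treat certificate $1 as its own trust anchor (the effect of accepting it on the
# client) and require it to be valid for IP $2, as a browser opening https://$2/ would.
verify_for_ip() { openssl verify -CAfile "$1" -verify_ip "$2" "$1" >/dev/null 2>&1; }

for c in cn-only.pem san.pem; do
  if san_has_ip "$c" 192.0.2.10; then echo "$c: IP present in SAN"; else echo "$c: no IP in SAN"; fi
  if verify_for_ip "$c" 192.0.2.10; then echo "$c: valid for 192.0.2.10"; else echo "$c: NOT valid for 192.0.2.10"; fi
done
```

The CN-only certificate is a perfectly good self-signed certificate, which is why importing it as trusted does not by itself make the browser happy: the address check still fails until the IP is in the subjectAltName.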