6:00 AM
El DiPablo
An issue came up the other day that frankly really isn't an issue. We had a client at my day job (that shall not be named) that ran an SSL Labs test against one of our sites and it came back with this message regarding the chain certificates:
 |
| Chain Issues Incorrect order, Contains anchor |
...It's not an issue in the sense that the anchor is not allowed, but that the extra certificate (which serves no purpose) is increasing the handshake latency. Some people care about that, which is why provide the information in the test.The solution is relatively easy if you are running an Nginx or Apache server, just don't include the root (aka anchor) certificate in your web configs, and only include the intermediate cert.
My problem was a little more complex because we use Imperva's Incapsula CDN/WAF service, so in order to upload a custom certificate you need to import a PFX file. If you export the PFX file from a Windows server, it typically includes all certificates in the chain.
If you opt to not include all certificates in the chain when exporting, then import that to Incapsula, then SSL Labs will cap your grade to a B because you are missing the chain certs... Kind of no win theater situation.
The solution? First you need to have OpenSSL installed in Windows, or you can do this on a Linux box. Do the following:
- Export your certificate to PFX format and don't include the chain certificates.
- Export your intermediate certificate in x509 format separately. Name the file intermediate.cer
- Put both files in a folder then run the following from a command prompt or Linux terminal in the directory containing your files:
openssl pkcs12 -in <domainname>.pfx -clcerts -nokeys -out <domainname>.crt
openssl pkcs12 -in <domainname>.pfx -nocerts -nodes -out <domainname>.key
openssl pkcs12 -export -out <domainname>_new.pfx -inkey <domainname>.key -in <domainname>.crt -certfile intermediate.cer
Be sure to replace <domainname> with whatever your original PFX file's name. You will be prompted for your export password after each command.
After this is done, you can import your <domainname>_new.pfx file to Imperva's Incapsula service (Or whatever load balancer/SSL offload device your using) and re-run your SSL Labs scan. Boom! The issue will be gone!
Like I said above, all of this is kind of unnecessary. Your website will work fine and not be any less secure if you have the root/anchor certificate in your chain. Still, if you are a stickler for details, or you have clients that want it done, now you know how to do it.
Did you have to do something different to fix your issue? Did this help? Let us know in the comments!
