0
votes

A customer has given us 3 certificates, which were installed on a Windows server in this order:

  1. Issued by Verisign, for Symantec (certificate only, installed as intermediate)
  2. Issued by Symantec, for CompanyX (certificate only, installed as intermediate)
  3. Issued by CompanyX, for CompanyX (certificate and key, installed as Personal)

In MMC, when I inspect #2, I can see the chain as:

Verisign (root) -> Verisign (intermediate) -> Symantec (intermediate)

When inspecting #3 (the self-signed certificate), there is no chain; there's only CompanyX.

It seems like Windows is failing to establish the chain between the last intermediate and the self-signed certificate, so when clients connect to the web server they see a self-signed or untrusted certificate warning, presumably because the server is not publishing the intermediate certificates.

I've already verified that common names match exactly, and repeated the installation procedures a few times. Did I do something wrong installing the certificates? Am I missing something?

2

2 Answers

0
votes

Certificate #3 is not part of the certificate issued by VeriSign. It can be a dummy certificate for an incomplete request, copied from a node in the Certificates MMC. If this is the case, compare the public keys or the Subject Key Identifier extension values of both the #2 and #3 certificates. If they match, move certificate #3 to the Certificate Enrollment Requests node.

What your customer needs to do is go to the machine where the original request was generated (I would suspect that is the IIS server) and attempt to properly install the issued certificate by running the following command:

certreq -accept path\certNo2.cer

If the command succeeds, the certificate will be automatically installed in the Personal store. If the command fails, the customer must find the machine where the request was generated and run the command above there.

0
votes

Just for the record and possible future searches, here's how I solved it:

Since both #3 and #2 have the same subject (and public key), and I had the private key for #3 but not for #2, I wanted to try the #3 private key on the #2 certificate, so:

  1. Extract the key from #3 with `openssl pkcs12 -in Cert3.pfx -nocerts -nodes -out Cert3.key`, where Cert3.pfx is the #3 certificate with its key. This creates a new Cert3.key file containing only the private key.

  2. Merge the #2 certificate with the extracted key using `openssl pkcs12 -export -out NewCert2.pfx -inkey Cert3.key -in Cert2.cer`, where Cert2.cer is #2 without a key. This creates NewCert2.pfx with the #2 certificate and the #3 key merged.

  3. Deleted #3 from the Personal store and #2 from the Intermediate store.

  4. Imported the new merged #2 into the Personal store.

  5. Updated IIS bindings for the new certificate.

The result is that #2 is now used as the SSL certificate; I have already tested it with SSL-Checker and everything is working fine.
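Both answers turn on the same check: whether the private key behind #3 actually belongs to #2 (the first answer suggests comparing public keys or Subject Key Identifiers, the second relies on it when merging the key into NewCert2.pfx). The following is an added shell example, not code from the thread, that performs that comparison with the openssl CLI before any PFX is built; the file names and the sample CA it generates are assumptions used only as constructed test data.

```shell
#!/bin/sh
# Added example, not code from the thread: decide whether a private key belongs
# to a certificate by comparing the SHA-256 of their DER-encoded public keys.
# Assumes the openssl CLI is on PATH; all keys and certificates are generated
# here as constructed sample data (EC keys, so it runs quickly and offline).
set -eu

# Print the SHA-256 of the DER SubjectPublicKeyInfo of a key or certificate file.
pubkey_fp() {  # $1 = file, $2 = "key" or "cert"
  case "$2" in
    key)  openssl pkey -in "$1" -pubout -outform DER ;;
    cert) openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER ;;
  esac | openssl dgst -sha256 | awk '{print $NF}'
}

# Succeed (exit 0) only if the key's public half matches the certificate's.
key_matches_cert() {  # $1 = private key file, $2 = certificate file
  [ "$(pubkey_fp "$1" key)" = "$(pubkey_fp "$2" cert)" ]
}

# Build constructed sample data in a temp dir and print its path:
#   companyx.key  one private key (stands in for the key behind #3)
#   cert3.pem     self-signed certificate on that key (stands in for #3)
#   cert2.pem     certificate on the SAME key issued by a sample CA (like #2)
#   other.key     an unrelated key, the negative case
make_samples() {
  dir=$(mktemp -d)
  gen() { openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 -out "$1" 2>/dev/null; }
  gen "$dir/companyx.key"
  gen "$dir/ca.key"
  gen "$dir/other.key"
  openssl req -new -x509 -key "$dir/companyx.key" -subj "/CN=www.companyx.example" \
    -days 1 -out "$dir/cert3.pem"
  openssl req -new -x509 -key "$dir/ca.key" -subj "/CN=Sample Intermediate CA" \
    -days 1 -out "$dir/ca.pem"
  openssl req -new -key "$dir/companyx.key" -subj "/CN=www.companyx.example" \
    -out "$dir/cert2.csr"
  openssl x509 -req -in "$dir/cert2.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -out "$dir/cert2.pem" 2>/dev/null
  echo "$dir"
}

# Stand-alone demo: report, for each certificate, whether the #3 key fits it.
if [ "${1:-}" = "--demo" ]; then
  d=$(make_samples)
  for c in cert3.pem cert2.pem; do
    if key_matches_cert "$d/companyx.key" "$d/$c"; then echo "$c: key matches"
    else echo "$c: key does NOT match"; fi
  done
fi
```

Run it with `--demo` to see the verdict for both sample certificates; against real files, call `key_matches_cert Cert3.key Cert2.cer` before running the `pkcs12 -export` step.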