openssl certificate chain - windows



  • I have a ROOT_CA and a subCA. The subCA issued a certificate for a website (CUPS1.local). Moreover I have Windows clients; the ROOT_CA is already installed as Trusted Root Certification Authorities.

    Validating the subCA works using openssl verify and also I can see it in Windows.

    I can also verify the certificate for CUPS1.local in openssl via

    openssl verify -CAfile /etc/certs/cacert.pem -untrusted subCA_websites.crt cups1.crt
    cups1.crt: OK

    Moreover, if I create a chain the certificate is also OK

    cat /etc/certs/cacert.pem subCA_websites.crt > chain.pem
    openssl verify -CAfile chain.pem cups1.crt
    cups1.crt: OK

    Now, I also want Windows to see these certificates as valid. And here is the problem: Windows does not see the certificate chain:

    [screenshot: without SUB_CA certificate]

    However, after installing the certificate of the subCA, the certificate for CUPS1.local is valid.


    Hence, maybe I misunderstood some basics: Do I need to install the certificate of every subCA as Trusted Root Certification Authorities? Is there another way to implement the certificate chain into the certificate for CUPS1.local, such that I only need to install the ROOT_CA and not all the subCAs?

    Short update: Well, since the certificate was intended for a website (CUPS server) the chain works by combining:

    cat cups1.crt subCA_websites.crt /etc/certs/cacert.pem > chain.crt

    When I add this chain.crt to the CUPS server (and also the key-file), I can open the website without error message. I do not need to install the subCA certificate, only the ROOT_CA is fine.

    Anyway, out of curiosity I would like to understand if windows can also somehow read the chain?



  • Anyway, out of curiosity I would like to understand if windows can also somehow read the chain?

    There is no "somehow read the chain". Either it has the necessary chain certificates or it does not. It can have the certificates if they are provided up-front (i.e. installed locally) or if they are provided during verification. The latter is the common case, i.e. it is expected that the web server actually provides all necessary chain certificates along with the server certificate during TLS handshake.

    If the chain certificates are missing, some implementations might try to fill in the missing chain certificates for validation. For example, Firefox caches chain certificates seen on past websites and then tries to use these cached certificates to fill in missing chain certificates. This works pretty well for public websites since the trusted root CAs only use a small set of chain certificates. Chrome also tries to extract the URL of a missing chain certificate from the Authority Information Access | CA Issuers information in a certificate and then loads the missing issuer certificate from the given URL.
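The point made above (a client that trusts only the root cannot validate the leaf unless the intermediate is supplied, either installed locally or sent by the server) can be reproduced end to end with openssl. The script below is an added example, not code from the question or answer: it builds a throwaway root CA, sub CA and server certificate in a temp directory and checks which verification inputs succeed. All names (Demo Root CA, Demo Sub CA, cups1.local) are constructed for the demo; it needs openssl 1.1.1 or newer.

```shell
#!/bin/sh
# Added example: throwaway root CA -> sub CA -> server cert, then three
# verification scenarios. Names are constructed, nothing here is real.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"

# Root: key + CSR, then self-signed with CA:TRUE via an extfile.
openssl req -new -nodes -newkey rsa:2048 -subj "/CN=Demo Root CA" \
  -keyout root.key -out root.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
  -extfile ca.ext -out root.crt 2>/dev/null

# Sub CA: signed by the root, also CA:TRUE.
openssl req -new -nodes -newkey rsa:2048 -subj "/CN=Demo Sub CA" \
  -keyout sub.key -out sub.csr 2>/dev/null
openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 30 -sha256 -extfile ca.ext -out sub.crt 2>/dev/null

# Server (leaf) certificate: signed by the sub CA, CA:FALSE.
openssl req -new -nodes -newkey rsa:2048 -subj "/CN=cups1.local" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:cups1.local\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
  -days 30 -sha256 -extfile leaf.ext -out leaf.crt 2>/dev/null

# Trust store holds only the root and nothing else is offered:
# the verifier cannot link leaf -> root, so this returns non-zero.
verify_root_only() {
  openssl verify -CAfile root.crt leaf.crt >/dev/null 2>&1
}

# Same trust store, but the intermediate is offered as untrusted input,
# which is what a TLS server should send alongside the leaf.
verify_with_sub() {
  openssl verify -CAfile root.crt -untrusted sub.crt leaf.crt >/dev/null 2>&1
}

# Server bundle in handshake order (leaf, then sub CA, then root), used as
# untrusted input against a store that trusts only the root.
verify_server_bundle() {
  cat leaf.crt sub.crt root.crt > chain.crt
  openssl verify -CAfile root.crt -untrusted chain.crt leaf.crt >/dev/null 2>&1
}

verify_root_only && echo "root only: OK" || echo "root only: FAIL (expected)"
verify_with_sub && echo "root + untrusted sub CA: OK"
verify_server_bundle && echo "root + server bundle: OK"
```

The first check is the Windows situation in the question before the sub CA was installed; the third is what the CUPS server does once chain.crt is configured.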


