SSL handshake fails with - a verisign chain certificate - that contains two CA signed certificates and one self-signed certificate

Question

I am stuck with a issue and trying to debug it  We purchased a Verisign certificate  When we use   openssl gt  s client -connect myweb com 443 -showcerts   SSL Handshake never completes and at the end we see error   Verify return code  19  self signed certificate in certificate chain    It shows 3 ---BEGIN END CERTIFICATE--- tags  Two certificates in chain are Verisign signed but one is self signed    If someone can please explain how this self-signed certificate shows up in a CA signed certificate  Is this error 19  self signed certificate in certificate chain  benign  If not  what could be causing it   Client has the CA certificate in trusted store but there is nothing for the self-signed certificate  Do you think that could be causing problem  If yes  how do I    How can I get rid of the self-signed certificate from the chain certificate leaving behind only 2 CA signed certificates in chain  Add this self signed certificate on client trusted store

User · Answer

Root certificates issued by CAs are just self-signed certificates (which may in turn be used to issue intermediate CA certificates). They have not much special about them, except that they've managed to be imported by default in many browsers or OS trust anchors.

While browsers and some tools are configured to look for the trusted CA certificates (some of which may be self-signed) in location by default, as far as I'm aware the openssl command isn't.

As such, any server that presents the full chain of certificate, from its end-entity certificate (the server's certificate) to the root CA certificate (possibly with intermediate CA certificates) will have a self-signed certificate in the chain: the root CA.

openssl s_client -connect myweb.com:443 -showcerts doesn't have any particular reason to trust Verisign's root CA certificate, and because it's self-signed you'll get "self signed certificate in certificate chain".

If your system has a location with a bundle of certificates trusted by default (I think /etc/pki/tls/certs on RedHat/Fedora and /etc/ssl/certs on Ubuntu/Debian), you can configure OpenSSL to use them as trust anchors, for example like this:

openssl s_client -connect myweb.com:443 -showcerts -CApath /etc/ssl/certs

User · Answer

About the server can deliver to the clients the root cert or not  extracted from the RFC-5246  The Transport Layer Security  TLS  Protocol Version 1 2  doc it says      certificate list         This is a sequence  chain  of certificates   The sender s         certificate MUST come first in the list   Each following         certificate MUST directly certify the one preceding it   Because         certificate validation requires that root keys be distributed         independently  the self-signed certificate that specifies the root         certificate authority MAY be omitted from the chain  under the         assumption that the remote end must already possess it in order to         validate it in any case    About the term  MAY   extracted from the RFC-2119  Best Current Practice  says      5 MAY    This word  or the adjective  OPTIONAL   mean that an item is    truly optional   One vendor may choose to include the item because a   particular marketplace requires it or because the vendor feels that   it enhances the product while another vendor may omit the same item    An implementation which does not include a particular option MUST be   prepared to interoperate with another implementation which does   include the option  though perhaps with reduced functionality  In the    same vein an implementation which does include a particular option   MUST be prepared to interoperate with another implementation which   does not include the option  except  of course  for the feature the   option provides     In conclusion  the root may be at the certification path delivered by the server in the handshake   A practical use  Think about  not in navigator user terms  but on a transfer tool at a server in a militarized zone with limited internet access  The server  playing the client role at the transfer  receives all the certs path from the server  All the certs in the chain should be checked to be trusted  root included  The only way to check this is the root be included at the certs path in transfer time  being matched against a previously declared as  trusted  local copy of them

User · Answer

When you see  Verify return code  19  self signed certificate in certificate chain    then  either the servers is really trying to use a self-signed certificate  which a client is never going to be able to verify   or OpenSSL hasn t got access to the necessary root but the server is trying to provide it itself  which it shouldn t do because it s pointless - a client can never trust a server to supply the root corresponding to the server s own certificate     Again  adding -showcerts will help you diagnose which

User · Answer

Here is a link to VeriSign s SSL Certificate Installation Checker  https   knowledge verisign com support ssl-certificates-support index page content amp id AR1130  Enter your URL  click  Test this Web Server  and it will tell you if there are issues with your intermediate certificate authority

User · Answer

It sounds like the intermediate certificate is missing   As of April 2006  all SSL certificates issued by VeriSign require the installation of an Intermediate CA Certificate   It could be that you don t have the entire certificate chain loaded on your server   Some businesses do not allow their computers to download additional certificates  causing a failure to complete an SSL handshake      Here is some information on intermediate chains  https   knowledge verisign com support ssl-certificates-support index page content amp id AR657 https   knowledge verisign com support ssl-certificates-support index page content amp id AD146  Intermediate CA Certificates

[ssl] SSL handshake fails with - a verisign chain certificate - that contains two CA signed certificates and one self-signed certificate

Examples related to ssl

Examples related to openssl

Examples related to handshake