Certificate chain issues are extremely widespread and more common than you think. You start to see how many websites have broken certificate chains when you start performing SSL inspection on a network.
If you want to read more about certificate chains, my post Certificate Chain goes into more detail.
My website, thedxt.ca, has a server certificate for thedxt.ca, issued by the intermediate CA GTS CA 1P5. The intermediate CA GTS CA 1P5 certificate is issued by the public root CA GTS Root R1.
The image above is an example of a correctly formed certificate chain. Each item is issued by the previous one, and because the root CA is trusted, the entire chain is trusted.
In this post, I will go over what can cause a broken certificate chain and how to verify your certificate chain properly.
There are two main types of broken certificate chains. The first is the malformed, or out-of-order, certificate chain. The second is an incomplete certificate chain.
Malformed Certificate Chain
If my certificate chain for my website, thedxt.ca, was configured in the following order:
- A server certificate for thedxt.ca.
- The public root CA GTS Root R1 certificate.
- The intermediate CA GTS CA 1P5 certificate.
This order would produce a broken certificate chain: the certificates are out of order, so the chain is considered malformed, which can cause validation problems.
The image above is an example of a malformed certificate chain, as each item is not issued by the previous one.
Incomplete Certificate Chain
Another common issue that causes broken certificate chains is an incomplete certificate chain. An incomplete certificate chain means a certificate is missing in the certificate chain. Usually, this is when one or more intermediate CA certificates are missing. It’s an issue because the path to the root CA can’t be completed.
The image above is an example of an incomplete certificate chain, as there are no links to follow for the path to the root CA.
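The following added example (not code from the original post) walks a presented chain leaf-first the way a strict client would, one that never fetches missing certificates on its own, and classifies it as correct, malformed (out of order) or incomplete, covering both cases described above. The certificates are constructed stand-ins carrying only subject and issuer names, modelled on the thedxt.ca chain; the trust store contents are assumed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    """Stand-in for an X.509 certificate holding only the names the walk needs."""
    subject: str
    issuer: str

    @property
    def is_self_signed(self) -> bool:
        return self.subject == self.issuer

# Constructed sample certificates modelled on the chain the post describes.
LEAF = Cert("thedxt.ca", "GTS CA 1P5")
INTERMEDIATE = Cert("GTS CA 1P5", "GTS Root R1")
ROOT = Cert("GTS Root R1", "GTS Root R1")
TRUST_STORE = {ROOT.subject}  # what the client already trusts (assumed)

def check_chain(sent, trust_store=TRUST_STORE):
    """Walk the chain a server sent, leaf first, like a strict client that
    never fetches missing certificates on its own (unlike a web browser).

    Returns (status, ordered_chain, detail):
      "ok"             each cert is issued by the next; path reaches a trusted root
      "out_of_order"   every link is present but not in leaf-to-root order
      "incomplete"     a link is missing; detail names the issuer not found
      "untrusted_root" the path ends at a self-signed cert the client does not trust
    """
    by_subject = {c.subject: c for c in sent}
    ordered = [sent[0]]
    current = sent[0]
    while not current.is_self_signed and current.issuer not in trust_store:
        nxt = by_subject.get(current.issuer)
        if nxt is None or nxt in ordered:  # missing link (or a loop in the bundle)
            return "incomplete", ordered, current.issuer
        ordered.append(nxt)
        current = nxt
    if current.is_self_signed and current.subject not in trust_store:
        return "untrusted_root", ordered, current.subject
    # Every link was found; the chain is malformed only if the server's order differs.
    status = "ok" if sent[:len(ordered)] == ordered else "out_of_order"
    return status, ordered, None

if __name__ == "__main__":
    for name, chain in [("correct", [LEAF, INTERMEDIATE, ROOT]),
                        ("malformed", [LEAF, ROOT, INTERMEDIATE]),
                        ("incomplete", [LEAF])]:
        status, ordered, detail = check_chain(chain)
        print(f"{name:10} -> {status:14} {[c.subject for c in ordered]} {detail or ''}")
```

The ordered chain returned for a malformed bundle is the leaf-to-root order the server should have sent.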
The Why
Many people don’t realize they have a broken certificate chain, as most things will just work even when the certificate chain is broken. Web browsers try to fix broken certificate chains for websites so users don’t run into issues.
A very common practice for checking if your SSL/TLS certificate is working on a public-facing item is to use a web browser to browse to the item and see if you get any certificate issues. Because web browsers auto-fix broken certificate chains, you end up with a false sense that everything is working correctly.
If you can’t trust a web browser to check if your certificate chain is correct, how do you check it?
…