
I'm running a private CA for testing purposes. I have my root CA cert, an intermediate CA cert, and some server certificates. Clients have the root CA cert installed as trusted.

It's not clear to me if the server, let's say nginx but not necessarily, should return the complete certificate chain (server+intermediate+ca) or the certificate chain truncated to the certificate the client is supposed to already have (server+intermediate).

I ask because I see some clients trusting my server certificate (the truncated chain) and some not. Chromium-based browsers and Firefox accept it, but more exotic clients like the VMware Remote Console complain with "incomplete chain" when the same truncated certificate chain is installed in VMware ESXi.

What is the certificate chain supposed to look like?

ragazzojp
  • The last certificate in the chain (the self-signed certificate) is the trust anchor. For maximum security the client should be trusting the full chain all the way to the anchor. https://en.wikipedia.org/wiki/X.509 explains it well and provides references. – postoronnim May 03 '21 at 18:24
  • The trust anchor (root CA) needs to be already trusted by the client. It should never be retrieved from what the server sends, since otherwise man-in-the-middle attacks would be easy. If some clients complain, then they don't have the necessary trust anchor installed. Note that there is typically no central trust store which is used by every client, i.e. different clients might have different trust stores. – Steffen Ullrich May 03 '21 at 18:40
  • Although there is no security benefit to be gained from the server including the root certificate with the rest of the certificates in the certificate chain, it is not uncommon for the server to include the root cert in the chain. See https://security.stackexchange.com/questions/65332/ssl-root-certificate-optional/248984#248984 for more info. – mti2935 May 04 '21 at 00:28
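The comments above describe how a client builds a path from the server's leaf certificate to an anchor in its own trust store. The following is an added example (not code from the question or the commenters) that simulates that path-building logic on the three-tier PKI the question describes. It is a simulation: certificates are modelled as subject/issuer name records and signature verification is stood in for by issuer/subject matching, which is an assumption made so the example runs without a real PKI. The names `Test Root CA`, `Test Intermediate CA` and `www.example.test` are constructed for the example. It covers the cases the question raises: server sends leaf+intermediate (correct), server also sends the root (harmless, ignored), server sends only the leaf (the "incomplete chain" error), and a root that arrives over the wire but is not in the local store (rejected).

```python
"""Simulated TLS certificate path building (added example, not a real X.509 verifier).

A certificate is a (subject, issuer) record; "issuer signed this cert" is
approximated by issuer == other.subject. Names below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


# Constructed private PKI mirroring the question: root -> intermediate -> server.
ROOT = Cert("Test Root CA", "Test Root CA")
INTERMEDIATE = Cert("Test Intermediate CA", "Test Root CA")
SERVER = Cert("www.example.test", "Test Intermediate CA")


def build_path(presented, trust_store):
    """Return the validated path [leaf, ..., anchor] or raise ValueError.

    presented:   certificates received from the server, leaf first.
    trust_store: certificates the client already trusts (its local anchors).
    Only a certificate from trust_store may terminate the path; a self-signed
    certificate that arrived over the wire is never promoted to an anchor.
    """
    if not presented:
        raise ValueError("no certificate presented")
    # Extra certificates from the wire are only candidates for intermediate links.
    by_subject = {c.subject: c for c in presented[1:]}
    anchors = {c.subject: c for c in trust_store}
    path = [presented[0]]
    seen = {presented[0].subject}
    while True:
        current = path[-1]
        if current.issuer in anchors:
            # Issuer is locally trusted: path complete. If the server also sent a
            # copy of the root, it is simply not used; the local copy is.
            path.append(anchors[current.issuer])
            return path
        nxt = by_subject.get(current.issuer)
        if nxt is None:
            # Neither the server nor the local store supplied the issuer.
            raise ValueError(f"incomplete chain: no certificate for issuer {current.issuer!r}")
        if nxt.self_signed:
            # A root from the wire that is not in the store must not be trusted.
            raise ValueError(f"untrusted root {nxt.subject!r}: anchors come from the local store, not the server")
        if nxt.subject in seen:
            raise ValueError("cycle in presented certificates")
        seen.add(nxt.subject)
        path.append(nxt)


def outcome(presented, trust_store):
    """Human-readable result of build_path, used by the scenarios below."""
    try:
        return "ok: " + " -> ".join(c.subject for c in build_path(presented, trust_store))
    except ValueError as exc:
        return "rejected: " + str(exc)


if __name__ == "__main__":
    scenarios = {
        "leaf+intermediate, root in store":      ([SERVER, INTERMEDIATE], [ROOT]),
        "leaf+intermediate+root, root in store": ([SERVER, INTERMEDIATE, ROOT], [ROOT]),
        "leaf only, root in store":              ([SERVER], [ROOT]),
        "leaf+intermediate+root, empty store":   ([SERVER, INTERMEDIATE, ROOT], []),
        "leaf only, root+intermediate in store": ([SERVER], [ROOT, INTERMEDIATE]),
    }
    for name, (presented, store) in scenarios.items():
        print(f"{name:40s} {outcome(presented, store)}")
```

The third scenario reproduces the "incomplete chain" complaint: a client whose store holds only the root cannot link the leaf to it unless the server supplies the intermediate. The last scenario shows why some clients tolerate the omission: a store that already contains the intermediate (or a client that caches intermediates, as browsers commonly do) completes the path locally. Sending the root is never what makes a chain verify, because only the store's copy is accepted as an anchor.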

0 Answers