
I just got a new SSL cert for a domain which was previously covered by a wildcard SSL cert. It's been over a week since it's been installed and about 99% of my users aren't having an issue. There are now just the one or two (that I know about) which get a "Site Not Trusted" warning, so I am assuming they are seeing the old certificate when they connect. Is there a way to force all browsers to use the new SSL certificate when they connect? (It's NGINX on Ubuntu.)

Andy Jarrett
  • If the new certificate location has replaced the old location in nginx config, then that is the one that nginx will use. – Paul Sep 19 '16 at 14:48

1 Answer


I assume that you have an issue with your certificate (e.g. missing intermediate certificate) and the certification chain is broken for some clients/browsers.

Best practice is to use external tools to check your SSL/TLS setup after you've installed a new certificate on a server.

Good tools are Qualys SSL Labs or CryptCheck.

Remember that Nginx does not have an option for intermediate certificates. You have to bundle them into one file and provide this via the ssl_certificate option. Such a certificate file contains your certificate and all required intermediate certificates.

If you would like to use OCSP, there is an option ssl_trusted_certificate which is more or less the same file as given above plus the CA's root certificate.

Actually, the SSL Labs report is pretty helpful. There is a section "Additional Certificates (if supplied)" which shows every certificate in your certificate file (the one set with the option ssl_certificate). Together with the section "Certification Paths" you can see the different certification paths, where which certificate has been used, and which certificate is missing. You can even see which one is obsolete if you have provided too many. You can also use the SHA256 fingerprint to google for a missing certificate, download it and fix your setup.

Jens Bradler
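The checks behind the answer, as an added example that is not code from the question or from Jens Bradler's answer. The script builds a throwaway root -> intermediate -> leaf PKI with openssl (so it runs offline), writes the three kinds of bundle an nginx ssl_certificate directive might point at, and runs the checks that catch the two classic mistakes: a bundle that is missing the intermediate (clients that hold only the root cannot build a path) and a bundle with the intermediate before the leaf (nginx takes the first certificate as the server certificate). It assumes openssl is on PATH; the name www.example.test, the subject names and all file names are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# Builds a throwaway root -> intermediate -> leaf PKI with openssl, writes the
# bundles an nginx ssl_certificate might point at, and runs the checks that
# catch a missing intermediate and a wrongly ordered bundle. Every name here
# (example.test, the subjects, the file names) is an assumption made up for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
EC="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"

# --- 1. Constructed test PKI (root CA, intermediate CA, server leaf) ---------
openssl req -x509 $EC -keyout root.key -out root.pem -days 3650 \
  -subj "/CN=Example Test Root" >/dev/null 2>&1

printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >ca.ext
openssl req $EC -keyout int.key -out int.csr -subj "/CN=Example Test Intermediate" >/dev/null 2>&1
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1825 -extfile ca.ext -out int.pem >/dev/null 2>&1

printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' >leaf.ext
openssl req $EC -keyout leaf.key -out leaf.csr -subj "/CN=www.example.test" >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -days 365 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1

# --- 2. The bundles ------------------------------------------------------------
# What the nginx directives would point at (paths are assumptions):
#   ssl_certificate         fullchain.pem;  # leaf first, then intermediate(s)
#   ssl_certificate_key     leaf.key;
#   ssl_trusted_certificate trusted.pem;    # intermediate(s) + root, for ssl_stapling_verify
cat leaf.pem int.pem  >fullchain.pem    # correct
cp  leaf.pem           leaf-only.pem    # broken: intermediate missing
cat int.pem  leaf.pem >wrong-order.pem  # broken: intermediate before leaf
cat int.pem  root.pem >trusted.pem

# --- 3. Checks -----------------------------------------------------------------
# The server cert (first cert in the bundle) must chain to the root using only
# the other certs in the same bundle, which is what a client holding just the
# root sees. -untrusted loads every cert in the file as a candidate intermediate.
chain_ok() {
  openssl x509 -in "$1" -out first.pem 2>/dev/null   # x509 reads only the first cert
  openssl verify -CAfile root.pem -untrusted "$1" first.pem >/dev/null 2>&1
}

# The first cert must belong to the private key: nginx treats it as the server
# cert and refuses to start with "key values mismatch" otherwise.
key_matches() {
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Each cert's issuer must be the subject of the next cert in the file, i.e. the
# file is ordered leaf -> intermediate(s) -> (optional) root.
order_ok() {
  rm -f part-*.pem
  awk '/-----BEGIN CERTIFICATE-----/{n++} n>0{print > ("part-" n ".pem")}' "$1"
  expect=""
  for f in part-*.pem; do                           # lexical order is fine for < 10 certs
    subj=$(openssl x509 -in "$f" -noout -subject -nameopt RFC2253 | sed 's/^[a-z]*= *//')
    if [ -n "$expect" ] && [ "$expect" != "$subj" ]; then
      echo "  order: expected '$expect' next, found '$subj'" >&2
      return 1
    fi
    expect=$(openssl x509 -in "$f" -noout -issuer -nameopt RFC2253 | sed 's/^[a-z]*= *//')
  done
  return 0
}

# Run all three checks; exit status 0 only when every check passes.
check_bundle() {
  rc=0
  chain_ok "$1"         || { echo "  chain: first cert does not chain to the root (missing intermediate?)" >&2; rc=1; }
  key_matches "$1" "$2" || { echo "  key:   first cert does not match $2" >&2; rc=1; }
  order_ok "$1"         || rc=1
  return $rc
}

for b in fullchain.pem leaf-only.pem wrong-order.pem; do
  if check_bundle "$b" leaf.key; then echo "$b: PASS"; else echo "$b: FAIL"; fi
done
```

Run it with `sh check-chain.sh` (or whatever name you save it under): fullchain.pem passes, leaf-only.pem fails the chain check, and wrong-order.pem fails both the key and the order check. To run the same chain check against a live server, capture what it actually sends with `openssl s_client -connect host:443 -servername host -showcerts </dev/null`, save the certificates from that output as the bundle and use your system CA file as `-CAfile`; a missing intermediate shows up there as "unable to verify the first certificate". One caveat that explains the "99% are fine" pattern: many clients (Chrome, Windows and macOS via AIA fetching, Firefox via cached intermediates) silently repair a missing intermediate, so only clients without that behaviour, and tools like the SSL Labs scan, see the broken chain.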