-1

The SSL certificate for one of our sites expired and I've been given the task of renewing it despite not being a server admin of any sort. I've completed the certificate request and added it to the server certificates. Then, I assigned this new certificate to the https bindings for the site in question.

When I view the certificate, it shows an expiration in 2020, from the Entrust provider, with a SHA256 hash and a SHA1 thumbprint.

If I am on our company's network and visit the site, I can see the new certificate being served correctly. However, any user outside of this network, including if I disconnect, will get a "Certificate not trusted" error. Upon inspection of the certificate now being served, it shows the old SHA1 hash expired certificate.

I've checked the certlog using DigiCertUtil and verified there are no SSL hashes that correspond to existing, valid certificates. There are also no other HTTPS bindings associated with this site. What am I missing here?

JWiley
  • 99
  • 2

2 Answers

1

If I am on our company's network and visit the site, I can see the new certificate being served correctly. However, any user outside of this network,

If you see a valid cert when connecting directly, but can't when connecting externally, this probably means there is a proxy of some sort between you and the server. Perhaps a load balancer, or some kind of security appliance. When you connect from the outside, look closely at the destination address your site name resolves to. Find the system with that address and fix it. Or find the person responsible for that system.

Zoredache
  • 128,755
  • 40
  • 271
  • 413
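The check this answer recommends, as an added example (not part of the answer above): for one server name, fetch the certificate actually presented at the internal server address and at the address external users reach, and compare each SHA-1 thumbprint with the one the IIS certificate view shows. The script assumes `openssl` is installed; the host, the addresses and the script name are placeholders. The thumbprint formats differ between IIS ("a9 09 50 2d ...") and openssl ("SHA1 Fingerprint=A9:09:50:2D:..."), so the comparison normalises both first.

```shell
#!/bin/sh
# Added example, not from the original question or answers. Fetches the
# certificate served for one server name at several addresses and compares
# each SHA-1 thumbprint with the one bound in IIS. Assumes openssl is
# installed; host name and addresses are placeholders given on the command line.

# Normalise a thumbprint so that IIS's "a9 09 50 2d ..." display and
# openssl's "SHA1 Fingerprint=A9:09:50:2D:..." output can be compared:
# drop any "label=" prefix, remove colons and spaces, upper-case the hex.
normalize_thumbprint() {
    printf '%s' "$1" | sed 's/^[^=]*=//' | tr -d ': ' | tr 'a-f' 'A-F'
}

# Return 0 (true) when two thumbprints, in any of the above formats, are equal.
thumbprint_matches() {
    [ "$(normalize_thumbprint "$1")" = "$(normalize_thumbprint "$2")" ]
}

# Print the leaf certificate (PEM) presented for server name $1 at $2:443.
# SNI is sent deliberately: a load balancer or proxy may select its
# certificate by server name, so connecting by bare IP would test the wrong thing.
served_cert_pem() {
    printf '' | openssl s_client -servername "$1" -connect "$2:443" 2>/dev/null \
        | openssl x509
}

# Usage (hypothetical names): sh check_cert.sh www.example.com 'a9 09 50 2d ...' 10.0.0.5 203.0.113.7
# Argument 2 is the thumbprint copied from the IIS certificate view; the rest
# are the addresses to test (internal server first, then what the name
# resolves to from outside the company network).
main() {
    host="$1"; expected="$2"; shift 2
    for ip in "$@"; do
        echo "== $host via $ip"
        pem=$(served_cert_pem "$host" "$ip") || { echo "   no certificate (connection failed)"; continue; }
        printf '%s\n' "$pem" | openssl x509 -noout -subject -issuer -dates
        fp=$(printf '%s\n' "$pem" | openssl x509 -noout -fingerprint -sha1)
        if thumbprint_matches "$expected" "$fp"; then
            echo "   thumbprint matches the certificate bound in IIS"
        else
            echo "   DIFFERENT certificate ($fp): this address is not (directly) your server"
        fi
    done
}

# Only run when addresses were given, so the functions can also be sourced.
if [ "$#" -ge 3 ]; then main "$@"; fi
```

To find the external address, resolve the name from outside the company network (or against a public resolver, e.g. `nslookup www.example.com 8.8.8.8`, with the resolver being an assumption here) and compare it with what internal DNS returns; if the two differ, the system at the external address is the one still holding the old certificate.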
0

Basically, you shouldn't have the old SHA1 thumbprint enabled anymore. Modern browsers don't use that encryption method anymore, since it's insecure. You should test it on different browsers and systems in your company.

Secondly, some CA providers may be forbidden due to their assumed MITM (Man-In-The-Middle attack) attempts. As far as I know, StartSSL.com has already been banned by the Mozilla Foundation, and all the latest Mozilla Firefox browsers won't trust its CA anymore, but StartSSL is still providing CA services.

Thirdly, check your CA chain. The CA chain usually has 3 layers, more or less. If one link of the chain is not from a trusted provider, the CA won't be trusted by the client.

dotslash
  • 219
  • 3
  • 15
  • I've read elsewhere, including on this site, that the thumbprint isn't relevant, and that the browser only checks the hash algorithm. Not sure why StartSSL is mentioned since I'm using Entrust. Could you explain more on your last point with the CA chain? – JWiley Mar 16 '17 at 15:40
  • This [wiki](https://en.wikipedia.org/wiki/Chain_of_trust) is helpful, I think. Normally the CA provider would give you several CA files (one per layer). Some providers provide CA chains as 2 or 3 files. You can combine them by writing a new file including all of their content. Usually you need the full-chain CA, which includes all of the CAs, just as the wiki says. – dotslash Mar 16 '17 at 15:53
  • Thanks. I've verified that the chain is correct and a trusted provider, but that doesn't explain the discrepancy between old/new certificates being served depending on where you are accessing them from. – JWiley Mar 16 '17 at 16:07
  • Did you try this on different browsers on different OS? – dotslash Mar 16 '17 at 16:09
  • Yes: not OS dependent, and it is a problem on Firefox and Chrome, as they recently deprecated SHA1. – JWiley Mar 16 '17 at 16:16
  • You have to drop the SHA1 sum (re-sign the CA using strong encryption). FF and Chrome abandoned that long ago. – dotslash Mar 16 '17 at 16:24
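On the two points argued in this answer and its comments, a caveat a practitioner would want: the SHA-1 thumbprint that IIS and DigiCertUtil display is a hash of the whole certificate used to identify it in the store, and no client evaluates it; the SHA-1 deprecation in Firefox and Chrome applies to the signature algorithm the CA used to sign each certificate in the chain. The added script below (not part of dotslash's answer or comments) checks both of the things this answer raises in the way a browser experiences them: it pulls the chain the server actually sends, reports the signature algorithm of every certificate in it, and verifies the leaf using only the sent intermediates plus the local trust store. It assumes `openssl` is installed; host and address are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original answer. Pulls the chain a server
# actually sends, reports the signature algorithm of each certificate in it
# and verifies the leaf using only the sent intermediates. Assumes openssl is
# installed; host name and address are placeholders given on the command line.

# Save the PEM chain from "s_client -showcerts" as numbered files in $3
# (cert0.pem is the leaf, cert1.pem the first intermediate, ...), for server
# name $1 at address $2.
fetch_chain() {
    host="$1"; ip="$2"; dir="$3"
    printf '' | openssl s_client -servername "$host" -connect "$ip:443" -showcerts 2>/dev/null \
      | awk -v dir="$dir" '
          /-----BEGIN CERTIFICATE-----/ { f = dir "/cert" (n+0) ".pem"; n++ }
          f { print > f }
          /-----END CERTIFICATE-----/ { close(f); f = "" }'
}

# Classify a signature algorithm name as printed by "openssl x509 -text"
# (e.g. "sha1WithRSAEncryption"). Returns 0 (true) for SHA-1 or MD5 based
# signatures, which current Firefox and Chrome reject for publicly trusted
# certificates; SHA-2 and ECDSA-with-SHA-2 names return 1.
is_weak_sigalg() {
    case "$1" in
        sha1*|md5*|*SHA1*|*MD5*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the signature algorithm of each certificate in $1/cert*.pem.
report_sigalgs() {
    for f in "$1"/cert*.pem; do
        [ -f "$f" ] || continue
        alg=$(openssl x509 -in "$f" -noout -text | awk '/Signature Algorithm/ { print $3; exit }')
        if is_weak_sigalg "$alg"; then flag="WEAK"; else flag="ok"; fi
        printf '%s: %s (%s)\n' "$f" "$alg" "$flag"
    done
}

# Verify the leaf with only the intermediates the server sent, never the
# local machine's own copy of them: that is all an external client gets.
verify_sent_chain() {
    dir="$1"
    if [ -f "$dir/cert1.pem" ]; then
        cat "$dir"/cert[1-9]*.pem > "$dir/intermediates.pem"
        openssl verify -untrusted "$dir/intermediates.pem" "$dir/cert0.pem"
    else
        echo "server sent no intermediates; external clients must already have them"
        openssl verify "$dir/cert0.pem"
    fi
}

# Usage (hypothetical names): sh check_chain.sh www.example.com 203.0.113.7
main() {
    dir=$(mktemp -d)
    fetch_chain "$1" "$2" "$dir"
    report_sigalgs "$dir"
    verify_sent_chain "$dir"
    rm -rf "$dir"
}

if [ "$#" -eq 2 ]; then main "$@"; fi
```

Run it once against the internal address and once against the external one: an "unable to get local issuer certificate" result from `openssl verify` on the external run is the missing-intermediate case described in the comments above, while a `WEAK` line on cert0.pem means the leaf itself carries a SHA-1 signature and must be reissued, whatever its thumbprint.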