
I have installed a certificate issued by DigiCert on one of my web servers. I then used another server of mine as a client to curl my new certificate, which validated successfully.

While I was trying to familiarize myself with the whole certification procedure, I noticed that the root CA of my certificate is not installed on the client machine.

This is the openssl test from client to the server with the new cert:

root@testserver# openssl s_client -showcerts -connect server_ip:443 -servername www.my-site.com
CONNECTED(00000003)
depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2008 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA - G3
verify return:1
depth=1 C = US, O = "thawte, Inc.", OU = Domain Validated SSL, CN = thawte DV SSL SHA256 CA
verify return:1
depth=0 CN = www.my-site.com
verify return:1
---
Certificate chain
 0 s:/CN=www.my-site.com
   i:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL SHA256 CA
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
 1 s:/C=US/O=thawte, Inc./OU=Domain Validated SSL/CN=thawte DV SSL SHA256 CA
   i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2008 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA - G3
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----
 2 s:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
   i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root G2
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----

As far as I am aware, in order for the certificate to be verified, the root CA must be installed on the client system (my testserver). Therefore, since this certificate is indeed verified, the root CA from the above chain, that is, DigiCert Global Root G2, must be present on my machine.

The thing is, I cannot find that specific root CA on my system. When I search for the installed root CAs on my system, I only see three certificates:

root@testserver:~# ls -l /usr/share/ca-certificates/mozilla/DigiCert_*
-rw-r--r-- 1 root root 1350 Sep 24  2014 /usr/share/ca-certificates/mozilla/DigiCert_Assured_ID_Root_CA.crt
-rw-r--r-- 1 root root 1338 Sep 24  2014 /usr/share/ca-certificates/mozilla/DigiCert_Global_Root_CA.crt
-rw-r--r-- 1 root root 1367 Sep 24  2014 /usr/share/ca-certificates/mozilla/DigiCert_High_Assurance_EV_Root_CA.crt

There is only one DigiCert Root CA (not G2), and the certificate does not match the one in the chain.

root@testserver:~# cat /usr/share/ca-certificates/mozilla/DigiCert_Global_Root_CA.crt
-----BEGIN CERTIFICATE-----
[certificate body omitted]
-----END CERTIFICATE-----

How does the certificate get verified since the root CA is not installed on my system?

giomanda
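The verification path in the s_client output above ends at depth=2 with the thawte root, not with the DigiCert Global Root G2 certificate listed as cert #2. The following added example (not from the question or the comments; CA names and file names are made up, and it needs the openssl CLI) reproduces that with a throwaway PKI: the presented chain carries an unrelated self-signed certificate, and the leaf still verifies because OpenSSL anchors the path on a root from the client's own trust store, while a self-signed certificate that only the server sent is never used as an anchor.

```shell
# Added example, not the question's or the commenters' code; all names are
# made up. Builds a throwaway PKI in a temp dir and verifies a leaf whose
# presented chain includes an unrelated self-signed certificate.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions that make a certificate usable as a CA (verify rejects an
# intermediate that lacks basicConstraints CA:TRUE).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=critical,CA:FALSE\n' > leaf.ext

# new_csr CN NAME: fresh RSA key NAME.key and CSR NAME.csr with subject /CN=CN.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$2.key" -out "$2.csr" 2>/dev/null
}
# self_signed CN NAME: self-signed CA certificate NAME.crt.
self_signed() {
  new_csr "$1" "$2"
  openssl x509 -req -in "$2.csr" -signkey "$2.key" -days 2 \
    -extfile ca.ext -out "$2.crt" 2>/dev/null
}
# issued CN NAME CA EXT: certificate NAME.crt signed by CA.crt/CA.key with EXT.
issued() {
  new_csr "$1" "$2"
  openssl x509 -req -in "$2.csr" -CA "$3.crt" -CAkey "$3.key" -CAcreateserial \
    -days 2 -extfile "$4" -out "$2.crt" 2>/dev/null
}

self_signed "Example Root CA" root           # the root the client trusts
self_signed "Unrelated Root G2" stray        # stands in for DigiCert Global Root G2
issued "Example Issuing CA" int root ca.ext  # stands in for the thawte DV CA
issued "www.my-site.com" leaf int leaf.ext   # the server certificate

# What the server sends alongside the leaf: its issuer plus the stray root.
cat int.crt stray.crt > presented_chain.pem

# verify_leaf TRUSTSTORE: verify leaf.crt as a client whose only trust anchor
# is TRUSTSTORE; the presented certs are untrusted input, and -show_chain
# prints the path that was actually built.
verify_leaf() {
  openssl verify -no-CAfile -no-CApath -CAfile "$1" \
    -untrusted presented_chain.pem -show_chain leaf.crt
}

verify_leaf root.crt    # OK; depth=2 is Example Root CA, stray.crt never appears
verify_leaf stray.crt || echo "stray.crt alone is not a trust anchor for leaf.crt"
```

The second call fails with "unable to get local issuer certificate": the stray self-signed certificate, even though it sits in both the trust store and the presented chain, does not issue anything in the path, so the only thing that decides the outcome is whether the real root is installed locally.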
  • Is it possible the server is sending the full chain with the root and curl is dumb enough to verify it with the root that was sent instead of finding one locally? – virullius Dec 14 '17 at 19:29
  • I'm confused about the chain. Cert #1 claims to be Issued by "thawte Primary Root CA - G3", but then Cert #2 is "DigiCert Global Root G2". Either this is broken or I don't understand how to read this output. – virullius Dec 14 '17 at 19:33
  • @mjb2kmn That's exactly where I also get confused. The strange thing is that it appears to be validated without issues. Also, sslshopper indicates that the cert chain is ok. – giomanda Dec 14 '17 at 20:12

0 Answers