I'm connecting to a specific web server via a firewall, but when I do that the firewall alerts that the root certificate is expired. When I bypass the firewall, all browsers see no problem with the certificates, and when I check the chain, all certificates are OK.
I took a deeper look at it and found out that the browser is actually replacing the expired certificate sent by the server with one that is not expired from the Windows certificate store. (The server sends a chain of four certificates: root, intermediate 1, intermediate 2 and server certificate. Intermediate 1 is expired. It's replaced by the browser/OS and becomes the root certificate for the browser. It's a GlobalSign chain of certificates.)
Apparently they have the same friendly name and possibly other similar properties (of course the public key is the same). Since IE/Chrome are doing the same, it looks pretty much like some Windows feature used by browsers.
Why does that happen? How can the certificate be replaced, and is there any potential danger I'm not aware of?
Here's an image comparing the browser's certificate viewer and the packet capture.
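The behaviour described in the question is ordinary certificate path building: the client takes the leaf, then looks up each issuer by subject name and key identifier in its own store before falling back to whatever the server sent, and a local, unexpired certificate carrying the same public key wins over an expired cross-signed one from the handshake. The model below is an added example written for this page, not code from the original post, from Windows, or from any browser; it does no real X.509 parsing, and the certificate names, key identifiers and dates are constructed stand-ins (not real GlobalSign certificates) that merely mirror the four-certificate chain the question describes.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not parsed)."""
    subject: str
    issuer: str
    ski: str            # Subject Key Identifier: identifies this cert's public key
    aki: str            # Authority Key Identifier: SKI of the key that signed it
    not_before: date
    not_after: date
    source: str         # "server" (sent in the TLS handshake) or "store" (local)

    def is_self_signed(self) -> bool:
        return self.subject == self.issuer and self.ski == self.aki

    def valid_on(self, day: date) -> bool:
        return self.not_before <= day <= self.not_after


class PathBuildError(Exception):
    pass


def build_path(leaf, server_chain, trust_anchors, today, max_len=10):
    """Walk from the leaf towards a trust anchor, choosing each issuer by
    (subject name, key identifier) rather than by position in the server's
    chain.  Unexpired local anchors win over whatever the server sent."""
    path = [leaf]
    current = leaf
    while not (current.is_self_signed() and current in trust_anchors):
        if len(path) >= max_len:
            raise PathBuildError("path too long or cyclic")
        candidates = [
            c for c in list(trust_anchors) + list(server_chain)
            if c.subject == current.issuer
            and c.ski == current.aki          # same signing key
            and c.valid_on(today)             # expired candidates are skipped
            and c not in path
        ]
        if not candidates:
            raise PathBuildError(f"no valid issuer found for {current.subject!r}")
        candidates.sort(key=lambda c: c not in trust_anchors)  # anchors first
        current = candidates[0]
        path.append(current)
    return path


def first_expired_as_sent(server_chain, today):
    """What a middlebox that checks the chain exactly as sent would report."""
    for c in server_chain:
        if not c.valid_on(today):
            return c.subject
    return None


def path_summary(path):
    return [(c.subject, c.source) for c in path]


# Constructed data (hypothetical names and key ids, modelled on the question).
TODAY = date(2019, 3, 22)
K_OLD, K_R3, K_INT, K_LEAF = "key-old-root", "key-r3", "key-int", "key-leaf"

OLD_ROOT = Cert("Example Root CA", "Example Root CA", K_OLD, K_OLD,
                date(1998, 1, 1), date(2028, 1, 1), "server")
# "intermediate 1": the R3 key cross-signed by the old root, already expired
CROSS_R3 = Cert("Example Root CA - R3", "Example Root CA", K_R3, K_OLD,
                date(2009, 1, 1), date(2019, 3, 1), "server")
INTERMEDIATE = Cert("Example RSA OV CA 2018", "Example Root CA - R3", K_INT, K_R3,
                    date(2018, 1, 1), date(2028, 1, 1), "server")
LEAF = Cert("www.example.test", "Example RSA OV CA 2018", K_LEAF, K_INT,
            date(2019, 1, 1), date(2020, 1, 1), "server")
SERVER_CHAIN = [LEAF, INTERMEDIATE, CROSS_R3, OLD_ROOT]

# Local store: the same R3 public key, but self-signed and still valid.
STORE_R3 = Cert("Example Root CA - R3", "Example Root CA - R3", K_R3, K_R3,
                date(2009, 1, 1), date(2029, 1, 1), "store")
STORE_OLD = Cert("Example Root CA", "Example Root CA", K_OLD, K_OLD,
                 date(1998, 1, 1), date(2028, 1, 1), "store")
TRUST_ANCHORS = {STORE_R3, STORE_OLD}

if __name__ == "__main__":
    print("chain as sent, first expired cert:", first_expired_as_sent(SERVER_CHAIN, TODAY))
    print("browser-style path:", path_summary(build_path(LEAF, SERVER_CHAIN, TRUST_ANCHORS, TODAY)))
```

Running it shows the two views side by side: the as-sent check flags the expired cross-signed "intermediate 1", while the path builder stops at the store's self-signed R3 certificate after only three hops and never touches the expired one or the old root the server appended. Remove `STORE_R3` from the anchors and set the date back before the cross-certificate's expiry, and the builder walks through the server's cross-signed cert to the old root instead, which is how the same chain validated before the cross-certificate expired.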
Why does your PC's certificate store have the webserver's cert installed in the first place? Is it a self-signed certificate that you've installed as a "trusted root"? – user1686 – 2019-03-22T11:39:04.417
It's actually the root certificate that is expired. The server sends a chain of four certificates: root, intermediate 1, intermediate 2 and server certificate. The Intermediate 1 is expired. It's replaced by the browser/OS and becomes the root certificate for the browser. It's a GlobalSign chain of certificates. – HSC – 2019-03-22T11:45:14.020
Maybe related to https://superuser.com/questions/1015424/could-merely-visiting-a-web-site-push-a-root-ca-as-trusted-onto-my-pc – Arjan – 2019-03-22T11:48:25.527
Thanks. So it's possibly not replacing but only ignoring the ones sent by the web server and downloading a valid certificate from somewhere else. – HSC – 2019-03-22T11:54:26.590
For a root certificate it makes sense – ordinarily those aren't sent by the server at all, and only retrieved from the root certificate store (because why would a client trust them if they're not in the root cert store yet?) – user1686 – 2019-03-22T11:58:59.607
I agree with you on that point. I'm a bit surprised that there are more than one root certificate with the same public key though. – HSC – 2019-03-22T12:06:55.010
I've merged your comment into the question and its title. But: your comment also says "It's actually the root certificate that is expired", so I'm not 100% sure the edit is 100% accurate? – Arjan – 2019-03-22T12:14:14.987
That's right, the actual root (sent by the webserver) is ignored and the intermediate becomes the root. As gravity noted it makes sense to ignore the intermediates and root from the server. Thanks for the edit. – HSC – 2019-03-22T12:21:40.740
I've attached an image that might make things clearer. – HSC – 2019-03-22T12:27:07.607
Well, renewing a cert (especially a CA) with same keypair is not uncommon. – user1686 – 2019-03-22T12:46:12.703