Browser replacing expired intermediate certificate with new root certificate

1

I'm connecting to an specific web server via firewall but when I do that the firewall alerts that the root certificate is expired, when I bypass the firewall all browser see no problem with the certificates and when I check the chain all certificates are ok.

I took a deeper look at it and found out that the browser is actually replacing the expired certificate sent by the server with one not expired from the windows certificate store. (The server sends a chain of four certificates: root, intermediate 1, intermediate 2 and server certificate. The Intermediate 1 is expired. It's replaced by the browser/OS and becomes the root certificate for the browser. It's a GlobalSign chain of certificates.)

Apparently they have the same friendly name and possibly other similar properties (of course the public key is the same). Since IE/Chrome are doing the same it looks like pretty much like some windows feature used by browsers.

Why does that happen? How can the certificate be replaced and is there any potential danger I'm not aware?

Here's an image capture comparing the browsers viewer and the packet capture

HSC

Posted 2019-03-22T11:16:24.460

Reputation: 21

Why does your PC's certificate store have the webserver's cert installed in the first place? Is it a self-signed certificate that you've installed as a "trusted root"? – user1686 – 2019-03-22T11:39:04.417

It's actually the root certificate that is expired. The server sends a chain of four certificates: root, intermediate 1, intermediate 2 and server certificate. The Intermediate 1 is expired. It's replaced by the browser/OS and becomes the root certificate for the browser. It's a GlobalSign chain of certificates. – HSC – 2019-03-22T11:45:14.020

Maybe related to https://superuser.com/questions/1015424/could-merely-visiting-a-web-site-push-a-root-ca-as-trusted-onto-my-pc

– Arjan – 2019-03-22T11:48:25.527

Thanks. So it's possibly not replacing but only ignoring the ones sent by the webserver and downloading a valid certificate from somewhere else. – HSC – 2019-03-22T11:54:26.590

For a root certificate it makes sense – ordinarily those aren't sent by the server at all, and only retrieved from the root certificate store (because why would a client trust them if they're not in the root cert store yet?) – user1686 – 2019-03-22T11:58:59.607

I agree with you on that point. I'm a bit surprised that there are more than one root certificate with the same public key though. – HSC – 2019-03-22T12:06:55.010

I've merged your comment into the question and its title. But: your comment also says "It's actually the root certificate that is expired", so I'm not 100% sure the edit is 100% accurate? – Arjan – 2019-03-22T12:14:14.987

That's right, the actual root (sent by the webserver) is ignored and the intermediate becomes the root. As gravity noted it makes sense to ignore the intermediates and root from the server. Thanks for the edit. – HSC – 2019-03-22T12:21:40.740

I've attached and image that might make things clearer. – HSC – 2019-03-22T12:27:07.607

Well, renewing a cert (especially a CA) with same keypair is not uncommon. – user1686 – 2019-03-22T12:46:12.703

Answers

1

ANSWER: Windows ignores CA certificates provided by the webserver. It'll check only the webserver's certificate against the appropriate CA certificate that is stored in the operating system's CA certificate store, those ones are trusted by the operating system. Windows also has its ways to retrieve the CA certificate chain that issued the webserver's certificate if the chain is not already stored in the CA certificate Store of the operating system. Some more details about this can be found here:

Could merely visiting a web site push a root CA as trusted onto my PC?

Some firewalls will check CA certificates sent by the webserver and block the access if one of the certificates is expired. Firewalls in general have a diferent behaviour regarding certificates compared to regular operating systems such as Windows.

We also learned that CA certificates can be reissued with different serial numbers and validity dates. The certificate will have the same "Friendly Name" and key pairs.

In this specific case the webserver is sending an old version of one CA Certificate belonging to the chain, the firewall is detecting that the certificate is expired and blocking the access to the website. When firewall is bypassed the site can be accessed, that happens because windows have the new version of the CA certificate and check the webserver's certificate against it.

HSC

Posted 2019-03-22T11:16:24.460

Reputation: 21

Asked: 2019-03-22T11:16:24.460

Viewed: 154 times

Active: 2019-03-22T19:04:51.880