In SSL/TLS, what are the steps to fix 'chain issues : contains anchor'?
How can I fix the chain issues that contain anchors? I was looking for information regarding this and found the following chain issues:

Missing intermediate certificates: When a site does not provide the necessary intermediate certificates, a trust path cannot be established. Generally speaking, we cannot distinguish that case from a certificate signed by a custom CA. However, some server certificates include the information on which intermediate certificates are required, and also where to obtain them. SSL Labs will attempt to fetch missing certificates. If the intermediate certificates are found, then it's very likely that a trust path will be established. In such cases, the test will issue a warning. If your site receives the warning you should reconfigure the server to add the missing certificates.

Certificate chains that are too long: Sites often include more certificates in the handshake than necessary. Of those, most include one extra certificate, and that is the actual trusted root certificate (which browsers already have in their storage). This last certificate is not needed for the validation process. Having an additional certificate in the chain wastes bandwidth and decreases overall performance slightly. A small number of sites will include a very large number of certificates as a result of misconfiguration. Such sites will typically suffer significant performance issues and need to be reconfigured.

Certificates given in incorrect order: According to the standard, certificates must be presented in the order in which they are needed. The main (server) certificate must come first, followed by the certificate that signed it, followed by the next certificate in the chain, and so on. A small number of sites do not get this order right. Most SSL clients will deal with this problem silently, but there is a small number of platforms that will give up.
For fixing the "chain issues: contains anchor" warning, you can check the nginx documentation, which says that the ssl_trusted_certificate parameter contains trusted CA certificates used to verify client certificates and OCSP responses if ssl_stapling is enabled, and that the list of these certificates will not be sent to clients. Therefore I think that what ssllabs calls "Additional Certificates (if supplied)" are the certificates in the ssl_certificate file which are not the server certificate.
For me:
- public.crt should contain these 2 certificates:
  1) your server certificate
  2) StartCom Class 1 Primary Intermediate Server CA
- my-chain.pem should contain these 2 certificates:
  1) StartCom Class 1 Primary Intermediate Server CA // required to validate the server certificate OCSP response
  2) StartCom Certification Authority //
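As an added example (not part of the original answer), here is a small openssl-based check for the bundle you put in ssl_certificate: it flags a self-signed root in the bundle (the "contains anchor" finding) and a certificate that is not followed by its issuer (the "incorrect order" finding). The demo PKI (Demo Root CA, Demo intermediate, Demo leaf) and the three bundle files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original answer: check a PEM bundle meant for nginx's
# ssl_certificate for the two SSL Labs findings discussed above. "Contains anchor"
# means a self-signed root is in the bundle; "incorrect order" means some certificate
# is not followed by its issuer. Needs the openssl CLI; all names are constructed.

check_bundle() {
    bundle="$1"; work=$(mktemp -d); rc=0; prev_issuer=""; i=1
    # Split the bundle into cert.1.pem, cert.2.pem, ... in the order the server would send them.
    awk -v d="$work" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/cert." n ".pem")}' "$bundle"
    while [ -f "$work/cert.$i.pem" ]; do
        subj=$(openssl x509 -noout -subject -in "$work/cert.$i.pem"); subj=${subj#subject=}
        iss=$(openssl x509 -noout -issuer -in "$work/cert.$i.pem"); iss=${iss#issuer=}
        echo "cert $i: subject=[$subj] issuer=[$iss]"
        # Issuer equal to subject marks a trust anchor: clients already hold the root,
        # so it only adds bytes to the handshake and triggers the warning.
        [ "$subj" = "$iss" ] && { echo "  -> contains anchor: drop it from ssl_certificate"; rc=1; }
        # Every certificate after the first must be the issuer of the one before it.
        [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subj" ] && { echo "  -> incorrect order"; rc=1; }
        prev_issuer=$iss; i=$((i + 1))
    done
    rm -rf "$work"
    return $rc
}

# Constructed demo PKI: Demo Root CA -> Demo intermediate -> Demo leaf, plus three bundles.
make_demo_certs() {
    dir="$1"; k="ec -pkeyopt ec_paramgen_curve:prime256v1"
    openssl req -x509 -newkey $k -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    for pair in intermediate:root leaf:intermediate; do
        name=${pair%:*}; signer=${pair#*:}
        openssl req -newkey $k -nodes -subj "/CN=Demo $name" \
            -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
        openssl x509 -req -in "$dir/$name.csr" -CA "$dir/$signer.pem" -CAkey "$dir/$signer.key" \
            -CAcreateserial -days 1 -out "$dir/$name.pem" 2>/dev/null
    done
    cat "$dir/leaf.pem" "$dir/intermediate.pem" > "$dir/good.pem"                   # what ssl_certificate should hold
    cat "$dir/leaf.pem" "$dir/intermediate.pem" "$dir/root.pem" > "$dir/anchor.pem" # root appended by mistake
    cat "$dir/intermediate.pem" "$dir/leaf.pem" > "$dir/wrong_order.pem"            # issuer before server cert
}

d=$(mktemp -d); make_demo_certs "$d"
for b in good anchor wrong_order; do
    echo "== $b.pem"; check_bundle "$d/$b.pem" || echo "   $b.pem needs fixing"
done
rm -rf "$d"
```

Run it against your real public.crt with `check_bundle /path/to/public.crt`; the same check applied to my-chain.pem is expected to report the anchor, since the ssl_trusted_certificate file is supposed to hold the root and is never sent to clients.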