SSL Certificate Chain Order Intermediate Certs
I found this hint on an SSL CA website:
WHM requires the order of the CA certificates to be in the opposite order
(Primary at the top and Secondary at the bottom). By default the Secondary is
on the top, to change the order of the CA bundle simply copying the certificate
sitting at the top and paste it beneath the remaining CA certificate.
Is that still the case with the WHM 11.44?
The services and apache ssl parts are meant.
Where are the "Certificate Authority Bundle (optional):" parts saved for the WHM services?
BTW: Is there any online service which checks SSL certs on other ports and services?
Or is openssl on the command line still the only way to go?
There are not many tools which check the chain order of certs.
One that showed problems in the chain was: SSL Certificate Checker - Installation Diagnostic Tool | DigiCert.com (http://www.digicert.com/help/)
But no way to check other services and ports.
Thanks for reading.
Hello :) You can find SSL data for services in the following directory: /var/cpanel/ssl
There is a separate field for the certificate authority bundle when installing an SSL certificate. You can choose to paste the same way that your provider issues it. Could you clarify if you are having trouble installing the certificate with its CABundle? Or, is this just a general question? Thank you.
[quote="cPanelMichael, post: 1715772"]There is a separate field for the certificate authority bundle when installing an SSL certificate. You can choose to paste the same way that your provider issues it.[/quote]
So the answer to my question would be NO. I asked if WHM still requires changing the order of CA certificates. If you have more than one intermediate certificate the CA that is important for the chain of trust. RapidSSL is warning customers to change the order when using the CA bundle with WHM. Since most of the FAQs are old and WHM got an overhaul in the SSL department, I wonder if this behaviour was changed to just paste the "normal" CA bundle without changing parts.
You should not have to change the order of the CAbundle when pasting it into its field during the SSL certificate installation. Could you reference a link where RapidSSL advises doing this? Thank you.
Based on their guide there, the assumption is the SSL installation would fail if you did not use the alternate order. Thus, the fact that it installs correctly would confirm that reversing the order is not required. Thank you.
[quote="cPanelMichael, post: 1716601"]Based on their guide there, the assumption is the SSL installation would fail if you did not use the alternate order. Thus, the fact that it installs correctly would confirm that reversing the order is not required.[/quote]
It won't fail while installing via WHM. You can install the cert without any CA Bundle. You can install the cert with a wrong order. You can install only one part of the bundle. I only investigated the order issue since I had an installation with no CA bundle installed via the WHM SSL form (at least it wasn't displayed in the section). Thunderbird was showing a warning that the identity of the cert couldn't be verified. The wildcard cert was fine. The domain name matched. Turned out that the chain of intermediate certs was in the wrong order for exim/dovecot. Since it depends on what the client CA repository is offering, this kind of problem can stay undetected for a long time. Not sure why the chain order was wrong. Could be a mistake made by me when installing the cert in the first place. Or CentOS 6. Some insight about what happens when no CA or a certain order is installed in the optional field would be interesting.
I've not seen any other reports of problems based on the order used when inserting the CAbundle during the SSL certificate installation. Could you open a support ticket so we can attempt to reproduce this issue? You can post the ticket number here so we can update this thread with the outcome. Thank you.
[quote="cPanelMichael, post: 1716901"]Could you open a support ticket so we can attempt to reproduce this issue? You can post the ticket number here so we can update this thread with the outcome.[/quote]
The ticket number is 5481971.
Note for search function: Old Android (at least 2.3.5) HTC Mail applications are not able to create an account with a wrong-order SSL chain. No real error message appears. It just cannot complete the SSL connection test.
[quote="lorio, post: 1733952"]The ticket number is 5481971.[/quote]
Internal case number 87489 is open to address an issue where the order of the CA bundle is not preserved when installing SSL certificates. You will find this case number in our change logs when a resolution has been published: cPanel - Change Logs Thank you.
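Added example, not part of any post in this thread and not cPanel's code: a standard-library Python check that reports whether the certificates in a PEM bundle (the text pasted into the CA bundle field, or the blocks printed by `openssl s_client -showcerts`) run in leaf-to-root order, in reverse, or with a gap. It compares raw issuer and subject names only and verifies no signatures; `fake_cert` and the "Example" names are constructed sample input, not real certificates.

```python
import base64, re, sys

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(cert):
    """Return (subject, issuer) of one DER certificate as raw DER Name bytes."""
    pos = tlv(cert, tlv(cert, 0)[1])[1]  # step into Certificate, then TBSCertificate
    fields = []                          # serial, sigAlg, issuer, validity, subject
    while len(fields) < 5:
        tag, _, end = tlv(cert, pos)
        if tag != 0xA0:                  # skip the optional [0] version field
            fields.append(cert[pos:end])
        pos = end
    return fields[4], fields[2]

def linked(certs):  # True when each certificate's issuer is the next one's subject
    return all(certs[i][1] == certs[i + 1][0] for i in range(len(certs) - 1))

def diagnose(pem):
    """Classify a PEM bundle: 'ok', 'reversed', 'broken' (gap or shuffle) or 'empty'."""
    certs = [names(base64.b64decode(b)) for b in PEM_RE.findall(pem)]
    if not certs:
        return "empty"
    return "ok" if linked(certs) else "reversed" if linked(certs[::-1]) else "broken"

def enc(tag, body):
    return bytes([tag, len(body)]) + body  # short-form length, bodies under 128 bytes

def fake_cert(subject, issuer):
    """Constructed sample input: names-only certificate skeleton, no key or signature."""
    name = lambda cn: enc(0x30, enc(0x0C, cn.encode()))
    tbs = enc(0xA0, enc(0x02, b"\x02")) + enc(0x02, b"\x01") + enc(0x30, b"") \
        + name(issuer) + enc(0x30, b"") + name(subject)
    body = base64.encodebytes(enc(0x30, enc(0x30, tbs)))
    return b"-----BEGIN CERTIFICATE-----\n" + body + b"-----END CERTIFICATE-----\n"

SAMPLE = fake_cert("Example Policy CA", "Example Root CA") \
    + fake_cert("Example Issuing CA", "Example Policy CA")  # constructed, root side first

if __name__ == "__main__":  # optional argument: path to a PEM bundle
    print(diagnose(open(sys.argv[1], "rb").read() if sys.argv[1:] else SAMPLE))
```

A result of `broken` covers both a shuffled bundle and a missing intermediate, which are the cases the thread describes as installing without error.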