Can SEVPN serve intermediate CA certificates?
Posted: Thu Aug 21, 2014 9:12 pm
Hi,
Thanks for releasing this great product.
I have a RapidSSL wildcard certificate (*.mydomain.com) which I use on my SEVPN servers (running SSTP protocol).
RapidSSL uses two intermediate CA certificates (https://knowledge.rapidssl.com/support/ ... &id=AR1549), so the chain looks like:
Equifax Secure CA
- GeoTrust CA intermediate
- RapidSSL intermediate
- *.mydomain.com certificate
To import my certificate into SEVPN I use a PFX file containing my private key, the GeoTrust intermediate, the RapidSSL intermediate and my wildcard certificate. (I also tried .cer/.key with the same results.)
When I access the SSTP endpoint (port 443) directly with my web browser (Chrome/FF/IE) I get a secured connection (certificates accepted and certification path verified).
If I connect to the SSTP endpoint with the Windows 7 built-in SSTP client I get a secured connection (certificates accepted and certification path verified).
When I connect to the same endpoint with the SEVPN client software I receive a warning: "unable to find the certificate of the certificate authority who issued this certificate on the list of trusted certificates."
When I connect to the SSTP endpoint using
http://www.sslshopper.com/ssl-checker.h ... domain.com
I receive the following message:
"The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate. Learn more about this error. You can fix this by following GeoTrust's Certificate Installation Instructions for your server platform (use these instructions for RapidSSL). Pay attention to the parts about Intermediate certificates."
It seems that SEVPN is not sending the intermediate certificates to the client, resulting in failure to verify the certification chain.
When I look in the SEVPN configuration file I see a relatively small ServerCert blob. I assume this is because the intermediate certificates are not being imported into the configuration file.
Is there any way in which I can teach SEVPN to serve intermediate certificates to the client so that the chain can be verified without having to manually install intermediate certificates on the client?
Thanks in advance for any insights.
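As an added check, not part of the original post and not SoftEther's own code: a POSIX shell script that records the certificate chain a TLS endpoint actually sends and reports where it breaks (a link whose issuer is not the next certificate, or a chain that stops short of a trusted root), which is the behaviour the post infers from the small ServerCert blob. It assumes the openssl CLI is installed; the host name and file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the post: list the certificates a TLS endpoint
# actually serves and check that they link leaf -> intermediate(s) -> a root
# we trust. Assumes the openssl CLI; host and file names are placeholders.

# Save the certificates a server presents, in the order sent, as one PEM file.
fetch_served_chain() {            # fetch_served_chain host:port out.pem
    openssl s_client -connect "$1" -servername "${1%%:*}" -showcerts </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > "$2"
}

# Subject or issuer DN of one PEM certificate, "subject="/"issuer=" prefix stripped.
dn() { openssl x509 -in "$2" -noout "-$1" | sed 's/^[a-z]*= *//'; }

# Walk a PEM bundle in served order. Returns 0 when every certificate is issued
# by the next one and the last one is self-signed or issued by a root in the
# optional roots file; 1 on a broken link (an intermediate skipped); 2 when the
# chain stops at an issuer that is not in the roots file (intermediate absent).
check_chain_links() {             # check_chain_links served.pem [roots.pem]
    dir=$(mktemp -d) || return 3
    awk -v d="$dir" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/" n ".pem")}' "$1"
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1"); status=0; i=1
    while [ "$i" -le "$n" ]; do
        subj=$(dn subject "$dir/$i.pem"); iss=$(dn issuer "$dir/$i.pem")
        echo "[$i] subject: $subj"; echo "    issuer:  $iss"
        if [ "$i" -lt "$n" ]; then
            [ "$iss" = "$(dn subject "$dir/$((i+1)).pem")" ] ||
                { echo "    BROKEN LINK: next certificate is not this one's issuer"; status=1; }
        elif [ "$iss" != "$subj" ] && [ -n "$2" ]; then
            # served chain ends at a non-root: its issuer must be one of our trusted roots
            rdir=$(mktemp -d)
            awk -v d="$rdir" '/-----BEGIN CERTIFICATE-----/{n++} n{print > (d "/" n ".pem")}' "$2"
            found=0
            for r in "$rdir"/*.pem; do [ "$(dn subject "$r")" = "$iss" ] && found=1; done
            rm -rf "$rdir"
            [ "$found" -eq 1 ] || { echo "    NOT TRUSTED: issuer not in $2 (intermediate missing?)"; status=2; }
        fi
        i=$((i+1))
    done
    rm -rf "$dir"
    return $status
}

# fetch_served_chain vpn.example.test:443 served.pem && check_chain_links served.pem roots.pem
```

Against the SSTP endpoint described in the post, a server that imports only the leaf would list a single certificate and report its issuer (the RapidSSL intermediate) as not trusted.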