SSL Certificate Chain is Truncated

alfer

SSL Certificate Chain is Truncated

Post by alfer » Sat Sep 13, 2014 6:54 pm

In SoftEther, I tried importing a signed certificate (Comodo Positive SSL) using the ServerCertSet command. The cert and private key were imported successfully; however, SoftEther's web server seems to cut off the 4th item in the certificate chain. I verified the same .cer file works fine in the Rocket web server and Apache (it does not cut off the 4th item). The Comodo Positive SSL product has 4 certificates in the chain: yourdomain.com > COMODO RSA Domain Validation Secure Server CA > COMODO RSA Certification Authority > AddTrust External CA Root. Some browsers need to be presented with the entire certificate chain to validate it properly (Firefox on Android, for example), although other browsers do not complain if the root certificate is not presented.

So in my server.crt file I have four certificates concatenated:

-----BEGIN CERTIFICATE-----
<mydomain.com cert>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<COMODO RSA Domain Validation Secure Server CA>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<COMODO RSA Certification Authority>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<AddTrust External CA Root>
-----END CERTIFICATE-----

When you connect to the web server using OpenSSL (openssl s_client -connect mydomain.com:443) you can see that SoftEther's web server does not present the fourth certificate, "AddTrust External CA Root". Instead the fourth one is truncated.

I'm not sure if this is a bug but it would be nice for SoftEther to not truncate the fourth cert so it can present a complete chain to browsers.
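A check for the symptom described in the post above, added here as an example and not part of the original thread: it compares the certificates in the local server.crt bundle with the chain captured from `openssl s_client -connect mydomain.com:443 -showcerts` (saved to a file) and reports which configured certificates the server never sent. The PEM bodies below are constructed placeholders, not real certificates; with real files the fingerprints match what `openssl x509 -fingerprint -sha256` prints.

```python
import base64
import hashlib
import re

# Matches every PEM certificate block; anything between blocks (for example
# the "s:/CN=..." lines that openssl s_client -showcerts prints) is ignored.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def split_pem(text):
    """Return the DER bytes of each certificate in a PEM bundle, in file order."""
    return [base64.b64decode("".join(body.split())) for body in PEM_BLOCK.findall(text)]


def fingerprint(der):
    """SHA-256 fingerprint of the DER encoding (hex, no colons)."""
    return hashlib.sha256(der).hexdigest()


def chain_report(configured_pem, served_pem):
    """Compare the chain in server.crt with the chain a TLS server actually sent.

    Returns the certificate count on each side and the 0-based positions of
    configured certificates that never reached the client (truncated chain).
    """
    configured = [fingerprint(d) for d in split_pem(configured_pem)]
    served = {fingerprint(d) for d in split_pem(served_pem)}
    missing = [i for i, fp in enumerate(configured) if fp not in served]
    return {"configured": len(configured), "served": len(served), "missing": missing}


def _fake_pem(label):
    """Constructed placeholder block; a real file carries base64 DER here."""
    body = base64.b64encode(f"constructed placeholder for {label}".encode()).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


CHAIN = ["mydomain.com", "COMODO RSA Domain Validation Secure Server CA",
         "COMODO RSA Certification Authority", "AddTrust External CA Root"]
# What the poster concatenated into server.crt: all four certificates.
CONFIGURED = "".join(_fake_pem(name) for name in CHAIN)
# Constructed stand-in for s_client -showcerts output when the 4th cert is
# dropped, including the non-PEM lines s_client interleaves between blocks.
SERVED = "".join(f" {i} s:/CN={name}\n" + _fake_pem(name) for i, name in enumerate(CHAIN[:3]))

if __name__ == "__main__":
    print(chain_report(CONFIGURED, SERVED))  # missing == [3]: the AddTrust root
```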

dajhorn

Re: SSL Certificate Chain is Truncated

Post by dajhorn » Sat Sep 13, 2014 9:30 pm

Try putting the certificate chain (in PEM file format) into the chain_certs/ directory and reimporting the server certificate by itself.
