Jan 23, 2012
tom

Site down after renewing Intermediate SSL Pro Certificate (Verisign)?

Question

I have a site where the intermediate certificate has expired. My IT guy says that he has renewed the intermediate certificate, but now the site is inaccessible with a 404 error page.

To troubleshoot the problem (as he’s away for a week…), I used this link to check on the status of the SSL certificate: https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=AR1130

And the error I get is as follows:

Error: The certificate installation checker connected to the Web server, but could not read the Web server’s certificates. Make sure your browser can make an SSL connection with the Web server.

The certificate is from Verisign and is “SSL Pro”. To get some background on what the issue was, we had to refer to this link: https://knowledge.verisign.co.uk/support/ssl-certificates-support/index?page=content&id=SO18873&actp=search&viewlocale=en_US&searchid=1326832230564

Here’s a snippet:

Cause
Secure Site Pro/Managed PKI for SSL Premium SSL Intermediate CA Certificate expired on October 24, 2011
Resolution
If you have a Secure Site Pro or Premium SSL certificate that was issued before October 10th, 2010, then the certificate might be chaining to the following Intermediate CA that expired on October 24, 2011:

Any idea on what might have gone wrong here?

Asked by Ray

Answer

You don’t renew intermediate (chained) certificates; Verisign handles these certificates as they belong to them. It sounds very much like you got a new certificate which was signed by a different intermediate certificate from your previous cert. Your server needs this intermediate certificate to show clients the full chain.

More detail: The clients have a list of certificates which they already trust, the root CAs. Verisign is probably in that list already. Verisign, for various reasons, does not use its Root CA Certificate to directly sign your Server Certificates. It uses an Intermediate Certificate. Clients do not know about these Intermediate Certificates. When clients connect to your Server, your server provides both its Server Certificate and the Intermediate Certificate. The client looks this over and sees that it trusts Verisign, which trusts the Intermediate, and the Intermediate trusts your Server Cert; so all is good.

Except your server is missing the new Intermediate Certificates. So the client contacts your Server, and only sees the Server Certificate. Since the client cannot find a chain of trust from the Verisign Root Certificate to the Server Certificate, the connection fails. To resolve this you need to install the Intermediate Certificate on your Server. The process for this is different for the major servers out there:

For Apache 1.x: you need to edit httpd.conf. Find the Directive SSLCertificateChainFile and point it to the Intermediate Certificate provided by Verisign. It’s common for CAs to provide a “Cert Bundle”, “Chain Bundle”, “Chain Certificate”, or “Intermediate Certificate” (they’re all the same thing for your purposes).

Side note: Apache 1.x is really ancient software and should be deprecated… Apache 2.x is available.

Answered by Chris S
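The chain-of-trust behaviour described in the answer, as an added example that is not part of the original question or answer: it builds a throwaway Root → Intermediate → Server chain with the openssl command-line tool, then verifies the server certificate the way a client that trusts only the root would, first with the server certificate alone (the failing situation from the question) and then with the intermediate supplied alongside it. The CA and host names are made up for the demonstration; the only assumption is that an openssl binary (1.1.1 or later) is on the PATH.

```shell
#!/bin/sh
# Added example, not from the original post. Builds a constructed
# Root -> Intermediate -> Server chain and checks it the way a client would.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Extensions for anything that must act as a CA (root and intermediate).
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
# Extensions for the server (leaf) certificate.
printf 'basicConstraints=CA:FALSE\n' > leaf.ext

# 1. Throwaway root CA (self-signed). Plays the role of the CA root that is
#    already in the client's trust store. Names are constructed.
openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Example Root CA (constructed)" >/dev/null 2>&1
openssl x509 -req -in root.csr -signkey root.key -days 2 \
  -extfile ca.ext -out root.pem >/dev/null 2>&1

# 2. Intermediate CA, signed by the root. Clients do NOT ship this one.
openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Example Intermediate CA (constructed)" >/dev/null 2>&1
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 1 -extfile ca.ext -out inter.pem >/dev/null 2>&1

# 3. Server certificate, signed by the intermediate (not by the root).
openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
  -subj "/CN=www.example.test" >/dev/null 2>&1
openssl x509 -req -in server.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 1 -extfile leaf.ext -out server.pem >/dev/null 2>&1

# verify_chain ROOT LEAF [SENT]: emulate a client whose trust store holds only
# ROOT. SENT is whatever the server presents next to its own certificate
# (nothing, the intermediate, or a bundle). Exit status 0 means a chain was built.
verify_chain() {
  root=$1; leaf=$2; sent=${3:-}
  if [ -n "$sent" ]; then
    openssl verify -CAfile "$root" -untrusted "$sent" "$leaf" >/dev/null 2>&1
  else
    openssl verify -CAfile "$root" "$leaf" >/dev/null 2>&1
  fi
}

# cert_count FILE: number of PEM certificates in a file. A quick sanity check
# that a "chain file" really contains the intermediate and not only the leaf.
cert_count() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# Server sends only its own certificate: the client cannot link it to the root.
if verify_chain root.pem server.pem; then
  echo "leaf alone: ok"
else
  echo "leaf alone: FAIL (unable to get local issuer certificate)"
fi

# Server also sends the intermediate: Root -> Intermediate -> Server closes.
if verify_chain root.pem server.pem inter.pem; then
  echo "leaf + intermediate: ok"
else
  echo "leaf + intermediate: FAIL"
fi

# A full-chain bundle as many servers take it: leaf first, then intermediate(s).
# Apache's SSLCertificateChainFile wants only the intermediate part (inter.pem).
cat server.pem inter.pem > chain.pem
echo "chain.pem holds $(cert_count chain.pem) certificates"
if verify_chain root.pem server.pem chain.pem; then
  echo "leaf + bundle: ok"
fi
```

Against a live server the equivalent check is `openssl s_client -connect host:443 -showcerts`, which prints every certificate the server sends; if only one appears, the intermediate is not installed, which is exactly the situation the Verisign checker reported above.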
