Saturday, April 24, 2010

Manual Verification of SSL/TLS Certificate Trust Chains using Openssl (Part 2/2)

Part 1 of this article covered how to manually verify the SSL/TLS certificate trust chain for a given "invalid" certificate using openssl. We used the Internet Storm Center certificate as an example, whose chain has three elements: the ISC (isc.sans.org) certificate, an intermediate USERTrust CA, and the Entrust root CA.


A quick look in the Firefox Preferences (Mac OS X) or Options (Windows and Linux), specifically in the "Advanced - Encryption - View Certificates - Authorities" section, confirms that the intermediate CA certificate from USERTrust was the one missing in Firefox 3.6.3 and, therefore, the one invalidating the certificate trust chain: none of the USERTrust certificates listed there has the right fingerprint, "af:a4:40:af...86:16".


The client browser, lacking the intermediate certificate, cannot verify the full certificate trust chain and therefore generates the error.

The most common way to avoid this kind of certificate validation error at the web server level, and thus for every client of that server, is to have the web server itself deliver the missing intermediate certificate to the client at connection time.

In the Apache web server world, you simply need to get a copy of the intermediate certificate, in this case "USERTrustLegacySecureServerCA.crt" (see Part 1), and reference it through the "SSLCertificateChainFile" directive in the Apache configuration file, "httpd.conf", specifically in the section for the virtual host. Example for the ISC web server (not the real config file):

<VirtualHost 10.10.10.10:443>
    DocumentRoot /var/www/html
    ServerName isc.sans.org
    SSLEngine on
    SSLCertificateFile /path/to/isc.sans.org.crt
    SSLCertificateKeyFile /path/to/isc.sans.org.key
    SSLCertificateChainFile /path/to/USERTrustLegacySecureServerCA.crt
</VirtualHost>

These three mod_ssl directives point to the server certificate, the server private key, and the intermediate CA certificate, respectively.
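To see what the chain file changes from the client's point of view, here is an added example (not from the original post) that builds a constructed root -> intermediate -> server chain with openssl and then verifies the server certificate with and without the intermediate; the CA names and the host www.example.test are made up.

```shell
#!/bin/sh
# Constructed three-element chain (root CA -> intermediate CA -> server cert),
# mirroring Entrust root -> USERTrust intermediate -> isc.sans.org, to show how
# openssl verify behaves when the intermediate is and is not supplied.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extensions for the two CA certificates and for the server (leaf) certificate.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext

# Self-signed root: the only element the client already trusts (made-up name).
openssl req -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj '/CN=Example Root CA' 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -out root.crt -days 30 -extfile ca.ext 2>/dev/null

# Intermediate CA signed by the root: the element Firefox 3.6.3 did not have.
openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj '/CN=Example Intermediate CA' 2>/dev/null
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -out inter.crt -days 30 -extfile ca.ext 2>/dev/null

# Server certificate signed by the intermediate: what SSLCertificateFile points at.
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj '/CN=www.example.test' 2>/dev/null
openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -out leaf.crt -days 30 -extfile leaf.ext 2>/dev/null

# Client trusts only the root and the server sent only its own certificate:
# the broken chain from Part 1 ("unable to get local issuer certificate").
verify_without_intermediate() {
  if openssl verify -CAfile root.crt leaf.crt >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# Same trusted root, but the intermediate now arrives with the server certificate,
# as SSLCertificateChainFile makes Apache send it. -untrusted models a certificate
# that is presented but not trusted, which is how a browser treats it.
verify_with_intermediate() {
  if openssl verify -CAfile root.crt -untrusted inter.crt \
       -verify_hostname www.example.test leaf.crt >/dev/null 2>&1; then echo ok; else echo fail; fi
}

# SHA-1 fingerprint of the intermediate: the value to compare against the
# browser's Authorities list when hunting for the missing CA certificate.
intermediate_fingerprint() {
  openssl x509 -in inter.crt -noout -fingerprint -sha1 | sed 's/^.*=//'
}

echo "without intermediate: $(verify_without_intermediate)"
echo "with intermediate:    $(verify_with_intermediate)"
echo "intermediate SHA-1:   $(intermediate_fingerprint)"
```

In Apache 2.4.8 and later SSLCertificateChainFile is deprecated: the intermediate is appended after the server certificate in the file named by SSLCertificateFile, with the same effect on the client.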

End-user awareness regarding the acceptance of invalid digital certificates is a must!
