Kemp Support, how can we help?

The latest application delivery knowledge and expertise at your fingertips.

  1. Kemp Support
  2. Knowledge Base
  3. Security

SSL scan to show certificate chain length

Updated

 

Information

 

Summary:

Wanted to know why the ssl scan to site through the virtual service had a shorter cert chain compared to the scan direct to the server.
Environment:

Product: LoadMaster

Version: Any

Platform: Any

Application: Any
Question/Problem Description:

Running a scan to both hosts (one direct to server and the other to their virtual service) shows a different in certificate chains.

There is already an intermediate certificate installed on the loadmaster to cover any possible incomplete certificate chain issues
Steps to Reproduce: Run a scan to the site hostname using an ssl scanner such as ssllabs or sslshopper
Error Message:  
Defect Number:  
Enhancement Number:  
Cause: Server just happens to use different intermediate certificates for the chain of trust, but this is not inherently an issue as long as the scan to the VIP shows a valid, and complete chain of trust.
Resolution:
  • Judging by the scan that was done via ssllabs, it does not appear any intermediate/root certs need to be currently added.
  • Ran a scan to the site using Qualys SSL Labs scan, and that returned an "A+" rating, with no apparent SSL cert chain.
  • The intermediate certificate currently installed looks to be sufficient enough already.
Workaround:  
Notes:

https://www.ssllabs.com/ssltest/ 

https://www.sslshopper.com/ssl-checker.html

Comments

In this document