Correct order from combine certificates

empereira · January 26, 2021, 5:12pm

Hello,

We use an ICPEDU institutional certificate that is part of GlobalSIgn.

In traefik we are using only the *.company.org certificate and the key. Doing tests on sslabs, informs that the chain of certificates is incomplete.

In apache we use a bundle that contains the ICPEDU Intermediary + GlobalSIgn Intermediary + GlobalSign Root and works like a charm.

In the traefik I made the concatenation including our certificate *.company.org, staying like this:

*.company.org + ICPEDU intermediary + GlobalSIgn Intermediario + GlobalSign Root

This way it did not work and there is always an error informing that no certificate was found.

What is the correct order?

cakiwi · January 26, 2021, 7:36pm

It should be:

Leaf certificate + Intermediates....

The root CA should no be present.

empereira · January 26, 2021, 7:06pm

Should *.company.org be at the beginning of the file?

cakiwi · January 26, 2021, 7:14pm

Yes. That would be considered the leaf.

empereira · January 26, 2021, 7:36pm

Thanks for the help @cakiwi!!!

After some tests, I believe that the correct order of the certificates was as follows:

-----BEGIN CERTIFICATE-----
*.company.org
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
GlobalSign RSA OV SSL CA 2018
-----END CERTIFICATE-----

cakiwi · January 26, 2021, 7:39pm

Yes, of course!

That matches the output from ssllabs.

system · January 29, 2021, 7:39pm

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.