Is there any threat in putting the root CA in the intermediate certificate?


#1

Hi,

I installed a certificate on my server, but I got an untrusted warning when I browsed to it with Firefox.
So I added the root CA to the intermediate certificate, and then it worked fine.

I haven’t seen others do this.
So I want to know: is there any threat in doing it? Or what is the right way?
Thanks.

ps.
My intermediate certificate is Let’s Encrypt Authority X3.
Root CA is DST Root CA X3.
And my server does not contain DST Root CA X3 or any other root CA.


#2

The certificates are public documents, so sending more of them doesn’t change the security situation, but it does waste a few hundred bytes each time, sending unneeded data, if your server sends out certificates that nobody needs in order to verify it.

Since you didn’t give very much detail of what you did, it’s hard to help. You definitely should not need to put a root CA certificate into the intermediates sent by your server, but I can’t say why it seems to “work fine” now, except that you’ve probably omitted some relevant detail.

A test like this one: https://whatsmychaincert.com/ can tell you whether the chain you’re sending now is in fact correct, or if you don’t mind you could just say here what the site is you’ve configured.


#3

Thanks for your help! I got it.

I need to do

openssl verify -CAfile chain.pem cert.pem

But I got an “unable to get issuer certificate” error.
So I appended the root CA to chain.pem for the verify.


#4

While there is no harm in doing this, it should not be necessary, so we can discuss and investigate further if you’re interested in figuring out why it appears to be necessary in your situation.


#5

As Tialaramex said, you really didn’t provide much context or information regarding your setup. But I have an idea what might help.

Are you running a recent version of Apache 2.4? I was getting similar errors in Pale Moon because I’d mis-configured Apache. You should point the sslcert directive to “fullchain.pem”, not “cert.pem” to avoid errors.

Originally I’d set the sslcert directive to “cert.pem”, sslchain to “fullchain.pem”, and sslkey to “key.pem”, but that became deprecated with Apache 2.4.7 (I think), and now you shouldn’t use sslchain at all, and sslcert should be pointed to “fullchain.pem”.

It’s counter-intuitive, I know, but that’s what the documentation now says. And it fixed my SSL problems!


#6

OK, I found the problem.
I have a NAS, and I upload the SSL certificate via the NAS system control panel.
There are three parts: Domain certificate, Private key, and Intermediate certificate.
Now I know the NAS will verify the certificates after I upload them:

openssl verify -CAfile chain.pem cert.pem

If the verify fails, it won’t configure the intermediate certificate in Apache.
Like this:

SSLCertificateFile “/etc/stunnel/stunnel.pem”
#SSLCertificateChainFile “/etc/stunnel/uca.pem”

So I got untrusted in Firefox. After I set Let’s Encrypt Authority X3 as the SSLCertificateChainFile and restarted Apache,
then it worked!
Thanks to all~

ps. Apache version is 2.2.31
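
As an added example (the editor’s, not code from this thread or from Let’s Encrypt), the script below builds a throwaway root, intermediate and leaf with openssl, reproduces the “unable to get issuer certificate” error that the NAS-style check in posts #3 and #6 produces when chain.pem holds only the intermediate, shows the OP’s workaround of appending the root, and then shows the two ways to get a clean verify without shipping the root: give the root as the trust anchor and the intermediate as -untrusted, or use -partial_chain. It also counts self-signed certificates in a bundle, which is the quick way to tell whether a chain file a server sends contains a root. The CA names and the hostname www.example.test are made up.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): throwaway PKI plus the
# openssl verify forms discussed above. Needs an openssl binary on PATH.
# All names (Test Root, Test Intermediate, www.example.test) are invented.

# Create root.pem, inter.pem, leaf.pem and fullchain.pem in directory $1.
make_test_pki() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$d/leaf.ext"

    # Self-signed root: subject == issuer.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/root.key" -out "$d/root.csr" \
        -subj "/CN=Test Root" 2>/dev/null
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null

    # Intermediate CA signed by the root (plays the role of Let's Encrypt Authority X3).
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/inter.key" -out "$d/inter.csr" \
        -subj "/CN=Test Intermediate" 2>/dev/null
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null

    # Leaf (server) certificate signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" \
        -subj "/CN=www.example.test" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 2 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null

    # What a server should send: leaf followed by intermediate, no root.
    cat "$d/leaf.pem" "$d/inter.pem" > "$d/fullchain.pem"
}

# verify_leaf TRUSTFILE UNTRUSTEDFILE LEAF: run openssl verify with TRUSTFILE as
# the trust anchors and (if non-empty) UNTRUSTEDFILE as -untrusted intermediates.
# Returns openssl's exit status.
verify_leaf() {
    cafile=$1; untrusted=$2; leaf=$3
    if [ -n "$untrusted" ]; then
        openssl verify -CAfile "$cafile" -untrusted "$untrusted" "$leaf"
    else
        openssl verify -CAfile "$cafile" "$leaf"
    fi
}

# count_self_signed BUNDLE: print how many certificates in a PEM bundle have
# subject == issuer. A chain file a server sends should report 0; a root is 1.
count_self_signed() {
    bundle=$1
    tmp=$(mktemp -d)
    awk -v dir="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
        n { print > (dir "/c" n ".pem") }
        /-----END CERTIFICATE-----/ { close(dir "/c" n ".pem") }' "$bundle"
    n=0
    for c in "$tmp"/c*.pem; do
        subj=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$c" | cut -d= -f2-)
        iss=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$c" | cut -d= -f2-)
        if [ "$subj" = "$iss" ]; then n=$((n + 1)); fi
    done
    rm -rf "$tmp"
    echo "$n"
}

demo() {
    work=$(mktemp -d)
    make_test_pki "$work"
    echo "== NAS-style check, intermediate alone in -CAfile: expect 'unable to get issuer certificate'"
    verify_leaf "$work/inter.pem" "" "$work/leaf.pem" || true
    echo "== OP's workaround, root appended to chain.pem: passes, but only because the root is now a trust anchor"
    cat "$work/inter.pem" "$work/root.pem" > "$work/chain_with_root.pem"
    verify_leaf "$work/chain_with_root.pem" "" "$work/leaf.pem" || true
    echo "== root as trust anchor, intermediate as -untrusted: expect OK"
    verify_leaf "$work/root.pem" "$work/inter.pem" "$work/leaf.pem" || true
    echo "== intermediate as a partial trust anchor, no root needed: expect OK"
    openssl verify -partial_chain -CAfile "$work/inter.pem" "$work/leaf.pem" || true
    echo "== self-signed certs in fullchain.pem: $(count_self_signed "$work/fullchain.pem") (0 = no root shipped)"
    rm -rf "$work"
}
demo
```

The point of the first two runs is that `-CAfile` names trust anchors, not the chain to be sent: an intermediate alone is not a complete trust anchor, so the verify stops at it, and appending the root merely turns chain.pem into a trust store. That makes the NAS’s check pass, but it is not what the server should serve. The bundle a server actually sends (on Apache 2.2 via SSLCertificateFile plus the intermediate in SSLCertificateChainFile, as in post #6; on Apache 2.4.8 and later the combined fullchain.pem in SSLCertificateFile, as post #5 describes) should report 0 from count_self_signed, because the root belongs only in the client’s trust store.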


#7

I’m very glad you solved the problem :smile:

