Still getting R3 certificates

Osiris · December 30, 2021, 9:24am

It might but every CA I know uses intermediate certificates, so there's absolutely no guarantee of the future. Maybe Kestrel is "smart" enough to load and serve the correct intermediate when switching to the other CA (probably because ASP.NET doesn't have an older intermediate cached/stored somewhere), but what if that CA also switches intermediates?

The issue here is ASP.NET for some magical and unknown reason sends the utterly incorrect chain while not instructed to do so (according to the currently viewed code). Why would this be any different with a different CA? ASP.NET would still be a #@*(+&#@ piece of software.

rg305 · December 30, 2021, 1:22pm

I asked for a "workaround " not a "fix".

It seems ASP.NET brings all the same related Windows cert problems with it.
Perhaps searching the forum for help on Windows and R3 might shed some light.

MikeMcQ · December 30, 2021, 3:06pm

Maybe. But, when I read the Kestrel developer threads about this they knew they only sent a leaf and even developed a fix to send a chain. But, it has not been deployed. It seems different than what IIS does in that regard.

I did not read the Kestrel code - just the dev talk.

Osiris · December 30, 2021, 3:25pm

Howcome, in this case, the already expired R3-signed-by-DST Root CA X3 is being send? If Kestrel doesn't send intermediates?

MikeMcQ · December 30, 2021, 3:30pm

Ah. My bad. I was thinking an old client was building a faulty chain from the leaf but you made me remember I saw that faulty chain using openssl.

So, agree. Probably asp.net is interfering too.

system · January 29, 2022, 3:31pm

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.