Still getting R3 certificates

It might but every CA I know uses intermediate certificates, so there's absolutely no guarantee of the future. Maybe Kestrel is "smart" enough to load and serve the correct intermediate when switching to the other CA (probably because ASP.NET doesn't have an older intermediate cached/stored somewhere), but what if that CA also switches intermediates?

The issue here is ASP.NET for some magical and unknown reason sends the utterly incorrect chain while not instructed to do so (according to the currently viewed code). Why would this be any different with a different CA? ASP.NET would still be a #@*(+&#@ piece of software.


I asked for a "workaround " not a "fix".

It seems ASP.NET brings all the same related Windows cert problems with it.
Perhaps searching the forum for help on Windows and R3 might shed some light.

1 Like

Maybe. But, when I read the Kestrel developer threads about this they knew they only sent a leaf and even developed a fix to send a chain. But, it has not been deployed. It seems different than what IIS does in that regard.

I did not read the Kestrel code - just the dev talk.


Howcome, in this case, the already expired R3-signed-by-DST Root CA X3 is being send? If Kestrel doesn't send intermediates? :thinking:


Ah. My bad. I was thinking an old client was building a faulty chain from the leaf but you made me remember I saw that faulty chain using openssl.

So, agree. Probably is interfering too.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.