Dear Syed Hussain,
Actually, when I used SSLShopper to verify the chain again just now, it is not correct.
The first cert in the chain is correct (the server cert), but if you look at its Issuer, it says Go Daddy Secure Certificate Authority - G2; however, immediately below the server cert is a Root Cert.
Based on the currently installed full-chain cert you have, you have 2 options right now:
1. If the Root Cert is not required, you don't have to include it, as all major browsers nowadays already include the required Root Certificates. This means you simply need the 1st cert and the last cert in this entire chain. The middle 2 Root Certs can be removed, which will also improve general latency during the SSL handshakes.
2. If the Root Cert is still required for some reason, then you need to take the 3rd cert in the chain below and move it to make it the last cert in the chain, as per my black arrows.
In fact, I've helped you set the correct chains; you can take a look at the certs attached to this response.
Regards,
Faiz
------------------------------
EVVO SOC
Technical User
EVVO Labs Pte Ltd
------------------------------
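The check SSLShopper is applying above is mechanical: cert N in the uploaded bundle must have been issued by cert N+1, and a self-signed root may only ever sit last. The script below is an added example (not from this thread, and not Imperva or EVVO code) that performs that check on a PEM bundle and then re-orders the bundle into server > intermediate, optionally keeping the root last. It uses a small hand-written DER reader so it needs no third-party package, and compares the issuer and subject Names byte for byte. The *.example.com hostname and the root CA's name are assumptions for illustration; the certificates in the sample are constructed, unsigned, certificate-shaped structures built only to exercise the ordering logic.

```python
import base64
import re
_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
_OID_COMMON_NAME = b"\x55\x04\x03"          # id-at-commonName, 2.5.4.3

def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos and return (tag, content, next_pos)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    n = first & 0x7F if first & 0x80 else 0          # long form: number of length bytes
    length = int.from_bytes(buf[pos:pos + n], "big") if n else first
    return tag, buf[pos + n:pos + n + length], pos + n + length

def names_from_der(der):
    """Return (issuer, subject) of one certificate as the raw DER content of each Name."""
    _, cert, _ = _read_tlv(der, 0)                   # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)                   # tbsCertificate ::= SEQUENCE
    fields, pos = [], 0
    while pos < len(tbs):
        tag, content, pos = _read_tlv(tbs, pos)
        fields.append((tag, content))
    if fields[0][0] == 0xA0:                         # skip optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[2][1], fields[4][1]                # serial, sigAlg, issuer, validity, subject

def common_name(name):
    """CN of a DER Name (first attribute of each RDN is checked); hex if there is no CN."""
    pos = 0
    while pos < len(name):
        _, rdn, pos = _read_tlv(name, pos)           # RelativeDistinguishedName ::= SET
        _, atv, _ = _read_tlv(rdn, 0)                # AttributeTypeAndValue ::= SEQUENCE
        _, oid, after = _read_tlv(atv, 0)
        if oid == _OID_COMMON_NAME:
            return _read_tlv(atv, after)[1].decode("utf-8", "replace")
    return name.hex()

def load_pem_chain(text):
    return [base64.b64decode("".join(b.split())) for b in _PEM_RE.findall(text)]

def to_pem(ders):
    return "".join("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n"
                   % "\n".join(re.findall(".{1,64}", base64.b64encode(d).decode()))
                   for d in ders)

def audit_chain(pem_text):
    """Walk the bundle in file order like an SSL checker: cert N issued by cert N+1, root last."""
    certs = [names_from_der(d) for d in load_pem_chain(pem_text)]
    issues = []
    for i, (issuer, subject) in enumerate(certs):
        if issuer == subject and i != len(certs) - 1:
            issues.append(f"cert {i} ({common_name(subject)}) is self-signed but is not last")
        elif i + 1 < len(certs) and issuer != certs[i + 1][1]:
            issues.append(f"cert {i} ({common_name(subject)}) is issued by '{common_name(issuer)}'"
                          f" but cert {i + 1} is '{common_name(certs[i + 1][1])}'")
    return issues

def build_chain(pem_text, include_root=False):
    """Re-order a bundle given in any order (duplicates tolerated) into leaf -> intermediates [-> root]."""
    by_subject = {}
    for d in load_pem_chain(pem_text):
        issuer, subject = names_from_der(d)
        by_subject[subject] = (d, issuer)            # repeated copies of a cert collapse here
    issuers = {issuer for _, issuer in by_subject.values()}
    leaves = [s for s in by_subject if s not in issuers]   # the leaf issued nothing else
    if len(leaves) != 1:
        raise ValueError(f"expected exactly one leaf certificate, found {len(leaves)}")
    ordered, subject = [], leaves[0]
    while subject in by_subject:
        der, issuer = by_subject[subject]
        if issuer == subject and not include_root:
            break                                    # drop the root: browsers ship their own
        ordered.append(der)
        if issuer == subject:
            break                                    # root kept, and it is last
        subject = issuer
    return ordered

# --- constructed sample input: certificate-shaped DER with no key and no signature ---
def _tlv(tag, content):
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def dummy_cert(subject_cn, issuer_cn):
    def name(cn):
        atv = _tlv(0x06, _OID_COMMON_NAME) + _tlv(0x0C, cn.encode())
        return _tlv(0x30, _tlv(0x31, _tlv(0x30, atv)))
    alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))   # sha256WithRSA
    validity = _tlv(0x30, _tlv(0x17, b"210101000000Z") + _tlv(0x17, b"220101000000Z"))
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg + name(issuer_cn)
           + validity + name(subject_cn) + _tlv(0x30, b""))
    return _tlv(0x30, _tlv(0x30, tbs) + alg + _tlv(0x03, b"\x00"))

# Broken order from the thread (server > root > intermediate); hostname and root name are assumed.
LEAF, INTERMEDIATE = "*.example.com", "Go Daddy Secure Certificate Authority - G2"
ROOT = "Go Daddy Root Certificate Authority - G2"
BROKEN_BUNDLE = to_pem([dummy_cert(LEAF, INTERMEDIATE), dummy_cert(ROOT, ROOT),
                        dummy_cert(INTERMEDIATE, ROOT)])
```

To use it on a real upload, read the fullchain PEM file into a string and pass it to audit_chain(); an empty list means the order is what a checker expects. build_chain() writes the corrected bundle with to_pem(), leaving the root out by default (option 1 above) or keeping it last with include_root=True (option 2). The script only checks naming and order; it does not verify signatures, so confirm the rebuilt chain with openssl verify before uploading it.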
Original Message:
Sent: 03-01-2021 02:57
From: Syed Hussain
Subject: Certificate Chain Issue
Dear Galileo,
As suggested, I did the following, but it did not work.
1) Exported the .pfx to .pem and also exported the private key separately.
2) Decrypted the private key.
3) Appended the intermediate certificate to the .pem at the end.
4) Uploaded the .pem and the decrypted private key to Imperva.
Thank You.
Kind Regards,
Syed Ahsan Hussain
Infrastructure Lead
Cisco Certified Specialist - Enterprise Advanced Infrastructure Implementation
Cisco Certified Specialist - Enterprise Core
Palo Alto Networks Certified Network Security Engineer
ITIL
Dr. Soliman Fakeeh Hospital Company
Palestine Street, Al Hamra District, P.O. Box 2537, Jeddah 21461
Tel: +966 12 66 55000 Ext.: 2016 | Mobile: +966 593259285
Email: ahsan@fakeeh.care | Website: www.fakeeh.care
Original Message:
Sent: 2/28/2021 8:36:00 AM
From: EVVO SOC
Subject: RE: Certificate Chain Issue
Dear Syed Hussain,
In this case what you want to do is:
1. Decrypt the .pfx and make sure the decrypted cert is in PEM format; the private key should have been decrypted as well.
2. Open the decrypted cert in Notepad.
3. Append the intermediate cert right after the "END CERTIFICATE".
4. Save it and upload it onto Imperva, then upload the private key when prompted for it.
That should help resolve your broken chain error.
Regards,
Faiz
------------------------------
EVVO SOC
Technical User
EVVO Labs Pte Ltd
Original Message:
Sent: 02-28-2021 08:12
From: Syed Hussain
Subject: Certificate Chain Issue
Dear Galileo,
Thanks for sharing your response.
Actually, I have installed the server certificate, which is in .pfx format.
If I remove Imperva and publish the server directly, there is no certificate error. It appears only with Imperva in the middle, which means somewhere I need to install the intermediate certificate, but I am not able to figure out where in Imperva.
Thank You.
Kind Regards,
Syed Ahsan Hussain
Original Message:
Sent: 2/26/2021 2:56:00 PM
From: Galileo Shell - Operations
Subject: RE: Certificate Chain Issue
Hi Syed Hussain,
Did you install only the server cert?
Broken chains usually mean either:
1. the intermediate cert is missing, or
2. the entire full-chain cert could be in the wrong order, i.e. server > root > intermediate.
Hope this clue helps resolve your broken chain.
Regards,
Faiz
------------------------------
Galileo Shell - Operations
Technical User
Original Message:
Sent: 02-24-2021 01:20
From: Syed Hussain
Subject: Certificate Chain Issue
Hi guys,
I have an issue with the certificate chain on all our websites published via the WAF.
The certificate chain is missing. I have uploaded the .pfx wildcard certificate on all the websites, which is actually installed on the servers as well.
When I test using an SSL checker I get a certificate chain missing error, but when I remove the WAF and publish the server directly I don't get any certificate chain errors.
Kindly need your support.
Thanks
#On-PremisesWAF (formerly SecureSphere)
------------------------------
Syed Hussain
Operation
Jeddah
------------------------------