Imperva Cyber Community


Certificate Chain Issue

  • 1.  Certificate Chain Issue

    Posted 02-25-2021 10:53
    Hi guys,

    I have an issue with the certificate chain on all our websites published via the WAF.
    The certificate chain is missing. I have uploaded the .pfx wildcard certificate on all the websites, which is actually installed on the servers as well.
    When I test using an SSL checker I get a certificate chain missing error, but when I remove the WAF and publish the server directly I don't get any certificate chain errors.


    Kindly need your support.

    Thanks
    Certificate chain missing

    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Syed Hussain
    Operation
    Jeddah
    ------------------------------


  • 2.  RE: Certificate Chain Issue

    Posted 02-28-2021 05:21
    Hi Syed Hussain,

    Did you only install the server cert?
    Broken chains usually mean either:
    1. the Intermediate Cert is missing, or
    2. the entire full chain cert could be in the wrong order, i.e. server > root > intermediate

    Hope this clue helps resolve your broken chain.

    Regards,
    Faiz

    ------------------------------
    Galileo Shell - Operations
    Technical User
    ------------------------------



  • 3.  RE: Certificate Chain Issue

    Posted 02-28-2021 08:14

    Dear Galileo,

    Thanks for sharing your response.

    Actually, I have installed the server certificate, which is in .pfx format.

    If I remove Imperva and publish the server directly, there is no certificate error. It appears only with Imperva in the middle, which means I need to install the intermediate certificate somewhere, but I am not able to figure out where in Imperva.

    Thank You.

    Kind Regards,

    Syed Ahsan Hussain

    Infrastructure Lead
    Cisco Certified Specialist- Enterprise Advanced Infrastructure Implementation
    Cisco Certified Specialist- Enterprise Core
    Palo Alto Networks Certified Network Security Engineer
    ITIL

    Dr. Soliman Fakeeh Hospital Company
    Palestine Street, Al Hamra District
    P.O. Box 2537 Jeddah 21461
    Tel: +966 12 66 55000 Ext.: 2016
    Mobile: +966 593259285
    Email: ahsan@fakeeh.care
    Website: www.fakeeh.care






  • 4.  RE: Certificate Chain Issue

    Posted 02-28-2021 08:36
    Dear Syed Hussain,

    In this case what you want to do is:
    1. Decrypt the pfx and make sure the decrypted cert is in PEM format. The private key should have been decrypted as well.
    2. Open the decrypted cert in Notepad.
    3. Append the intermediate cert right after the "END CERTIFICATE" line.
    4. Save it, upload it onto Imperva, and upload the private key when prompted for it.

    That should help resolve your broken chain error.

    Regards,
    Faiz

    ------------------------------
    EVVO SOC
    Technical User
    EVVO Labs Pte Ltd
    ------------------------------



  • 5.  RE: Certificate Chain Issue

    Posted 03-01-2021 02:58

    Dear Galileo,

    As suggested, I did the following, but it did not work.

    1) Exported the .pfx to .pem and also exported the private key separately.
    2) Decrypted the private key.
    3) Appended the intermediate certificate to the .pem at the end.
    4) Uploaded the .pem and the decrypted private key to Imperva.

    Thank You.

    Kind Regards,

    Syed Ahsan Hussain

    Infrastructure Lead
    Cisco Certified Specialist- Enterprise Advanced Infrastructure Implementation
    Cisco Certified Specialist- Enterprise Core
    Palo Alto Networks Certified Network Security Engineer
    ITIL

    Dr. Soliman Fakeeh Hospital Company
    Palestine Street, Al Hamra District
    P.O. Box 2537 Jeddah 21461
    Tel: +966 12 66 55000 Ext.: 2016
    Mobile: +966 593259285
    Email: ahsan@fakeeh.care
    Website: www.fakeeh.care






  • 6.  RE: Certificate Chain Issue

    Posted 03-01-2021 09:07

    Dear Syed Hussain,

    Actually, when I used SSLShopper to verify the chain again just now, it's actually not correct.
    The first cert in the chain is correct, the server cert, but when you look at the Issuer it says Go Daddy Secure Certificate Authority - G2; however, immediately below the server cert is a Root Cert.

    Based on the currently installed full-chain cert you have, you have 2 options right now:
    1. If the Root Cert is not required, you don't have to include it, as all major browsers nowadays already include the required Root Certificates. This means you simply need the 1st cert and the last cert in this entire chain. The middle 2 Root Certs can be removed, which will also improve general latency during the SSL handshakes.
    2. If the Root Cert is still required for some reason, then you need to take the 3rd cert in the chain below and move it so that it becomes the last cert in the chain, as per my black arrows.

    In fact, I've helped you set the correct chains; you can take a look at the certs attached to this response.

    Regards,
    Faiz



    ------------------------------
    EVVO SOC
    Technical User
    EVVO Labs Pte Ltd
    ------------------------------

    Attachment(s)
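Added example, not from this thread or from Imperva: a Python script that automates the check Faiz did by hand in posts 4 and 6. It reads the subject and issuer of each block in a PEM bundle with the openssl CLI (assumed to be on PATH), works out the server-first order by following issuer links, and reports where the uploaded file deviates, for instance a root placed directly after the server cert. The CA names in MISORDERED are constructed sample data, not the certificates from the thread.

```python
import re
import subprocess

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)

def bundle_names(text):
    """(subject, issuer) of every block in a PEM bundle, via the openssl CLI (assumed on PATH)."""
    pairs = []
    for block in PEM_BLOCK.findall(text):
        out = subprocess.run(["openssl", "x509", "-noout", "-subject", "-issuer"],
                             input=block, capture_output=True, text=True, check=True).stdout
        pairs.append(tuple(re.search(rf"^{k}=\s*(.*)$", out, re.M).group(1).strip()
                           for k in ("subject", "issuer")))
    return pairs

def find_leaf(certs):
    """The server cert is the only subject that issued nothing else in the bundle."""
    issuers = {issuer for _, issuer in certs}
    leaves = [subject for subject, _ in certs if subject not in issuers]
    if len(leaves) != 1:
        raise ValueError(f"expected one leaf certificate, found {leaves}")
    return leaves[0]

def order_chain(certs, trusted_roots=frozenset(), keep_root=False):
    """Subjects in the order the server must send them: leaf, then each issuer.  Stops at a
    self-signed root (kept only if keep_root) or a trusted_roots issuer; otherwise broken."""
    by_subject = dict(certs)
    ordered, current = [], find_leaf(certs)
    while current not in ordered:
        ordered.append(current)
        issuer = by_subject[current]
        if issuer == current:                      # self-signed root present in the bundle
            return ordered if keep_root else ordered[:-1]
        if issuer not in by_subject:
            if issuer in trusted_roots:            # chain ends at a root the client already has
                return ordered
            raise ValueError(f"chain breaks at {current!r}: issuer {issuer!r} missing")
        current = issuer
    raise ValueError("issuer loop detected")

def bundle_problems(certs, trusted_roots=frozenset()):
    """Positions where the file order differs from the required order ([] means fine)."""
    expected = order_chain(certs, trusted_roots)
    actual = [subject for subject, _ in certs]
    return [f"position {i}: found {a!r}, expected {e!r}"
            for i, (a, e) in enumerate(zip(actual, expected)) if a != e]

# Constructed names mirroring post 6: server, then root, then intermediate (wrong order).
MISORDERED = [("CN=*.example.com", "CN=Example Secure CA - G2"),
              ("CN=Example Root CA - G2", "CN=Example Root CA - G2"),
              ("CN=Example Secure CA - G2", "CN=Example Root CA - G2")]
```

Run `bundle_problems(bundle_names(open("site.pem").read()))` on the file before uploading it; an empty list means the server cert is first and every following cert is the issuer of the one above it.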