Imperva Cyber Community

Dear Team,

I have seen an issue yesterday.
We have an application behind WAF with TRP enabled and in active mode.
Suddenly, it became inaccessible and we found that when the application is in active mode the certificate chain is not completed.
I am not sure if the application server team has reinstalled the SSL certificate at their end but i had removed the current SSL certificate from WAF and redeployed the same pfx on it.
Then, the application started working fine in active mode.

So, i have a doubt in mind
How redploying the same SSL certificate worked?
Is it a kind of misbehave of the appliance.

Please help in this regard with your experiences.

Thanks !
#On-PremisesWAF(formerlySecuresphere)

------------------------------
Pankaj Chouhan
Inspira Enterprise India Pvt. Ltd.
Mumbai
------------------------------

@Pankaj Chouhan, thanks for using community first to try to get an answer. In this case, there is no general answer for this. What you are describing should not be happening. This particular used case needs to be analyzed through our support team. Please create a support case here, and they can take if from there.

Once you do get a solution, I'm positive that the community would want to hear about it. If you don't mind posting the solution afterwards, then it would be greatly appreciated. 

------------------------------
Christopher Detzel
Community Manager
Imperva
------------------------------

Original Message:
Sent: 05-01-2020 02:04
From: Pankaj Chouhan
Subject: Certificate Chain issue

Dear Team,

I have seen an issue yesterday.
We have an application behind WAF with TRP enabled and in active mode.
Suddenly, it became inaccessible and we found that when the application is in active mode the certificate chain is not completed.
I am not sure if the application server team has reinstalled the SSL certificate at their end but i had removed the current SSL certificate from WAF and redeployed the same pfx on it.
Then, the application started working fine in active mode.

So, i have a doubt in mind
How redploying the same SSL certificate worked?
Is it a kind of misbehave of the appliance.

Please help in this regard with your experiences.

Thanks !
#On-PremisesWAF(formerlySecuresphere)

------------------------------
Pankaj Chouhan
Inspira Enterprise India Pvt. Ltd.
Mumbai
------------------------------

Hi,
Thanks for your reply.
I will work with support team surely to understand the issue.
Can you please help to understand how exactly WAF works with the SSL certificate deployed on MX.
We could see the error that the "server is not sending the required intermediate certificate".
We could see this error on digicert.com website at the time of issue.

Thanks !

------------------------------
Pankaj Chouhan
Inspira Enterprise India Pvt. Ltd.
Mumbai
------------------------------

Original Message:
Sent: 05-01-2020 08:32
From: Christopher Detzel
Subject: Certificate Chain issue

@Pankaj Chouhan, thanks for using community first to try to get an answer. In this case, there is no general answer for this. What you are describing should not be happening. This particular used case needs to be analyzed through our support team. Please create a support case here, and they can take if from there.

Once you do get a solution, I'm positive that the community would want to hear about it. If you don't mind posting the solution afterwards, then it would be greatly appreciated. 

------------------------------
Christopher Detzel
Community Manager
Imperva

Original Message:
Sent: 05-01-2020 02:04
From: Pankaj Chouhan
Subject: Certificate Chain issue

Dear Team,

I have seen an issue yesterday.
We have an application behind WAF with TRP enabled and in active mode.
Suddenly, it became inaccessible and we found that when the application is in active mode the certificate chain is not completed.
I am not sure if the application server team has reinstalled the SSL certificate at their end but i had removed the current SSL certificate from WAF and redeployed the same pfx on it.
Then, the application started working fine in active mode.

So, i have a doubt in mind
How redploying the same SSL certificate worked?
Is it a kind of misbehave of the appliance.

Please help in this regard with your experiences.

Thanks !
#On-PremisesWAF(formerlySecuresphere)

------------------------------
Pankaj Chouhan
Inspira Enterprise India Pvt. Ltd.
Mumbai
------------------------------

Hi Pankaj,

While MX is in TRP mode, MX accepts connections on behalf of backend server. I think you might have installed certificate without intermediate in it. There are many websites that can check ssl installation. You can also check certificate using openssl prior to uploading on MX.

------------------------------
Shantanu Chaurasia
------------------------------

Original Message:
Sent: 05-02-2020 04:47
From: Pankaj Chouhan
Subject: Certificate Chain issue

Hi,
Thanks for your reply.
I will work with support team surely to understand the issue.
Can you please help to understand how exactly WAF works with the SSL certificate deployed on MX.
We could see the error that the "server is not sending the required intermediate certificate".
We could see this error on digicert.com website at the time of issue.

Thanks !

------------------------------
Pankaj Chouhan
Inspira Enterprise India Pvt. Ltd.
Mumbai

Original Message:
Sent: 05-01-2020 08:32
From: Christopher Detzel
Subject: Certificate Chain issue

@Pankaj Chouhan, thanks for using community first to try to get an answer. In this case, there is no general answer for this. What you are describing should not be happening. This particular used case needs to be analyzed through our support team. Please create a support case here, and they can take if from there.

Once you do get a solution, I'm positive that the community would want to hear about it. If you don't mind posting the solution afterwards, then it would be greatly appreciated. 

------------------------------
Christopher Detzel
Community Manager
Imperva

Original Message:
Sent: 05-01-2020 02:04
From: Pankaj Chouhan
Subject: Certificate Chain issue

Dear Team,

I have seen an issue yesterday.
We have an application behind WAF with TRP enabled and in active mode.
Suddenly, it became inaccessible and we found that when the application is in active mode the certificate chain is not completed.
I am not sure if the application server team has reinstalled the SSL certificate at their end but i had removed the current SSL certificate from WAF and redeployed the same pfx on it.
Then, the application started working fine in active mode.

So, i have a doubt in mind
How redploying the same SSL certificate worked?
Is it a kind of misbehave of the appliance.

Please help in this regard with your experiences.

Thanks !
#On-PremisesWAF(formerlySecuresphere)

------------------------------
Pankaj Chouhan
Inspira Enterprise India Pvt. Ltd.
Mumbai
------------------------------

Hi Shantanu,

Yes its true that WAF accepts connections on behalf of backen server.
But, the certificate which we used for this particular application was installed a long time back and was perfectly working.
Suddenly we found that the application was not accessible and also found intermediate certificate issue.
Can you please help me to understand the process how WAF maintains the certificate chain at time of packet encryption/decryption?

Thanks !

------------------------------
Pankaj Chouhan
Inspira Enterprise India Pvt. Ltd.
Mumbai
------------------------------

Original Message:
Sent: 05-02-2020 20:34
From: Shantanu Chaurasia
Subject: Certificate Chain issue

Hi Pankaj,

While MX is in TRP mode, MX accepts connections on behalf of backend server. I think you might have installed certificate without intermediate in it. There are many websites that can check ssl installation. You can also check certificate using openssl prior to uploading on MX.

------------------------------
Shantanu Chaurasia

Original Message:
Sent: 05-02-2020 04:47
From: Pankaj Chouhan
Subject: Certificate Chain issue

Hi,
Thanks for your reply.
I will work with support team surely to understand the issue.
Can you please help to understand how exactly WAF works with the SSL certificate deployed on MX.
We could see the error that the "server is not sending the required intermediate certificate".
We could see this error on digicert.com website at the time of issue.

Thanks !

------------------------------
Pankaj Chouhan
Inspira Enterprise India Pvt. Ltd.
Mumbai

Original Message:
Sent: 05-01-2020 08:32
From: Christopher Detzel
Subject: Certificate Chain issue

@Pankaj Chouhan, thanks for using community first to try to get an answer. In this case, there is no general answer for this. What you are describing should not be happening. This particular used case needs to be analyzed through our support team. Please create a support case here, and they can take if from there.

Once you do get a solution, I'm positive that the community would want to hear about it. If you don't mind posting the solution afterwards, then it would be greatly appreciated. 

------------------------------
Christopher Detzel
Community Manager
Imperva

Original Message:
Sent: 05-01-2020 02:04
From: Pankaj Chouhan
Subject: Certificate Chain issue

Dear Team,

I have seen an issue yesterday.
We have an application behind WAF with TRP enabled and in active mode.
Suddenly, it became inaccessible and we found that when the application is in active mode the certificate chain is not completed.
I am not sure if the application server team has reinstalled the SSL certificate at their end but i had removed the current SSL certificate from WAF and redeployed the same pfx on it.
Then, the application started working fine in active mode.

So, i have a doubt in mind
How redploying the same SSL certificate worked?
Is it a kind of misbehave of the appliance.

Please help in this regard with your experiences.

Thanks !
#On-PremisesWAF(formerlySecuresphere)

------------------------------
Pankaj Chouhan
Inspira Enterprise India Pvt. Ltd.
Mumbai
------------------------------

Hi Pankaj,

When leveraging TRP mode, it is very important that the certificate uploaded contains the full trusted chain. (including intermediate(s) and root) There is no separate store within SecureSphere for the root and intermediate; it must be contained within the chain. 

When operating in bridge mode, this is not an issue as the connection is not terminated as it is in TRP mode.

This can create a situation where a site is working as expected in bridge mode, but suddenly fails if TRP is enabled.

Unfortunately, it is not possible to determine within the console if the full trusted chain is contained within the certificate. This means that if you are not 100% certain the existing certificate contains the full chain, it is recommended to re-upload the SSL certificates containing the full chain for any sites that are moving from bridge mode to TRP.

------------------------------
Jaired Anderson
Principal Consultant
Imperva
Tulsa OK
------------------------------

Original Message:
Sent: 05-03-2020 05:39
From: Pankaj Chouhan
Subject: Certificate Chain issue

Hi Shantanu,

Yes its true that WAF accepts connections on behalf of backen server.
But, the certificate which we used for this particular application was installed a long time back and was perfectly working.
Suddenly we found that the application was not accessible and also found intermediate certificate issue.
Can you please help me to understand the process how WAF maintains the certificate chain at time of packet encryption/decryption?

Thanks !

------------------------------
Pankaj Chouhan
Inspira Enterprise India Pvt. Ltd.
Mumbai

Original Message:
Sent: 05-02-2020 20:34
From: Shantanu Chaurasia
Subject: Certificate Chain issue

Hi Pankaj,

While MX is in TRP mode, MX accepts connections on behalf of backend server. I think you might have installed certificate without intermediate in it. There are many websites that can check ssl installation. You can also check certificate using openssl prior to uploading on MX.

------------------------------
Shantanu Chaurasia

Original Message:
Sent: 05-02-2020 04:47
From: Pankaj Chouhan
Subject: Certificate Chain issue

Hi,
Thanks for your reply.
I will work with support team surely to understand the issue.
Can you please help to understand how exactly WAF works with the SSL certificate deployed on MX.
We could see the error that the "server is not sending the required intermediate certificate".
We could see this error on digicert.com website at the time of issue.

Thanks !

------------------------------
Pankaj Chouhan
Inspira Enterprise India Pvt. Ltd.
Mumbai

Original Message:
Sent: 05-01-2020 08:32
From: Christopher Detzel
Subject: Certificate Chain issue

@Pankaj Chouhan, thanks for using community first to try to get an answer. In this case, there is no general answer for this. What you are describing should not be happening. This particular used case needs to be analyzed through our support team. Please create a support case here, and they can take if from there.

Once you do get a solution, I'm positive that the community would want to hear about it. If you don't mind posting the solution afterwards, then it would be greatly appreciated. 

------------------------------
Christopher Detzel
Community Manager
Imperva

Original Message:
Sent: 05-01-2020 02:04
From: Pankaj Chouhan
Subject: Certificate Chain issue

Dear Team,

I have seen an issue yesterday.
We have an application behind WAF with TRP enabled and in active mode.
Suddenly, it became inaccessible and we found that when the application is in active mode the certificate chain is not completed.
I am not sure if the application server team has reinstalled the SSL certificate at their end but i had removed the current SSL certificate from WAF and redeployed the same pfx on it.
Then, the application started working fine in active mode.

So, i have a doubt in mind
How redploying the same SSL certificate worked?
Is it a kind of misbehave of the appliance.

Please help in this regard with your experiences.

Thanks !
#On-PremisesWAF(formerlySecuresphere)

------------------------------
Pankaj Chouhan
Inspira Enterprise India Pvt. Ltd.
Mumbai
------------------------------