Imperva Cyber Community


Certificate Chain issue

  • 1.  Certificate Chain issue

    Posted 05-01-2020 02:05
    Dear Team,

    I saw an issue yesterday.
    We have an application behind the WAF with TRP enabled and in active mode.
    Suddenly, it became inaccessible and we found that when the application is in active mode the certificate chain is not complete.
    I am not sure if the application server team reinstalled the SSL certificate at their end, but I removed the current SSL certificate from the WAF and redeployed the same pfx on it.
    Then, the application started working fine in active mode.

    So, I have a doubt in mind:
    How did redeploying the same SSL certificate work?
    Is it a kind of misbehaviour of the appliance?

    Please help in this regard with your experiences.

    Thanks !
    #On-PremisesWAF(formerlySecuresphere)

    ------------------------------
    Pankaj Chouhan
    Inspira Enterprise India Pvt. Ltd.
    Mumbai
    ------------------------------


  • 2.  RE: Certificate Chain issue

    Community Manager
    Posted 05-01-2020 08:32
    @Pankaj Chouhan, thanks for using the community first to try to get an answer. In this case, there is no general answer for this. What you are describing should not be happening. This particular use case needs to be analyzed through our support team. Please create a support case here, and they can take it from there.

    Once you do get a solution, I'm positive that the community would want to hear about it. If you don't mind posting the solution afterwards, then it would be greatly appreciated. 

    ------------------------------
    Christopher Detzel
    Community Manager
    Imperva
    ------------------------------



  • 3.  RE: Certificate Chain issue

    Posted 05-02-2020 04:48
    Hi,
    Thanks for your reply.
    I will surely work with the support team to understand the issue.
    Can you please help me understand how exactly the WAF works with the SSL certificate deployed on the MX?
    We could see the error that the "server is not sending the required intermediate certificate".
    We could see this error on digicert.com website at the time of issue.

    Thanks !

    ------------------------------
    Pankaj Chouhan
    Inspira Enterprise India Pvt. Ltd.
    Mumbai
    ------------------------------



  • 4.  RE: Certificate Chain issue

    Posted 30 days ago
    Hi Pankaj,

    While the MX is in TRP mode, the MX accepts connections on behalf of the backend server. I think you might have installed the certificate without the intermediate in it. There are many websites that can check an SSL installation. You can also check the certificate using openssl prior to uploading it to the MX.

    ------------------------------
    Shantanu Chaurasia
    ------------------------------



  • 5.  RE: Certificate Chain issue

    Posted 30 days ago
    Hi Shantanu,

    Yes, it's true that the WAF accepts connections on behalf of the backend server.
    But the certificate which we used for this particular application was installed a long time back and was working perfectly.
    Suddenly we found that the application was not accessible and also found the intermediate certificate issue.
    Can you please help me understand the process of how the WAF maintains the certificate chain at the time of packet encryption/decryption?

    Thanks !

    ------------------------------
    Pankaj Chouhan
    Inspira Enterprise India Pvt. Ltd.
    Mumbai
    ------------------------------



  • 6.  RE: Certificate Chain issue

    Imperva Employee
    Posted 24 days ago
    Hi Pankaj,

    When leveraging TRP mode, it is very important that the certificate uploaded contains the full trusted chain (including intermediate(s) and root). There is no separate store within SecureSphere for the root and intermediate; it must be contained within the chain.

    When operating in bridge mode, this is not an issue as the connection is not terminated as it is in TRP mode.

    This can create a situation where a site is working as expected in bridge mode, but suddenly fails if TRP is enabled.

    Unfortunately, it is not possible to determine within the console if the full trusted chain is contained within the certificate. This means that if you are not 100% certain the existing certificate contains the full chain, it is recommended to re-upload the SSL certificates containing the full chain for any sites that are moving from bridge mode to TRP.

    ------------------------------
    Jaired Anderson
    Principal Consultant
    Imperva
    Tulsa OK
    ------------------------------
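As an added example tying together Shantanu's suggestion to check the certificate with openssl before uploading and Jaired's point that the PFX itself must carry the whole chain (this is not code from the thread, from Imperva or from SecureSphere): a POSIX shell script that builds a constructed demo PKI, packs the leaf into a PFX both with and without its chain, and checks each PFX the way you would before uploading it to the MX. It assumes openssl 1.1.1 or newer on the PATH; the CA names, hostname and PFX password are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway root -> intermediate -> leaf
# chain, pack the leaf into a PFX with and without its chain, and check each PFX
# the way you would before uploading it to the MX. Names and password are constructed.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
PASS=pass:demo-only   # constructed PFX password, used for both export and import

# pfx_chain_status PFX PASSPHRASE ROOT_PEM -> prints "<cert count> chain-ok|chain-broken"
# Mirrors what TRP mode has to work with: every certificate in the PFX must verify up
# to ROOT_PEM using only the other certificates in the same PFX, because the MX keeps
# no separate store for intermediates and roots.
pfx_chain_status() {
  pfx=$1; pw=$2; root=$3; d=$(mktemp -d)
  openssl pkcs12 -in "$pfx" -passin "$pw" -nokeys 2>/dev/null > "$d/all.pem" || :
  # Split the extracted bundle into one PEM file per certificate (c1.pem, c2.pem, ...)
  awk -v d="$d" '/BEGIN CERTIFICATE/{n++; f=d"/c"n".pem"} f{print > f}
                 /END CERTIFICATE/{close(f); f=""}' "$d/all.pem"
  n=$(ls "$d"/c*.pem 2>/dev/null | wc -l | tr -d ' '); status=chain-ok
  [ "$n" -gt 0 ] || status=chain-broken   # unreadable PFX or wrong password
  for f in "$d"/c*.pem; do
    [ -f "$f" ] || continue
    : > "$d/others.pem"; extra=""
    for g in "$d"/c*.pem; do [ "$g" = "$f" ] || cat "$g" >> "$d/others.pem"; done
    [ -s "$d/others.pem" ] && extra="-untrusted $d/others.pem"
    openssl verify -CAfile "$root" $extra "$f" >/dev/null 2>&1 || status=chain-broken
  done
  rm -rf "$d"; echo "$n $status"
}

# --- Constructed demo PKI: root CA -> intermediate CA -> server leaf -----------------
cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:app.example.test\n' > leaf.ext
for name in root int leaf; do   # one key + CSR each
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-$name" \
    -keyout "$name.key" -out "$name.csr" 2>/dev/null
done
openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out root.crt 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -days 30 \
  -extfile ca.ext -out int.crt 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial -days 30 \
  -extfile leaf.ext -out leaf.crt 2>/dev/null
cat int.crt root.crt > chain.pem
# What the MX needs: key + leaf + intermediate + root in one PFX
openssl pkcs12 -export -inkey leaf.key -in leaf.crt -certfile chain.pem -passout "$PASS" -out full.pfx
# The mistake discussed in the thread: key + leaf only, no intermediate
openssl pkcs12 -export -inkey leaf.key -in leaf.crt -passout "$PASS" -out leaf-only.pfx
echo "full.pfx:      $(pfx_chain_status full.pfx "$PASS" root.crt)"        # 3 chain-ok
echo "leaf-only.pfx: $(pfx_chain_status leaf-only.pfx "$PASS" root.crt)"   # 1 chain-broken
```

For a real PFX, run `pfx_chain_status` against it with the public root of your CA; a result other than `chain-ok` means browsers will see the same "server is not sending the required intermediate certificate" error once TRP terminates the TLS session.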