
Chain Issues, Incorrect order contains anchor

Question asked by Mark Haddon on Jun 6, 2019
Latest reply on Jun 11, 2019 by Mark Haddon

Sorry if this is posted to the wrong place


I'm migrating from TMG to Loadbalancer for reverse proxy and I'm a bit confused about why the same cert passes SSL Labs server scans for TMG reverse proxied sites but shows chain issues (incorrect order, contains anchor) for sites loadbalanced through Loadbalancer.org virtual appliances. 


https://www.ssllabs.com/ssltest/analyze.html?d=generationne.co.uk&hideResults=on


I usually export the site certs from the TMG server into a pfx cert with private key, all certificates and extended properties and then install this pfx onto Loadbalancer.  I think that Loadbalancer converts the pfx cert to a pem cert as part of the import process.


If I run a shell command to view the cert content it does look as if the cert is in an incorrect order with the root cert coming second.  I've cut out a lot of data for this and I'm just showing section headers (probably unnecessarily)


Bag Attributes
    Microsoft Local Key set: <No Values>
    localKeyID: 
    friendlyName: 
    Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
Key Attributes
    X509v3 Key Usage:
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----

Bag Attributes
    localKeyID: 
    friendlyName: our website certificate
subject=/C=
issuer=/C=BM/O=QuoVadis Limited/CN=QuoVadis Global SSL ICA G3
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Bag Attributes
    friendlyName: QuoVadis Root CA 2 G3
subject=/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2 G3
issuer=/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2 G3
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Bag Attributes
subject=/C=BM/O=QuoVadis Limited/CN=QuoVadis Global SSL ICA G3
issuer=/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2 G3
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----


Is it possible that Loadbalancer is actually showing the cert as it is and that TMG is somehow changing the way the cert is presented?  And by TMG I suppose I mean Windows 2008 R2.  Yeah I know, hence the migration to Loadbalancer  


Anyone have any ideas?   I have to be honest in that I find a lot of cert/security stuff to be black magic 
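Added example (not from the post, nor from Loadbalancer.org or SSL Labs): a small Python script that reads text in the shape of the `openssl pkcs12 -nodes` dump shown above, reports the two SSL Labs complaints ("contains anchor" when a self-signed root is in the bundle, "incorrect order" when the certificates do not run leaf, then issuer, then issuer's issuer), and rebuilds the bundle leaf-first with the root left out. The sample bundle and its placeholder PEM bodies are constructed; the subject names follow the post.

```python
import re
# Constructed sample in the shape of `openssl pkcs12 -in site.pfx -nodes` output,
# with PEM bodies replaced by placeholders; CA names follow the post.
SAMPLE = """\
subject=/C=GB/O=Example Ltd/CN=www.example.co.uk
issuer=/C=BM/O=QuoVadis Limited/CN=QuoVadis Global SSL ICA G3
-----BEGIN CERTIFICATE-----
LEAF-PLACEHOLDER
-----END CERTIFICATE-----
subject=/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2 G3
issuer=/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2 G3
-----BEGIN CERTIFICATE-----
ROOT-PLACEHOLDER
-----END CERTIFICATE-----
subject=/C=BM/O=QuoVadis Limited/CN=QuoVadis Global SSL ICA G3
issuer=/C=BM/O=QuoVadis Limited/CN=QuoVadis Root CA 2 G3
-----BEGIN CERTIFICATE-----
ICA-PLACEHOLDER
-----END CERTIFICATE-----
"""
# One certificate = subject line, issuer line, PEM body; key and Bag Attributes lines are skipped.
BLOCK = re.compile(r"subject=([^\n]*)\nissuer=([^\n]*)\n"
                   r"(-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----)", re.S)

def parse_certs(text):
    """(subject, issuer, pem) tuples in the order they appear in the file."""
    return [(s.strip(), i.strip(), p) for s, i, p in BLOCK.findall(text)]

def order_chain(certs):
    """Leaf first, each cert followed by its issuer, stopping before the self-signed root."""
    by_subject = {c[0]: c for c in certs}
    issuers = {i for _, i, _ in certs}
    leaves = [c for c in certs if c[0] not in issuers and c[0] != c[1]]
    if len(leaves) != 1:
        raise ValueError("expected one leaf certificate, found %d" % len(leaves))
    chain, cur = [], leaves[0]
    while cur is not None and cur[0] != cur[1]:   # self-signed = trust anchor, not served
        chain.append(cur)
        cur = by_subject.get(cur[1])              # None when an intermediate is missing
    return chain

def diagnose(certs):
    """The two SSL Labs chain complaints from the post, for the bundle as stored."""
    issues = []
    if any(s == i for s, i, _ in certs):
        issues.append("contains anchor")
    ordered = order_chain(certs)
    if certs[:len(ordered)] != ordered:
        issues.append("incorrect order")
    return issues
```

Joining the PEM bodies returned by `order_chain` gives the bundle a reverse proxy should present (leaf, then intermediates); the root stays in the client's trust store, not in the served chain.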
