
Multiple Certification Paths

Question asked by Kev Johnson on May 13, 2014
Latest reply on Aug 24, 2015 by Ben Spradlin

I'm trying to troubleshoot an issue with a site which is only rearing its head when accessed through Android devices. I recreated the keys and certs for the site and then installed them - all well and good. My issue is that when the app accesses the site from an Android device I get an "untrusted cert" error.


...so I ran it through the checker and was confused to see that there are 2 certification paths (both trusted). The first shows the chain that I built up after recreating the keys and cert (including the intermediate and root certs in the chain), then the second shows my site cert, the intermediate and at that point it gets strange...


First, the working chain:

  2  Sent by server                  COMODO SSL CA
     SHA1: b4c66180c520bad688470ef80bb22beba8391c22
     RSA 2048 bits / SHA1withRSA
  3  Sent by server, in trust store  AddTrust External CA Root
     SHA1: 02faf3e291435468607857694df5e45b68851868
     RSA 2048 bits / SHA1withRSA

And now the broken chain:

  2  Sent by server                  COMODO SSL CA
     SHA1: b4c66180c520bad688470ef80bb22beba8391c22
     RSA 2048 bits / SHA1withRSA
  3  Extra download                  AddTrust External CA Root
     SHA1: 53845e9fd070b7aa36976f536ff1441c578c63d2
     RSA 2048 bits / SHA1withRSA
  4  In trust store                  UTN - DATACorp SGC
     SHA1: 58119f0e128287ea50fdd987456f4f78dcfad6d4
     RSA 2048 bits / SHA1withRSA

That second cert is fine - the thumbprint matches the one in the first chain. The third cert however is what causes me concern, as that then replaces the root cert from the first chain with an intermediate which has a different thumbprint to the working chain. I have no idea how this would work, as from my (granted, very basic) understanding of SSL it shouldn't be possible for an intermediate key to be issued by a root authority AND an intermediate at the same time. As such: riddle me this - what does the fact that there are 2 chains mean, and can you offer any advice on how to fix this?
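The two-path situation the checker reports, reproduced as an added example that is not part of the original post or of any CA's real certificates. The Go program below (standard library crypto/x509 only) builds a toy PKI in which one CA key is certified twice: once self-signed, and once cross-signed by an older root. That is exactly the relationship between the two "AddTrust External CA Root" entries above: same subject and same key, two different certificates, so two different SHA1 fingerprints, because a fingerprint hashes the whole certificate (issuer and signature included), not just the key. All names, serial numbers and the hostname www.example.test are made up for the example. It then asks Go's chain builder for every valid path under three different combinations of trust store and server-sent certificates, which is what decides whether a client sees one path, two paths, or an "untrusted cert" error.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Toy PKI with the shape of the chains in the post; every name and serial is
// made up for this example. newRootCross has the SAME subject and key as
// newRootSelf but is issued by oldRoot (a cross-certificate).
type pki struct {
	oldRoot, newRootSelf, newRootCross, intermediate, leaf *x509.Certificate
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func tmpl(cn string, serial int64, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	} else {
		t.DNSNames = []string{"www.example.test"}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// issue signs template for pub with signer; a nil parent means self-signed.
func issue(template *x509.Certificate, pub *rsa.PublicKey, parent *x509.Certificate, signer *rsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = template
	}
	der := must(x509.CreateCertificate(rand.Reader, template, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

func buildPKI() pki {
	newKey := func() *rsa.PrivateKey { return must(rsa.GenerateKey(rand.Reader, 2048)) }
	oldK, rootK, intK, leafK := newKey(), newKey(), newKey(), newKey()
	var p pki
	p.oldRoot = issue(tmpl("Old Root", 1, true), &oldK.PublicKey, nil, oldK)
	p.newRootSelf = issue(tmpl("New Root", 2, true), &rootK.PublicKey, nil, rootK)
	p.newRootCross = issue(tmpl("New Root", 3, true), &rootK.PublicKey, p.oldRoot, oldK) // cross-signed
	p.intermediate = issue(tmpl("Intermediate CA", 4, true), &intK.PublicKey, p.newRootSelf, rootK)
	p.leaf = issue(tmpl("www.example.test", 5, false), &leafK.PublicKey, p.intermediate, intK)
	return p
}

func pool(certs ...*x509.Certificate) *x509.CertPool {
	cp := x509.NewCertPool()
	for _, c := range certs {
		cp.AddCert(c)
	}
	return cp
}

// pathLengths validates the leaf against a trust store plus the certificates the
// server sent, returning the length of every valid path; nil means "untrusted cert".
func pathLengths(p pki, roots, sent *x509.CertPool) []int {
	chains, err := p.leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: sent, DNSName: "www.example.test"})
	if err != nil {
		return nil
	}
	var lengths []int
	for _, ch := range chains {
		lengths = append(lengths, len(ch))
	}
	return lengths
}

func main() {
	p := buildPKI()
	fmt.Printf("self-signed root  SHA1: %x\n", sha1.Sum(p.newRootSelf.Raw))
	fmt.Printf("cross-signed root SHA1: %x\n", sha1.Sum(p.newRootCross.Raw))
	fmt.Println("same public key:", p.newRootSelf.PublicKey.(*rsa.PublicKey).Equal(p.newRootCross.PublicKey))
	// 1. Store holds both roots, server sends intermediate + cross-cert: two paths, 3 and 4 long.
	fmt.Println("both roots + cross-cert :", pathLengths(p, pool(p.newRootSelf, p.oldRoot), pool(p.intermediate, p.newRootCross)))
	// 2. Store holds only the old root and nobody supplies the cross-cert: untrusted.
	fmt.Println("old root, no cross-cert :", pathLengths(p, pool(p.oldRoot), pool(p.intermediate)))
	// 3. Same store, but the server now sends the cross-cert: one path, 4 long.
	fmt.Println("old root + cross-cert   :", pathLengths(p, pool(p.oldRoot), pool(p.intermediate, p.newRootCross)))
}
```

Case 1 is what the checker is doing: it trusts both roots and goes and fetches the cross-certificate itself (the "Extra download" line), so it can report two trusted paths. Case 2 is the failure mode a client hits when its store contains only the older root and it does not fetch missing issuers on its own: the intermediate's issuer cannot be found and the certificate is reported as untrusted, even though the server's own chain is fine for a client that already trusts the newer root. Case 3 shows the usual remedy, which is for the server to send the cross-certificate along with the intermediate; a client that trusts the newer root simply ignores it, while a client that trusts only the older root gets a complete path. Note that the example signs with the Go default (SHA-256 with RSA) rather than SHA1withRSA as in the chains above, since current Go releases reject SHA-1 certificate signatures.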
