Hi everyone. I'm really not an SSL/TLS expert or too familiar with certificates and chains, so this will be a noob question. Bear with me.
I'm running CentOS 6.5 and using Squid reverse proxy. I ran the scan tool against my website. I get this:
Additional Certificates (if supplied)
Certificates provided: 3 (3744 bytes)
Chain issues: Incomplete, Extra certs, Contains anchor

Path #1: Trusted
1  Sent by server      outlook.philrigby.us
                       RSA 2048 bits / SHA256withRSA
2  Extra download      COMODO RSA Domain Validation Secure Server CA
                       RSA 2048 bits / SHA384withRSA
3  Extra download      COMODO RSA Certification Authority
                       RSA 4096 bits / SHA384withRSA
4  Sent by server /    AddTrust External CA Root
   In trust store      RSA 2048 bits / SHA1withRSA
                       Weak or insecure signature, but no impact on root certificates
So, my questions/issues are:
My chain is incomplete, yet I have "extra" certs?
In the path, #2 and #3 are saying "extra download" - does that mean I have to download and install them? I have all the certs that Comodo provide and I've put them in ca-bundle.crt. Or does it mean the client has to download them from the server?
Also, I can't get Forward Secrecy to work, but I think that'll be another discussion topic.
Any help/advice appreciated!
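The following is an added example, not part of the original post and not code from SSL Labs, Squid or Comodo. It models the logic behind the "Path #1" table and the "Chain issues" labels quoted above: a certificate is reduced to (subject, issuer), the names are the ones in the scan output, and the issuer links (COMODO RSA Certification Authority cross-signed by AddTrust External CA Root), the trust store and the pool of "Extra download" intermediates are constructed assumptions. The labels it computes are this example's own approximation of the scanner's wording. Running it with the server sending only the leaf and the AddTrust root reproduces the quoted path (two "Extra download" rows) and all three issues; `recommended_bundle` then shows the order the server should actually send: leaf, then intermediates, with the root omitted.

```python
"""Chain diagnostics modelled on the scan report quoted in the post.

Added example, not from the original post or from SSL Labs/Squid/Comodo.
Certificates are reduced to (subject, issuer); names come from the report,
the issuer topology and the downloadable-intermediate pool are constructed.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


# Names taken from the scan output; the issuer links are the assumed topology.
LEAF = Cert("outlook.philrigby.us",
            "COMODO RSA Domain Validation Secure Server CA")
DV_CA = Cert("COMODO RSA Domain Validation Secure Server CA",
             "COMODO RSA Certification Authority")
COMODO_CA_XSIGNED = Cert("COMODO RSA Certification Authority",
                         "AddTrust External CA Root")
ADDTRUST_ROOT = Cert("AddTrust External CA Root", "AddTrust External CA Root")

TRUST_STORE = frozenset({ADDTRUST_ROOT})
# Intermediates a scanner can fetch on its own ("Extra download"); constructed.
# Many real clients cannot do this, which is why the server must send them.
INTERMEDIATE_CACHE = frozenset({DV_CA, COMODO_CA_XSIGNED})


def _find(subject: str, pool: Iterable[Cert]) -> Optional[Cert]:
    return next((c for c in pool if c.subject == subject), None)


def build_path(sent, trust_store=TRUST_STORE, cache=INTERMEDIATE_CACHE):
    """Follow issuer links from the leaf (sent[0]) up to a trust anchor.

    Returns [(cert, source), ...] like the 'Path #1' table; source is one of
    'Sent by server', 'In trust store', 'Extra download'.
    """
    leaf = sent[0]
    path = [(leaf, "Sent by server")]
    current, seen = leaf, {leaf}
    while current not in trust_store:
        if current.self_signed:
            break  # self-signed but not trusted: nothing further to follow
        nxt, source = _find(current.issuer, sent), "Sent by server"
        if nxt is None:
            nxt, source = _find(current.issuer, trust_store), "In trust store"
        if nxt is None:
            nxt, source = _find(current.issuer, cache), "Extra download"
        if nxt is None or nxt in seen:
            break  # issuer not available anywhere (or a loop): path stays open
        path.append((nxt, source))
        seen.add(nxt)
        current = nxt
    return path


def chain_issues(sent, trust_store=TRUST_STORE, cache=INTERMEDIATE_CACHE):
    """Approximate the 'Chain issues' labels for what the server sent."""
    path = build_path(sent, trust_store, cache)
    issues = []
    if path[-1][0] not in trust_store:
        issues.append("Untrusted")         # never reached an anchor
    if any(src == "Extra download" for _, src in path):
        issues.append("Incomplete")        # a needed intermediate was not sent
    needed = {c for c, _ in path if c not in trust_store}
    if any(c not in needed for c in sent):
        issues.append("Extra certs")       # sent but not needed (roots included)
    if any(c in trust_store for c in sent):
        issues.append("Contains anchor")   # root shipped although clients have it
    return issues


def recommended_bundle(leaf, pool, trust_store=TRUST_STORE):
    """Leaf followed by its intermediates, stopping before the trusted root."""
    anchors = {c.subject for c in trust_store}
    out, current = [leaf], leaf
    while current.issuer not in anchors and not current.self_signed:
        nxt = _find(current.issuer, pool)
        if nxt is None:
            raise ValueError(f"no issuer for {current.subject!r} in pool")
        out.append(nxt)
        current = nxt
    return out


if __name__ == "__main__":
    as_deployed = [LEAF, ADDTRUST_ROOT]    # leaf + root, no intermediates
    for cert, src in build_path(as_deployed):
        print(f"{src:15} {cert.subject}")
    print("Chain issues:", ", ".join(chain_issues(as_deployed)) or "none")
    fixed = recommended_bundle(LEAF, INTERMEDIATE_CACHE)
    print("Send instead:", [c.subject for c in fixed])
    print("Chain issues after fix:", ", ".join(chain_issues(fixed)) or "none")
```

The point the model makes concrete: "Extra download" means the scanner fetched the intermediate itself because the server did not send it, so the fix is on the server side (put the leaf plus the two intermediates, in that order, in the file Squid serves), and the root is what counts as the extra cert, since the client already has it in its trust store.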