
Problem Http Public Key Pinning - Two different Root Certificates

Question asked by Jürgen Auer on Aug 4, 2017
Latest reply on Aug 5, 2017 by Jürgen Auer

Hello @All,

first, I had a mysterious observation. Now I found the reason, but it's again mysterious.

I am using HTTP Public Key Pinning with *.server-daten.de. The root certificate is pinned. No problem.

Now I moved a second domain, sql-und-xml.de, to the same IP address. Own www service, own new certificate.

Added HPKP with the root certificate, using the Pin SHA256 information found with https://www.ssllabs.com/ssltest/ .

This is the "GlobalSign Root CA" / Pin SHA256: K87oWBWM9UZfyddvDfoxL+8lpNyoUB2ptGtn0fv6G2Q= .

Tested with a Firefox browser there: all worked, no warning.

Tested with a Firefox browser locally: red warnings:

> Public-Key-Pins: The site specified a header that did not contain a matching pin entry. [Learn more]

The same, current browser, used in two different places: one is OK, the other is broken.

First idea: a conflict with the other domain at the same IP. A misconfiguration. Possible? Who knows?

Second idea: a Firefox bug?

Third idea: my local computer has a problem, a man in the middle? But the second and the third certificate are the same.

Then I pinned the second certificate, AlphaSSL CA - SHA256 - G2. No problem, no warnings.

--

The solution:

On the local machine, the root certificate is "GlobalSign Root CA - R3" (Windows 10).

GlobalSign Root CA R3

On the other machine, the root certificate is "GlobalSign Root CA" (Windows 2012 Server).

GlobalSign Root CA

So the same second certificate has different root certificates. And pinning the root certificate produced the problem with a browser that knows only the other root certificate.

Is it possible (SSL check) to show these two different root certificates?

Thanks!
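The failure described in this post is the classic HPKP trap: a pin matches if any certificate in the chain the client actually validated carries the pinned SubjectPublicKeyInfo, and a cross-signed intermediate can chain to different roots in different trust stores, so a pin on one root passes on one machine and fails on another. The following is an added example (not code from the poster or from SSL Labs) showing how a pin is computed and how pin validation behaves for the two chains. It uses only the Python standard library: a minimal DER walker extracts the SubjectPublicKeyInfo, the pin is base64(SHA-256(SPKI DER)) per RFC 7469, and the sample "certificates" are constructed DER blobs that mimic X.509 v3 layout with distinct (non-valid) EC keys; they are not the GlobalSign or AlphaSSL certificates, whose real pins (other than the one quoted above) are not on this page. Feed `pin_from_cert` a real DER certificate (e.g. `openssl x509 -in cert.pem -outform DER`) to get the value SSL Labs reports. Note that HPKP has since been removed from Chrome and Firefox, so this is mainly of historical and diagnostic interest.

```python
import base64
import hashlib

# ---- minimal DER helpers, enough to pull SubjectPublicKeyInfo out of a certificate ----

def _der(tag, body):
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _tlv(buf, pos):
    """Decode the TLV header at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Iterate sibling TLVs in buf[start:end] as (tag, v_start, v_end, tlv_start, tlv_end)."""
    pos = start
    while pos < end:
        tag, v_start, v_end = _tlv(buf, pos)
        yield tag, v_start, v_end, pos, v_end
        pos = v_end


def spki_from_cert(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { version [0] OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, c_start, c_end = _tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    tbs = next(_children(cert_der, c_start, c_end))
    fields = list(_children(cert_der, tbs[1], tbs[2]))
    if fields[0][0] == 0xA0:                # explicit [0] version present (v2/v3)
        fields = fields[1:]
    spki = fields[5]
    if spki[0] != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert_der[spki[3]:spki[4]]        # whole TLV, as RFC 7469 hashes it


# ---- HPKP (RFC 7469) ----

def pin_sha256(spki_der):
    """pin-sha256 value: base64 of SHA-256 over the DER SubjectPublicKeyInfo."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def pin_from_cert(cert_der):
    return pin_sha256(spki_from_cert(cert_der))


def hpkp_header(pins, max_age=5184000, include_subdomains=False):
    """Build a Public-Key-Pins header; RFC 7469 requires a backup pin, hence >= 2."""
    if len(pins) < 2:
        raise ValueError("HPKP needs at least two pins (one must be a backup)")
    parts = ['pin-sha256="%s"' % p for p in pins] + ["max-age=%d" % max_age]
    if include_subdomains:
        parts.append("includeSubDomains")
    return "Public-Key-Pins: " + "; ".join(parts)


def pins_match_chain(pin_set, chain_pins):
    """Pin validation succeeds if any pinned SPKI appears anywhere in the *validated* chain."""
    return any(p in pin_set for p in chain_pins)


# ---- constructed sample certificates (structure only: no real keys, no real signatures) ----

_OID_EC_PUBKEY = bytes.fromhex("06072a8648ce3d0201")        # 1.2.840.10045.2.1
_OID_P256 = bytes.fromhex("06082a8648ce3d030107")           # 1.2.840.10045.3.1.7
_OID_ECDSA_SHA256 = bytes.fromhex("06082a8648ce3d040302")   # 1.2.840.10045.4.3.2


def _sample_spki(seed):
    point = b"\x04" + bytes((seed + i) % 256 for i in range(64))   # not a valid curve point
    return _der(0x30, _der(0x30, _OID_EC_PUBKEY + _OID_P256) + _der(0x03, b"\x00" + point))


def _sample_cert(seed):
    """A DER blob with X.509 v3 layout and a distinct public key per seed (constructed)."""
    version = _der(0xA0, _der(0x02, b"\x02"))
    serial = _der(0x02, bytes([seed]))
    sig_alg = _der(0x30, _OID_ECDSA_SHA256)
    name, utc = _der(0x30, b""), _der(0x17, b"170804000000Z")
    tbs = _der(0x30, version + serial + sig_alg + name + _der(0x30, utc + utc) + name + _sample_spki(seed))
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00" * 9))


def scenario():
    """Same leaf and intermediate; two trust stores build chains to different roots."""
    leaf, inter, root_old, root_r3 = (_sample_cert(s) for s in (1, 2, 3, 4))
    chain_2012 = [pin_from_cert(c) for c in (leaf, inter, root_old)]   # store with the old root
    chain_win10 = [pin_from_cert(c) for c in (leaf, inter, root_r3)]   # store with the R3 root
    p_old, p_r3, p_inter = (pin_from_cert(c) for c in (root_old, root_r3, inter))
    return {
        "pin_old_root_only": (pins_match_chain({p_old}, chain_2012), pins_match_chain({p_old}, chain_win10)),
        "pin_intermediate": (pins_match_chain({p_inter}, chain_2012), pins_match_chain({p_inter}, chain_win10)),
        "pin_both_roots": (pins_match_chain({p_old, p_r3}, chain_2012), pins_match_chain({p_old, p_r3}, chain_win10)),
        "header": hpkp_header([p_inter, p_old, p_r3]),
    }


if __name__ == "__main__":
    for name, result in scenario().items():
        print(name, result)
```

`scenario()` reproduces the post: pinning only the old root passes on the machine whose store chains to it and fails on the one that chains to R3, while pinning the shared intermediate (what the poster did with AlphaSSL CA - SHA256 - G2) or both roots passes in both stores. The safe practice is to pin something every client will see in its validated chain, and always ship a backup pin for a key you hold offline.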
