Monthly Archives: June 2011

SSL certificate weirdness

Recently we moved the WOU forums server to a better machine, but then we noticed that Internet Explorer was no longer accepting the server’s SSL certificate, so it couldn’t make a secure connection. Firefox, on the other hand, was perfectly fine with the cert and established a perfectly valid SSL connection.

Those of you who are all up on modern web security practices probably recognize this problem already, but I didn’t have the relevant information and was completely boggled.

When I looked at our certificate vendor’s support site for the third or fourth time, I found a certificate installation checker. It was right there on the support homepage all along, but I guess you tend to miss things if you’re only focusing on your latest guess rather than keeping the main problem in your mind.
Anyway, this checker lets you enter a hostname and port, and it will tell you if the cert on that connection is valid and, if not, what’s wrong with it. That told me that the forums server was missing two intermediate CA certs. I didn’t understand what was up with that, but it gave me the certs to install, so I shrugged and dropped them into the webserver’s cert DB, and voilà: IE quit complaining and reported a valid secure connection.
I still didn’t understand what was going on and why that solution worked, so I did a bit of digging around.
Apparently in recent years, certification authorities have moved from signing customer certs directly with a root certificate, to signing them with an intermediate certificate which is signed by the CA’s root (or possibly by a higher-level intermediate cert that is signed by the root). All modern browsers come with root certs from many different certification authorities, but that is no longer enough by itself because most site certs are no longer directly signed by the CA root.
Firefox ships with a bunch of intermediate certs installed by default, so it can validate certs from sites that don’t send the whole chain. IE, on the other hand, only has the root certs, so unless a webserver sends the intermediate certs along with its own, IE users are out of luck (insert obligatory Firefox-is-better assertion here).
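Here is an added example, not from this post, that reproduces the failure in code so you can see exactly what the browser is doing. It uses only Go’s standard library to build a throwaway PKI in memory (root CA, intermediate CA, and a server cert; the names and the hostname forums.example.test are made up for the example) and then verifies the server cert the way a client that trusts only the root would: once with nothing but the leaf, as the misconfigured forums server was sending it, and once with the intermediate included, as it sends it after the fix.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert issues a certificate for template, signed by parent with parentKey.
// When parent is nil the certificate is self-signed (used for the root CA).
func makeCert(template, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := key
	if parent == nil {
		parent = template
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, template, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Chain holds the constructed test PKI: Root signs Intermediate, Intermediate signs Leaf.
type Chain struct {
	Root, Intermediate, Leaf *x509.Certificate
}

// BuildChain constructs the throwaway PKI. All names are hypothetical, not the post's.
func BuildChain() Chain {
	now := time.Now()
	caTemplate := func(cn string, serial int64) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber:          big.NewInt(serial),
			Subject:               pkix.Name{CommonName: cn},
			NotBefore:             now.Add(-time.Hour),
			NotAfter:              now.Add(24 * time.Hour),
			IsCA:                  true,
			BasicConstraintsValid: true,
			KeyUsage:              x509.KeyUsageCertSign,
		}
	}
	root, rootKey := makeCert(caTemplate("Example Root CA", 1), nil, nil)
	inter, interKey := makeCert(caTemplate("Example Intermediate CA", 2), root, rootKey)
	leafTemplate := &x509.Certificate{
		SerialNumber: big.NewInt(3),
		Subject:      pkix.Name{CommonName: "forums.example.test"},
		DNSNames:     []string{"forums.example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _ := makeCert(leafTemplate, inter, interKey)
	return Chain{Root: root, Intermediate: inter, Leaf: leaf}
}

// VerifyPresented plays the role of a browser that trusts only the root CA (like IE in
// the post): it must build the path root -> leaf using only the extra certificates the
// server presented alongside its own. A nil error means the chain verified.
func VerifyPresented(c Chain, presented []*x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(c.Root)
	intermediates := x509.NewCertPool()
	for _, cert := range presented {
		intermediates.AddCert(cert)
	}
	_, err := c.Leaf.Verify(x509.VerifyOptions{
		DNSName:       "forums.example.test",
		Roots:         roots,
		Intermediates: intermediates,
	})
	return err
}

func main() {
	c := BuildChain()
	// Server sends only its own cert: fails with an "unknown authority" style error.
	fmt.Println("leaf only:", VerifyPresented(c, nil))
	// Server sends leaf + intermediate: verifies against the root alone.
	fmt.Println("leaf + intermediate:", VerifyPresented(c, []*x509.Certificate{c.Intermediate}))
}
```

The first call fails because the verifier has no way to link the leaf to the root it trusts; the second succeeds because the server supplied the missing link. A pre-installed intermediate store (what Firefox had) papers over the first case, which is why the site looked fine in one browser and broken in the other. To see what a real server is actually sending, `openssl s_client -connect host:443 -showcerts` prints every certificate in the handshake, so a chain that stops at the leaf is visible immediately.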
I suppose at some point I could explain about SSL and certificates and signing and all that, but maybe later.