Thank You for reading.
I have a test server built where I am trying to implement an encrypted communication using SSL/TLS. The communication is between IIS (web server, where the asp.net application is published) and NGINX at the remote server.
I am having a problem establishing communication, as IIS sends an empty certificate to NGINX when NGINX sends a certificate request to IIS. The intermediate certificate in the Windows server is what NGINX is expecting.
I have found that there is a broken link between SSL certificate of ASP.NET application and the intermediate certificate.
This is the in-house dev environment, so the ssl/tls communication should be established using a self-assigned certificate only.
Now, when I checked the SSL using an online checker, I received the following snapshot.
I believe that the broken link here may be the reason for the lack of encrypted communication. I am not sure.
Thank You for reading my post.
Answer
Your chain has no intermediates, so they can't be sent.
Over TLS the End-Entity certificate (either client or server auth, depending on who is sending it) is transmitted, along with any intermediates, but NOT the self-issued root certificate.
Your system will need to have already had the root certificate to determine trust, and your system will need to have already had a way of building chains, so the TLS implementors decided that sending the root certificate is a waste of bytes on the wire.
* Root
|
-- * Intermediate 1
   |
   -- * Intermediate 2
      |
      -- * Intermediate 3
         |
         ...
         |
         -- * End-Entity / Leaf
Most modern infrastructure is Root -> One Intermediate -> End-Entity.
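To see the rule from the answer in action, here is an added example (not part of the question or the answer) that builds a throwaway Root -> Intermediate -> Leaf chain with the openssl CLI and checks which combinations let the leaf verify. It assumes openssl 1.1.1 or newer is installed; all subject names are constructed for the example.

```shell
#!/bin/sh
# Build a dev chain Root -> Intermediate -> Leaf, then check which certificate
# sets let the leaf verify. Mirrors the TLS rule from the answer: the peer must
# send the leaf plus the intermediates; the root must already be in the
# verifier's trust store. All names here are constructed for the example.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Minimal openssl config so the script does not depend on a system openssl.cnf.
printf '[req]\ndistinguished_name=dn\nx509_extensions=ca\n[dn]\n[ca]\nbasicConstraints=critical,CA:TRUE\n' > req.cnf

make_chain() {
    # Self-signed root: installed locally on the verifier, never sent on the wire.
    openssl req -x509 -config req.cnf -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Dev Root" -keyout root.key -out root.pem 2>/dev/null
    # Intermediate CA, issued by the root.
    openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=Dev Intermediate" -keyout int.key -out int.csr 2>/dev/null
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
        -days 1 -extfile req.cnf -extensions ca -out int.pem 2>/dev/null
    # End-entity (leaf) certificate, issued by the intermediate.
    openssl req -new -config req.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=app.dev.local" -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
        -days 1 -out leaf.pem 2>/dev/null
}

# Leaf alone with the root trusted: the link to the root is missing, so this fails.
verify_leaf_alone() {
    openssl verify -CAfile root.pem leaf.pem >/dev/null 2>&1
}
# Leaf plus intermediate (what a correctly configured peer sends), root trusted: succeeds.
verify_leaf_with_intermediate() {
    openssl verify -CAfile root.pem -untrusted int.pem leaf.pem >/dev/null 2>&1
}
# Only the intermediate trusted, root not installed: fails, there is no self-signed trust anchor.
verify_without_root() {
    openssl verify -CAfile int.pem leaf.pem >/dev/null 2>&1
}

make_chain
for check in verify_leaf_alone verify_leaf_with_intermediate verify_without_root; do
    if "$check"; then echo "$check: OK"; else echo "$check: FAILED"; fi
done
```

Only the middle check succeeds, which is exactly the state a server should present: leaf and intermediate on the wire, root pre-installed on the client.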