Thursday, August 9, 2007

Embedding an Intermediate Certificate Into Your SSL Certificate

Based on the number of forum postings and blog entries that I have run across, VeriSign's expired intermediate certificate still continues to be a problem for many people, so I didn't feel too bad when it started causing trouble for us recently.

When you get a cert from VeriSign, they don't actually sign it directly with their root CA cert.  Instead, they sign it with an intermediate cert that has in turn been signed by the root cert.  This is a sensible arrangement: the root key can be kept offline and its exposure limited, while customers still get a cert that chains up to a trusted root.

The crux of the issue is validation of the cert chain.  Every cert in the chain, from the server cert up to a trusted root, has to be valid in order for the SSL cert itself to be considered valid.  The problem is that there are still a lot of applications (mainly browsers) out there whose cert stores hold an expired copy of VeriSign's intermediate cert, even though a renewed version has been available for quite a while.  A client that builds its chain through the stale copy rejects an otherwise perfectly good server cert.

Since SSL certs are most commonly used by web servers, the usual fix is simply to make sure the server sends the renewed intermediate cert along with its own cert during the handshake, so the client does not have to rely on whatever copy it has locally.  VeriSign provides clear directions on how to do this for all of the major web servers.  However, if the SSL cert is being used by a less common web server, or in a third party tool's web administration console, things may get a little more complicated.  In those cases, it may be easier just to embed the intermediate cert directly into the file that holds the SSL cert.

You can do this with OpenSSL, which builds a PKCS#12 bundle containing the server cert, its private key, and the intermediate cert, by issuing the following command:

openssl pkcs12 -export -in <VeriSignIssuedCert> -out <NewSSLCert> -inkey <KeyUsedToCreateCSRRequest> -certfile <VeriSignIntermediateCert>

Because the output contains the private key, OpenSSL will prompt for an export password; use a strong one, and keep the resulting file's permissions as tight as you would for the key itself.

Once the intermediate cert is embedded, the server presents it together with the SSL cert, so the client application no longer needs a (possibly stale) local copy.  And better yet, it also means you don't have to remember to install the intermediate separately in the cert store of every new web server that you create.  Just remember that the bundle has to be rebuilt whenever either the server cert or the intermediate is renewed.
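To see the chain problem and the fix end to end, here is an added example (not code from the original post) that uses openssl to build a throw-away root, intermediate and server cert, shows that the server cert fails validation when only the root is trusted, and then runs the post's pkcs12 -export command and pulls the chain back out of the bundle.  Every name in it (Demo Root CA, www.example.com, the password changeit, the file names) is made up for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the original post: build a throw-away
# root -> intermediate -> server chain with openssl, show that the server
# cert alone fails validation when only the root is trusted, and show that
# the PKCS#12 bundle made with "openssl pkcs12 -export ... -certfile"
# carries the intermediate along. All names and the password are made up.

# Minimal config: an empty DN section (we pass -subj on the command line)
# plus extension profiles for CA certs and for the server (leaf) cert.
write_cnf() {
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com
EOF
}

# Root signs the intermediate, the intermediate signs the server cert:
# the same shape as the VeriSign hierarchy described in the post.
build_chain() {
    dir=$1
    write_cnf "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/root.key" \
        -out "$dir/root.crt" -subj "/CN=Demo Root CA" -days 365 \
        -config "$dir/ca.cnf" -extensions v3_ca || return 1
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/int.key" \
        -out "$dir/int.csr" -subj "/CN=Demo Intermediate CA" \
        -config "$dir/ca.cnf" || return 1
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" \
        -CAkey "$dir/root.key" -CAcreateserial -days 365 \
        -extfile "$dir/ca.cnf" -extensions v3_ca -out "$dir/int.crt" || return 1
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/server.key" \
        -out "$dir/server.csr" -subj "/CN=www.example.com" \
        -config "$dir/ca.cnf" || return 1
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/int.crt" \
        -CAkey "$dir/int.key" -CAcreateserial -days 365 \
        -extfile "$dir/ca.cnf" -extensions v3_leaf -out "$dir/server.crt"
}

# The post's command. The .p12 also holds the private key, so in practice
# it needs a real passphrase and tight file permissions; "changeit" is a
# placeholder, and a literal pass: argument shows up in the process list.
make_bundle() {
    dir=$1
    openssl pkcs12 -export -in "$dir/server.crt" -inkey "$dir/server.key" \
        -certfile "$dir/int.crt" -out "$dir/server.p12" -passout pass:changeit
}

# Validate the server cert trusting only the root, optionally with a file of
# extra untrusted certs (what a client is handed during the handshake).
# Prints OK or FAIL.
verify_leaf() {
    dir=$1
    extra=$2
    if [ -n "$extra" ]; then
        openssl verify -CAfile "$dir/root.crt" -untrusted "$extra" \
            "$dir/server.crt" >/dev/null 2>&1 && echo OK || echo FAIL
    else
        openssl verify -CAfile "$dir/root.crt" \
            "$dir/server.crt" >/dev/null 2>&1 && echo OK || echo FAIL
    fi
}

# Pull every certificate back out of the bundle into chain.pem and report
# how many there are (2 = server cert plus the embedded intermediate).
chain_from_bundle() {
    dir=$1
    openssl pkcs12 -in "$dir/server.p12" -nokeys -passin pass:changeit \
        -out "$dir/chain.pem" 2>/dev/null || return 1
    grep -c 'BEGIN CERTIFICATE' "$dir/chain.pem"
}

main() {
    demo=$(mktemp -d)
    build_chain "$demo" 2>/dev/null   # drop 2>/dev/null to see openssl's chatter
    echo "server.crt alone, only root trusted:  $(verify_leaf "$demo" "")"
    echo "server.crt plus int.crt:              $(verify_leaf "$demo" "$demo/int.crt")"
    make_bundle "$demo"
    echo "certificates inside server.p12:       $(chain_from_bundle "$demo")"
    echo "chain extracted from server.p12:      $(verify_leaf "$demo" "$demo/chain.pem")"
    rm -rf "$demo"
}

main
```

The first verify stands in for a client whose store lacks a usable intermediate: the server cert is genuine but cannot be chained to the root, so it fails.  The last verify feeds in exactly what a server loading server.p12 would present, and succeeds because the intermediate came along inside the bundle.  If the tool you are configuring wants PEM rather than PKCS#12, the equivalent is to concatenate the server cert and the intermediate (server cert first) into one PEM file.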
