I recently purchased a free SSL certificate from Comodo. It came with a certification authority bundle file that contains all of the intermediate certificates as well as the root certificate. When I run the command "openssl s_client -connect www.mydomain.com:443 -showcerts" it shows a certificate path that looks like this:

    depth=4 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root verify return:1
    depth=3 C = US, ST = UT, L = Salt Lake City, O = The USERTRUST Network, OU = http://www.usertrust.com, CN = UTN-USERFirst-Hardware verify return:1
    depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO Certification Authority verify return:1
    depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = EssentialSSL CA verify return:1
    depth=0 OU = Domain Control Validated, OU = Free SSL, CN = www.mydomain.com verify return:1

However, when I go to www.mydomain.com in any browser and look at the certificate presented by the server, it shows the following certificate path (taken from IE9 certificate window):

  1. COMODO
  2. EssentialSSL CA
  3. www.mydomain.com

Notice that there are fewer certificates in the chain (depth of 2 versus 4 from the openssl command), and that the root certificate is the COMODO certificate as opposed to the AddTrust External CA Root certificate. Can someone explain why the browser shows a different path than the openssl command?

Note, in both cases the certificate chain presented by the server passes validation (verify result 0 from openssl, no warnings in the browser).

Derek

1 Answer

IE9 has the Comodo CA as a trusted authority in its trust chain, and therefore doesn't show the signers of the Comodo CA.

OpenSSL s_client -showcerts shows the whole certificate chain.

beny23
  • I would agree with you, except that Firefox does the same thing (shows just the 2-depth certificate chain when my server uses the full chain), and it does not have that particular Comodo CA certificate as a trusted authority. I know this because I tried creating a certificate chain file with just the Comodo and the EssentialSSL CAs, and when I use that IE9 validates properly but Firefox does not. OpenSSL s_client -showcerts shows just those two certificates, and it also validates properly in that case when I use -CAfile Comodo.crt. – Derek Mar 28 '12 at 18:08
  • According to this http://www.mozilla.org/projects/security/certs/included/ Firefox does include Comodo. – beny23 Mar 28 '12 at 18:35
  • Also certs in Firefox can be checked using Tools - Options - Advanced - Encryption - View Certificates and the Comodo one is there in my Firefox. – beny23 Mar 29 '12 at 07:35
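
The answer and the comments come down to which certificate the client already treats as a trust anchor. The script below is an added example, not code from the question or the answer: it builds a toy PKI with made-up names that mirrors this chain (the UTN tier is left out), where the "COMODO" CA exists both as a self-signed root and as a cross-certificate signed by the older "AddTrust" root, then verifies the same leaf against two trust stores and reports how many certificates end up in the path. It assumes OpenSSL 1.1.1 or later (for `verify -show_chain`) and writes everything to a temporary directory.

```shell
#!/bin/sh
# Toy PKI mirroring the question: the leaf's issuer chain ends in a CA that
# exists both as a self-signed root and as a cross-certificate signed by an
# older root. The same leaf is verified against two trust stores and the
# length of the path OpenSSL builds is reported for each.
# Assumes openssl 1.1.1+ (for "verify -show_chain"); all names are made up.
set -e
WORK=$(mktemp -d); cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext

# csr NAME SUBJECT: fresh key pair and certificate request
csr() { openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null; }
# sign NAME ISSUER OUT EXT: issue NAME's request under ISSUER's key
sign() { openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" -CAcreateserial -days 30 -extfile "$4" -out "$3" 2>/dev/null; }

csr addtrust  "/O=Toy AddTrust/CN=Toy AddTrust External CA Root"
csr comodo    "/O=Toy COMODO/CN=Toy COMODO Certification Authority"
csr essential "/O=Toy COMODO/CN=Toy EssentialSSL CA"
csr leaf      "/OU=Domain Control Validated/CN=www.example.test"

# Two self-signed roots, plus a cross-certificate: "comodo" re-issued under addtrust
openssl x509 -req -in addtrust.csr -signkey addtrust.key -days 30 -extfile ca.ext -out addtrust.crt 2>/dev/null
openssl x509 -req -in comodo.csr   -signkey comodo.key   -days 30 -extfile ca.ext -out comodo.crt   2>/dev/null
sign comodo    addtrust  comodo-cross.crt ca.ext
sign essential comodo    essential.crt    ca.ext
sign leaf      essential leaf.crt         leaf.ext

# path_len TRUSTED UNTRUSTED: number of certificates in the path OpenSSL builds
# for leaf.crt (prints 0 when verification fails, since no chain is shown then)
path_len() {
  openssl verify -show_chain -CAfile "$1" -untrusted "$2" leaf.crt 2>/dev/null | grep -c '^depth=' || true
}

# Trust store (a): only the old root, like the openssl run in the question.
# The server must send the cross-cert, and the path runs all the way up to it.
cat essential.crt comodo-cross.crt > chain-long.pem
echo "AddTrust root trusted, cross-cert sent:    $(path_len addtrust.crt chain-long.pem) certs"
# Trust store (b): the newer CA is itself a trust anchor, like the browsers.
# Path building stops there, so the cross-cert is ignored even though it was sent.
echo "COMODO root trusted, same chain sent:      $(path_len comodo.crt chain-long.pem) certs"
# Trust store (a) without the cross-cert cannot reach a trusted root at all.
echo "AddTrust root trusted, cross-cert missing: $(path_len addtrust.crt essential.crt) certs"
```

The three runs report 4, 3 and 0 certificates: the browser displays a shorter path not because the server sent fewer certificates, but because its store already anchors on the newer CA, while a client that only trusts the old root depends on the cross-certificate being sent.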