Certificate chain for imported bundle not as expected
Article ID: 404667
Updated On:
Products
VMware Avi Load Balancer
Issue/Introduction
- When importing a certificate bundle with the full chain, the chain will not necessarily be preserved.
- The certificate chain seen in the UI may be different from the expected chain.
Environment
- Any Avi deployment across all supported versions.
- Environments with cross-signed certificates are susceptible to this issue.
Cause
- Avi uses a custom chaining logic when choosing a parent cert for a given certificate.
- Even when the certificate is imported as a bundle, all the certificates in the bundle are imported as separate certificates.
- Thus, the signing cert for each will be chosen based on our chaining logic.
- The signing cert is chosen based on:
- The Common Name of the Issuer cert
- Later Expiry Date
- Following this logic, for example, if there are 2 Issuer certificates with the Common Name: USERTrust RSA Certification Authority, the one with the later expiry date will be picked.
- Once the signing certificate is identified, we verify the correctness internally using openssl:
openssl verify -partial_chain -trusted <parent_cert> <child_cert> - These steps will then be repeated for the next cert in the chain.
Resolution
- In environments where there are cross-signed certificates, there will be multiple Intermediate/Root certificates with the same Common Name.
- When a certificate goes through the chaining process highlighted above, it is possible a different chain is picked.
- However, the chain that is determined is verified for correctness through openssl as well. This is by design.
Additional Information
- This is most commonly seen in environments which use multiple Sectigo Certificates.
- They have 4 Trust chains with some overlap on the Issuer cert common names.
- However, all the 4 chains are valid.
- Ref: https://support.sectigo.com/articles/Knowledge/Sectigo-Chain-Hierarchy-and-Intermediate-Roots
Feedback
Yes
No
Powered by
