SSL Cert Expire or Caching issue, don't understand
I've seen this before, where an application or browser fails to establish an SSL connection with a "Certificate expired" warning even though the SSL certificate in question is within its validity period. The test routine that actually fails is not a validity test of the end certificate but of the overall trust chain; this is sometimes referred to as a "peer verification" routine.
It might be because you trust an older version of one of the intermediate certificates - in this case it's not the SSL Certificate that is expired, but one of the certificates in the chain that your client builds to test the validity of the certificate:
(3) --- Verisign Root CA
(2) --> Verisign top Intermediate CA
(1) --> Verisign Issuing CA
(0) --> SSL Certificate
If your computer just has the Verisign Root CA certificate (3) in its store of trusted CA certificates, it will rely on the chain of intermediate certs sent by the web server at www.bt.com:443.
If the intermediates - cert (2) and/or (1) in the chain - have been reissued/replaced by newer certificates, but you have the previous version of these certificates stored in your intermediate trust store, the client might try to build the above chain using one of these, and will fail if they've expired.
You can inspect the certificates that Chrome trusts:
- Go to
chrome://settings/
(or click the customize button in the upper right corner and select Settings) - At the bottom, click "Show advanced settings"
- Under HTTPS/SSL, click "Manage Certificate"
- Inspect the contents of the different stores (names and number of trust stores will vary depending on the underlying operating system)
From here, you should be able to import new and remove old certificates as well.
To see the actual certs presented in the chain by the web server, use openssl:
openssl s_client -connect www.bt.com:443 -showcerts
CasperB
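Added example, not part of the answer or the original thread: the Go program below builds a constructed, throw-away hierarchy of the shape described above (a root, an issuing intermediate, and a server certificate for www.example.com; every name, serial and date in it is made up here) and runs Go's crypto/x509 chain verifier against it as the "client". The intermediate exists in two copies with the same name and key pair: the original, which has expired, and a reissued one with new dates. The server certificate itself is well inside its own validity period, which is all an online certificate checker looks at, yet verification with only the stale copy in the intermediate store fails with an expiry error, while verification with the reissued copy succeeds. Go's verifier tries every candidate issuer it is given, so it also succeeds when both copies are stored; handing it only the stale copy is how a client that commits to the old intermediate is modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

type demoPKI struct {
	root    *x509.Certificate
	staleCA *x509.Certificate // intermediate as originally issued, now expired
	freshCA *x509.Certificate // same CA name and key pair, reissued with new dates
	leaf    *x509.Certificate // server certificate, well inside its own validity period
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mustSign issues tmpl for pub under parent, signed with signer, and returns it parsed.
func mustSign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func caTemplate(cn string, serial int64, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: notBefore, NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// buildDemoPKI constructs the throw-away hierarchy (all names and dates are made up).
func buildDemoPKI(now time.Time) demoPKI {
	rootKey, intKey, leafKey := mustKey(), mustKey(), mustKey()
	year := 365 * 24 * time.Hour
	rootTmpl := caTemplate("Demo Root CA", 1, now.Add(-5*year), now.Add(10*year))
	root := mustSign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	// Original intermediate: issued three years ago, expired yesterday.
	stale := mustSign(caTemplate("Demo Issuing CA", 2, now.Add(-3*year), now.Add(-24*time.Hour)),
		root, &intKey.PublicKey, rootKey)
	// Reissued intermediate: identical subject and key, fresh validity window.
	fresh := mustSign(caTemplate("Demo Issuing CA", 3, now.Add(-30*24*time.Hour), now.Add(3*year)),
		root, &intKey.PublicKey, rootKey)
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4), Subject: pkix.Name{CommonName: "www.example.com"},
		DNSNames: []string{"www.example.com"}, NotBefore: now.Add(-7 * 24 * time.Hour), NotAfter: now.Add(year),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// Signed with the intermediate key, so either copy of the intermediate can vouch for it.
	leaf := mustSign(leafTmpl, fresh, &leafKey.PublicKey, intKey)
	return demoPKI{root: root, staleCA: stale, freshCA: fresh, leaf: leaf}
}

// verifyWith is the peer-verification step: chain the leaf to the trusted root using only
// the intermediate certificates this client happens to have stored.
func verifyWith(p demoPKI, now time.Time, stored ...*x509.Certificate) error {
	roots, ints := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.root)
	for _, c := range stored {
		ints.AddCert(c)
	}
	_, err := p.leaf.Verify(x509.VerifyOptions{
		Roots: roots, Intermediates: ints, DNSName: "www.example.com", CurrentTime: now,
	})
	return err
}

// isExpiryError: did verification fail because some certificate in the chain is expired?
func isExpiryError(err error) bool {
	var inv x509.CertificateInvalidError
	return errors.As(err, &inv) && inv.Reason == x509.Expired ||
		err != nil && strings.Contains(err.Error(), "expired")
}

func main() {
	now := time.Now()
	p := buildDemoPKI(now)
	fmt.Println("leaf itself valid now:", now.Before(p.leaf.NotAfter))
	fmt.Println("stale intermediate only:", verifyWith(p, now, p.staleCA))
	fmt.Println("reissued intermediate only:", verifyWith(p, now, p.freshCA))
	fmt.Println("both copies stored:", verifyWith(p, now, p.staleCA, p.freshCA))
}
```

Run it with go run and compare the four outcomes: the "stale intermediate only" line carries an expiry error whose quoted date is the intermediate's NotAfter, not the leaf's, and the error's Cert field points at the intermediate. That mismatch between what the browser reports and what a leaf-only checker reports is exactly the symptom described above.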
Updated on September 18, 2022

Comments
-
CasperB over 1 year
If I visit BT's site in Chrome I get this ... http://imgur.com/b05alsX It looks like the cert has expired. (Similar in Firefox)
BT claim it isn't. https://twitter.com/BTCare/status/440405157999030272
And indeed this page http://www.digicert.com/help/ says expiry "September 24, 2014 (205 days from today)" for "www.bt.com"
One of my devices I saw this on yesterday is now not showing the error. But some of my devices still are. One of my friends has no problems. Basically some work and some don't.
What's going on?
Note I don't work for BT, I just use one of their services. As I do use SSL certs on my own servers I would love to know what is going on.
Is the old cert cached somewhere? Where would this cache be? BT's server level (maybe a load balancer or something), ISP, DNS, device?
Thanks in advance!
-
CasperB about 10 years
support.mozilla.org/en-US/questions/954856 says "This is a query that we come across every day. The client has an old certificate, renewed and installed the new certificate, but the old certificate is still showing. This usually means that the old certificate is still used somewhere within the network, such as a load balancing device or a frontend firewall. Online certificate checkers maybe checking on server/network, while the issue is actually somewhere else."
-