SSL certificate: incorrect order
Your file should contain:
- Your certificate
- The intermediate certificate that signed your certificate
- Any other intermediate certificates, in order
Your file should NOT contain the root certificate.
In other words:
- Cert 0's subject should be you
- Cert 0's issuer should equal cert 1's subject
- Cert 1's issuer should equal cert 2's subject
- ...
- Cert n's issuer should equal the root's subject
- The root's issuer should by definition be equal to its subject (otherwise it's not a root certificate).
Are you using Linux with OpenSSL? If so, I can provide a script to check this.
I just connected to your site using:
$ openssl s_client -showcerts -connect goout.cz:443 2> /dev/null | grep ' [0-9 ] [is]:'
0 s:/serialNumber=01901613/jurisdictionC=CZ/jurisdictionST=Prague/jurisdictionL=Prague 3/businessCategory=Private Organization/C=CZ/postalCode=130 00/ST=Prague/L=Prague 3/street=Husinecka 792/25/O=GoOut s.r.o./OU=Technical/OU=COMODO EV SSL/CN=goout.cz
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Extended Validation Secure Server CA
1 s:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
2 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
i:/C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
3 s:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Extended Validation Secure Server CA
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Certification Authority
^C
It seems you have a file with four certificates, and to get a perfect score you should remove the second one and exchange the last two.
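
The ordering rules listed in the answer above, applied to the `s:`/`i:` listing that `openssl s_client -showcerts` prints. This is an added example, not the script the answerer offered and not part of the original post; `parse_chain`, `check_chain` and the certificate names in `SAMPLE` are constructed for illustration, and subjects and issuers are compared as plain strings.

```python
import re
import sys

# Constructed sample in the "N s:<subject>" / "i:<issuer>" layout shown above.
# Same shape as the reported problem: root at position 1, last two swapped.
SAMPLE = """\
 0 s:/O=Example s.r.o./CN=example.test
   i:/O=Example CA/CN=Example EV Server CA
 1 s:/O=Example Trust/CN=Example External Root
   i:/O=Example Trust/CN=Example External Root
 2 s:/O=Example CA/CN=Example Certification Authority
   i:/O=Example Trust/CN=Example External Root
 3 s:/O=Example CA/CN=Example EV Server CA
   i:/O=Example CA/CN=Example Certification Authority
"""

# A numbered subject line followed by its issuer line; any other output is skipped.
PAIR = re.compile(r"^\s*\d+\s+s:\s*(.*?)\s*\n\s*i:\s*(.*?)\s*$", re.M)

def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(s, i) for s, i in PAIR.findall(text)]

def check_chain(chain):
    """Apply the ordering rules; return (problems, suggested index order)."""
    problems = []
    for n, (subject, issuer) in enumerate(chain):
        if subject == issuer:
            problems.append(f"cert {n} is self-signed (root): remove it")
        if n + 1 < len(chain) and issuer != chain[n + 1][0]:
            problems.append(f"cert {n}'s issuer is not cert {n + 1}'s subject")
    # Rebuild the order by following issuer -> subject links from cert 0,
    # stopping at a self-signed root or when the issuer was not sent at all.
    by_subject = {s: i for i, (s, _) in enumerate(chain)}
    order, seen = [], set()
    i = 0 if chain else None
    while i is not None and i not in seen and chain[i][0] != chain[i][1]:
        order.append(i)
        seen.add(i)
        i = by_subject.get(chain[i][1])
    return problems, order

if __name__ == "__main__":
    # Pipe the openssl listing in on stdin, or run bare to use SAMPLE.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    problems, order = check_chain(parse_chain(text))
    print("\n".join(problems) or "order OK")
    print("suggested order:", order)
```

For the constructed sample the suggested order is `[0, 3, 2]`: drop the second certificate and swap the last two.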
Vojtěch
Updated on September 18, 2022
Comments
-
Vojtěch over 1 year
I have an SSL EV certificate for https://goout.cz. According to this test we are getting A+:
https://www.ssllabs.com/ssltest/analyze.html?viaform=on&d=goout.cz
However, I get a warning for "Incorrect order, Contains Anchor".
But this test: https://cryptoreport.websecurity.symantec.com/checker/views/certCheck.jsp
says: Certificate not installed correctly.
So far I am unable to find the issue. I thought I might have wrongly concatenated the main and intermediate certificates, but I checked that the main certificate is first and the intermediate certificates follow.
Thanks.
-
Vojtěch about 8 years
Thanks for the explanation, this makes sense! Do you know why they put the second certificate (which I removed on your suggestion) in the set of Intermediate certificates whereas it should not be there? Anyway, the cryptoreport is now correct, but ssllabs still says incorrect order :/
-
Law29 about 8 years
I think it was just a cache problem; I just did the ssllabs test on your site and nothing is "incorrect" at all, you have an A+ grade :) As for the root cert in the intermediates . . . no idea!