A common cause of certificate validation failures is a CA chain that has been corrupted. Another is an intermediate certificate that has been removed from the chain. In both cases, the server responsible for proving the validity of its SSL certificate does not send the full chain required to validate that certificate.
As a result, browsers do not trust SSL connections to this server and show a warning when an SSL connection is requested.
Identifying the problem
- Navigate to the GeoCerts testing tool.
- Enter your (CDN) domain in the provided field, leave it on port 443 and hit "Check SSL".
- The resulting chain (if broken) should look like:
Resolution
- Find the offending chain key and click Download to get the missing piece, then add it to your existing installed CA chain.
- Navigate to Edge SSL settings for your zone and place the provided missing certificate in the appropriate place. In this example, the missing part should be placed between the third and fourth certificates:

  -----BEGIN CERTIFICATE-----
  ***************************
  -----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----
  ***************************
  -----END CERTIFICATE-----
  -----BEGIN CERTIFICATE-----
  ***************************
  -----END CERTIFICATE-----

  This is where the missing part should be placed

  -----BEGIN CERTIFICATE-----
  ***************************
  -----END CERTIFICATE-----

- The corrected chain should look like the following:
If you have any questions about the content of this article, please feel free to reach out to the Support Team for assistance. We're available 24/7 for your convenience.