Can a web server obtain SSL server certificates from two or

Can a web server obtain SSL server certificates from two or more certification authorities? Justify your answer.

Solution

SSL (Secure Sockets Layer), and its successor TLS (Transport Layer Security), is the standard protocol for establishing an encrypted link between a client (usually a browser) and a server (usually a web server). The protocol has always had the same job, protecting data in transit; later, more secure revisions kept that role, and although the name changed from SSL to TLS, the X.509 server certificate used by both is still commonly called an "SSL certificate". The primary reason for using such a certificate is to let the client authenticate the server: the certificate binds the server's public key to its domain name and is signed by an independent third party, the certificate authority (CA), whose signing key the client already trusts. Once the server is authenticated, the key exchange that follows gives both sides a session key, and all traffic between them is encrypted and integrity-protected. A certificate bought from a "WebTrust compliant" CA is one whose root is shipped in browser and operating-system trust stores, so the client can verify it with no extra configuration; the client does this by checking the signature chain locally against that trust store, and contacts the CA's servers only to ask whether the certificate has been revoked (via a CRL or OCSP).

A certificate authority's sole purpose is to act as the trusted third party that vouches for the binding between a public key and an identity. It allows the client to have an initial measure of trust in a server's domain name. Understand that the certificate does not encrypt any data itself; it exists only so that a client can check, against a third party it already trusts, whether your domain is "trusted". If you sign your own SSL certificate instead of using an independent CA, clients will get a warning every time they connect to your site (unless each client has been explicitly configured to trust that certificate). The warning will explain that the SSL certificate cannot be verified and the site may not be trusted.

A certificate bought from a trusted CA simply means a client can verify the certificate's validity through a third party. It does not mean the web page data is securely encrypted, does not mean the data on the site is valid, and does not mean the data cannot be compromised on the client or server machines. A domain-validated SSL certificate says only that whoever requested the certificate demonstrated control of the domain it names; this is the simplest check a CA performs when a certificate request is made.

A certificate authority (CA) is the third party against which the remote client's browser verifies your SSL certificate. When connecting, the client negotiates with your web server, and the server sends its certificate (which carries the server's public key) together with any intermediate CA certificates. The client does not need to contact the CA to check authenticity: it verifies the chain of signatures locally, from the server certificate up to a root CA certificate already in its trust store, and consults the CA's servers, via CRL or OCSP, only to learn whether the certificate has been revoked. Once the chain checks out, the client completes the handshake with your web server to establish the encrypted connection.

Yes: a web server can have SSL certificates from more than one CA. Each individual certificate has exactly one issuer, but nothing prevents a server from obtaining separate certificates, for the same name or for the different names it hosts, from different CAs and presenting whichever one suits a given connection (for example by requested hostname or by key type); the client only needs to trust the root of whichever chain it receives. Even a single certificate usually involves several CAs: providers generally use multiple tiers, so a purchased certificate is issued by a subordinate, or issuing, CA rather than by the root CA. Certificate chains work such that an end client only needs to trust the topmost, or root, certificate in the chain to accept the server certificate as valid. But in order to present the full chain to a client, the server must first have the correct intermediate CA certificates loaded (and on Windows, which builds the chain to send from the local store, the right root as well; the root itself need not be sent, since the client already has it). The bottom line is that if you haven't loaded the full certificate chain on the server, some clients will have trouble connecting.

Let us consider VeriSign's chain at the time of writing. If you are using a modern Windows client such as Windows 7 or 2008 R2, you'll see the VeriSign Class 3 Public Primary Certification Authority – G5 certificate, which expires in 2036 and has thumbprint 4e b6 d5 78 49 9b 1c cf 5f 58 1e ad 56 be 3d 9b 67 44 a5 e5, installed in the Trusted Root Certification Authorities store by default. Some extra confusion arises because there is also a VeriSign Class 3 Public Primary Certification Authority – G5 certificate, which expires in 2021 and has thumbprint 32 f3 08 82 62 2b 87 cf 88 56 c6 3d b8 73 df 08 53 b4 dd 27, installed in the Intermediate Certification Authorities store by default. The names of these certificates are identical, but they are clearly different certificates expiring on different dates: the 2036 one is self-signed, while the 2021 one is the same CA cross-signed by an older VeriSign root.

What you'll find after purchasing a VeriSign certificate is that the CA which actually issues your server certificate, VeriSign Class 3 Secure Server CA – G3, is signed by the G5 key, so either of the two G5 certificates can sit above it. This means that there are two different certificate chains you could present to clients, and which one is actually presented depends on how you configure the server. The two options are a three-tier chain (server certificate, G3, and the self-signed 2036 G5 as root) and a four-tier chain (server certificate, G3, the cross-signed 2021 G5 as an intermediate, and the older VeriSign Class 3 Public Primary CA as root). One is a bit longer, but both paths are valid.

So if a client trusts either of the G5 certificates as a root, it will trust any certificate issued by a subordinate CA such as the G3. What ends up happening is that the certificate chain looks correct when a Windows 7 or 2008 R2 client connects, because those operating systems already have the 2036 G5 CA as a trusted root. You'll see only a three-tier chain presented, and the connection will work just fine.

There's nothing actually wrong with this if all you have are newer clients. In fact, that's one advantage of cross-signing: a client can use the shortest certificate chain available to it. But any kind of down-level client, such as Lync Phone Edition, does not trust that newer G5 CA by default. When those devices connect to the site they are presented with the 2036 G5 certificate as the top-level root CA, and since they do not trust that root they drop the connection. To support the lowest common denominator of devices, the chain should actually contain four tiers. Older devices typically have the VeriSign Class 3 Public Primary CA already installed as a trusted root, so presenting the longer chain gives better compatibility.
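The chain-building behaviour described above, and the answer to the question itself (one server holding certificates from two CAs), as a runnable added example that is not code from the original page: it uses Go's standard crypto/x509 package to build a throwaway PKI modelled on the VeriSign story. The CA names ("Old Root CA", "G5 Root CA", "G3 Issuing CA"), the server name www.example.com, and the certificate lifetimes are assumptions; the real thumbprints and expiry dates from the text are not reproduced. Verify plays the role of a client with exactly one trusted root, fed whatever certificates the server chose to send.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Stand-ins (assumed, not from the page): "Old Root CA" is the older root that down-level clients
// trust, "G5 Root CA" the newer root (self-signed and also cross-signed by Old Root), "G3 Issuing CA" the issuer.
const serverName = "www.example.com" // assumed server name
var serial int64                    // serial numbers must be unique per issuer; a counter suffices here

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// template builds a minimal CA or server-certificate template for cn.
func template(cn string, isCA bool) *x509.Certificate {
	serial++
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		t.DNSNames = []string{serverName}
	}
	return t
}

// sign issues tmpl for subject key pub under parentKey; parent == tmpl yields a self-signed root.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// PKI is the hierarchy from the text; the G5 key carries two certificates, self-signed and cross-signed.
type PKI struct {
	OldRoot, G5Self, G5Cross, G3, Leaf, LeafFromOld *x509.Certificate
}

func BuildPKI() *PKI {
	oldKey, g5Key, g3Key, leafKey := newKey(), newKey(), newKey(), newKey()
	oldTmpl, g5Tmpl := template("Old Root CA", true), template("G5 Root CA", true)
	oldRoot := sign(oldTmpl, oldTmpl, &oldKey.PublicKey, oldKey)
	g5Self := sign(g5Tmpl, g5Tmpl, &g5Key.PublicKey, g5Key)
	// Cross-signature: same G5 subject and key as g5Self, but issued by Old Root.
	g5Cross := sign(template("G5 Root CA", true), oldRoot, &g5Key.PublicKey, oldKey)
	g3 := sign(template("G3 Issuing CA", true), g5Self, &g3Key.PublicKey, g5Key)
	leaf := sign(template(serverName, false), g3, &leafKey.PublicKey, g3Key)
	// The same server key also gets a certificate directly from Old Root: one server, two CAs.
	leafFromOld := sign(template(serverName, false), oldRoot, &leafKey.PublicKey, oldKey)
	return &PKI{OldRoot: oldRoot, G5Self: g5Self, G5Cross: g5Cross, G3: g3, Leaf: leaf, LeafFromOld: leafFromOld}
}

// Verify plays a client that trusts exactly one root and receives leaf plus sent; it returns the chain length.
func Verify(leaf, root *x509.Certificate, sent ...*x509.Certificate) (int, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range sent {
		inters.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{DNSName: serverName, Roots: roots, Intermediates: inters})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil // Go tries roots before intermediates, so this is the shortest path
}

func main() {
	p := BuildPKI()
	fmt.Println(Verify(p.Leaf, p.G5Self, p.G3))             // 3 <nil>: newer client, three-tier chain
	fmt.Println(Verify(p.Leaf, p.OldRoot, p.G3))            // 0 plus an unknown-authority error: older client, no cross cert sent
	fmt.Println(Verify(p.Leaf, p.OldRoot, p.G3, p.G5Cross)) // 4 <nil>: older client, four-tier chain through G5Cross
	fmt.Println(Verify(p.Leaf, p.G5Self, p.G3, p.G5Cross))  // 3 <nil>: newer client still takes the short path
	fmt.Println(Verify(p.LeafFromOld, p.OldRoot))           // 2 <nil>: a second certificate for the same server from a different CA
}
```

The second call is the Lync Phone Edition failure from the text: the server omitted the cross-signed G5 certificate, and a client that only trusts the older root has no path to it. The third call shows that sending the cross-signed certificate fixes that client without hurting the newer one (fourth call), and the last call shows the two-CA case the question asks about.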

In order for a server to present the full chain, you must log on to each server hosting the certificate and open the Certificates MMC snap-in for the local computer. Locate the VeriSign Class 3 Public Primary Certification Authority – G5 certificate (the 2036 one) in the Trusted Root Certification Authorities node, right-click it, and open Properties. Select "Disable all purposes for this certificate" and press OK to save your changes.

With the self-signed root disabled, the server can no longer build the short chain and will now present the full one. The big gotcha here is that you can't easily test this from a normal client. If you browse to the site from a Windows 7 client and open the Certification Path tab for the certificate, it will still look the same as before, because Windows 7 also has the VeriSign Class 3 Public Primary Certification Authority – G5 certificate in its Trusted Root Certification Authorities machine store by default, and because it trusts that as a root CA it will build a path ending there regardless of what the server sent. Certificate testing tools found on the Internet aren't much help either, because they too already trust the 2036 G5 certificate. With a path-building client the only way to verify the full chain is to delete or disable that certificate on the client you're testing from; and no, this is not something you should do on multiple machines, it is suggested only for testing. A tool that dumps the raw handshake instead of building a trusted path, such as openssl s_client -showcerts, shows exactly which certificates the server sent and sidesteps the problem. If you're using any kind of SSL decryption at a load balancer to insert cookies for persistence, make sure the load balancer admin has loaded the full chain there as well.

So now you've fixed the chain completely, but after the next Windows Update cycle you'll probably find the G5 certificate enabled again on the server. The automatic root certificate updates for Windows re-enable this certificate for you, which again results in a broken chain for older clients. To prevent this, you can stop automatic root certificate updates from installing via Windows Update; this is controlled through the Group Policy setting "Turn off Automatic Root Certificates Update" under Computer Configuration, Administrative Templates, System, Internet Communication Management, Internet Communication settings. Bear in mind that this also stops the server from receiving new trusted roots, so it should be a deliberate, documented exception rather than a default.
