<p dir="ltr"><br>
> I'm no expert but I think this has to do with a "certificate chain". In theory, the TLS server only needs to give it's own certificate to the TLS client, or it can optionally send other (intermediate) certificates in the chain, to save the client having to go find them. In practice, the client isn't able to locate the intermediate certificates and so the server generally provides all certificates in the chain as a "certificate bundle".<br>
><br>
> Configuring a web server with only the server's land certificate works just fine if there are no intermediate certificates, such as when the server certificate was issued by a root CA because the client already has the for CA in its trusted certificate store.. But if it was issued by an intermediate CA then the intermediate certificate will not be in the store.<br>
><br>
> The web server should be configured with all certificates in the chain, but sometimes it's not. In such cases it may be possible for libssl (and hence Xymon) to obtain the intermediate certificates and validate them, but not a browser.<br>
><br>
> Actually, I suspect that libssl doesn't validate a trust chain anyway, because unlike a browser, libssl probably has no certificate store. So libssl only checks the reasonableness of a certificate and it's expiry date.<br>
><br>
> J<br>
><br>
> On 28/02/2015 2:24 PM, "Ralph Mitchell" <<a href="mailto:ralphmitchell@gmail.com">ralphmitchell@gmail.com</a>> wrote:<br>
>><br>
>> Having the Xymon server validate the intermediate certificates won't help if they're missing off the server that owns the certificate. The Xymon server would have the certs installed and always get a match.<br>
>><br>
>> Where are the intermediate certs missing? Does the web server even start properly if it can't validate its own cert?<br>
>><br>
>> Ralph Mitchell<br>
>><br>
>><br>
>><br>
>> On Thu, Feb 26, 2015 at 1:51 PM, Eli via Xymon <<a href="mailto:xymon@xymon.com">xymon@xymon.com</a>> wrote:<br>
>>><br>
>>> _______________________________________________<br>
>>> Xymon mailing list<br>
>>> <a href="mailto:Xymon@xymon.com">Xymon@xymon.com</a><br>
>>> <a href="http://lists.xymon.com/mailman/listinfo/xymon">http://lists.xymon.com/mailman/listinfo/xymon</a><br>
>>><br>
>>><br>
>>> ---------- Forwarded message ----------<br>
>>> From: Eli <<a href="mailto:eliap09@yahoo.com">eliap09@yahoo.com</a>><br>
>>> To: Mark Felder <<a href="mailto:feld@feld.me">feld@feld.me</a>><br>
>>> Cc: <a href="mailto:xymon@xymon.com">xymon@xymon.com</a><br>
>>> Date: Thu, 26 Feb 2015 11:50:43 -0700<br>
>>> Subject: Re: [Xymon] Intermediate cert monitoring<br>
>>> The issue was missing or not installed. As you know newer browsers doesn't have problem but the older one show cert error when the intermediate cert missing. We have bunch of cert so some time engineers forget to install the intermediate cert and caused issue. <br>
>>><br>
>>><br>
>>> Mark Felder <<a href="mailto:feld@feld.me">feld@feld.me</a>> wrote:<br>
>>><br>
>>> What was the exact problem with the intermediate certificate? What<br>
>>> should be monitored? Maybe we can come up with a way to add additional<br>
>>> monitoring parameters to Xymon's SSL monitoring if we know exactly what<br>
>>> should be monitored.<br>
>>><br>
>>> My first guess is expiration, but I'm not sure if you can sign a cert if<br>
>>> it expires after your intermediate is due to expire. The only other<br>
>>> thought is if the chain was incomplete...<br>
>>> _______________________________________________<br>
>>> Xymon mailing list<br>
>>> <a href="mailto:Xymon@xymon.com">Xymon@xymon.com</a><br>
>>> <a href="http://lists.xymon.com/mailman/listinfo/xymon">http://lists.xymon.com/mailman/listinfo/xymon</a><br>
>>><br>
>><br>
>><br>
>> _______________________________________________<br>
>> Xymon mailing list<br>
>> <a href="mailto:Xymon@xymon.com">Xymon@xymon.com</a><br>
>> <a href="http://lists.xymon.com/mailman/listinfo/xymon">http://lists.xymon.com/mailman/listinfo/xymon</a><br>
>><br>
</p>