SSL Certificate - Certification Path in browser di

2019-05-14 08:58发布

I recently purchased a free SSL certificate from Comodo. It came with a certification authority bundle file that contains all of the intermediate certificates as well as the root certificate. When I run the command "openssl s_client -connect www.mydomain.com:443 -showcerts" it shows a certificate path that looks like this:

depth=4 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root verify return:1

depth=3 C = US, ST = UT, L = Salt Lake City, O = The USERTRUST Network, OU = http://www.usertrust.com, CN = UTN-USERFirst-Hardware verify return:1

depth=2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO Certification Authority verify return:1

depth=1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = EssentialSSL CA verify return:1

depth=0 OU = Domain Control Validated, OU = Free SSL, CN = www.mydomain.com verify return:1

However, when I go to www.mydomain.com in any browser and look at the certificate presented by the server, it shows the following certificate path (taken from IE9 certificate window):

  1. COMODO
  2. EssentialSSL CA
  3. www.mydomain.com

Notice that there are fewer certificates in the chain (depth of 2 versus 4 from the openssl command), and that the root certificate is the COMODO certificate as opposed to the AddTrust External CA Root certificate. Can someone explain why the browser shows a different path than the openssl command?

Note, in both cases the certificate chain presented by the server passes validation (verify result 0 from openssl, no warnings in the browser).

1条回答
来,给爷笑一个
2楼-- · 2019-05-14 09:44

IE9 has the comodo ca as a trusted authority in its trust chain, and therefore doesn't show the signers of the comodo ca.

OpenSSL s_client -showcerts shows the whole certificate chain.

查看更多
登录 后发表回答