On Wed, Jan 19, 2022 at 01:09:09PM -0500, Wayne Spivak wrote:

> This from SSL Labs states "self-signed":

Their report is misleading.

> 1 Sent by server mcq.sbanetweb.com
> Fingerprint SHA256: 1b48d54fd173fa980ca0ba8e2bbb5aabce3bbb9faf67bae4f375816155699efe
> Pin SHA256: D9BrKzFpjkpGhv91bgkZqQIWlqPNIHPHmIhYYwDChGY=
> RSA 2048 bits (e 65537) / SHA256withRSA

The actual certificate list returned consists of just the server
certificate, and is missing the intermediate issuer(s). See below.

> If it is an Intermediate, I refer to my original email, "where am I going
> wrong".

Your certificate file contains only the server certificate; it should,
after the server certificate, which must be listed first, also contain
the certificates of any intermediate or cross certificates needed to
complete the chain to a trusted root CA.

You're missing at least the certificate of the intermediate issuer CA
with a "CommonName" of "Entrust Certification Authority - L1K":

    $ posttls-finger -cC -lsecure '[mcq.sbanetweb.com]'
    posttls-finger: certificate verification failed for mcq.sbanetweb.com[96.224.250.24]:25: untrusted issuer /C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
    posttls-finger: mcq.sbanetweb.com[96.224.250.24]:25: subject_CN=mcq.sbanetweb.com, issuer_CN=Entrust Certification Authority - L1K, fingerprint=1E:69:25:44:74:52:B4:C5:AA:C4:9F:7C:E8:F7:0B:96:A7:35:A9:F6:60:1F:D4:07:30:CD:B3:6B:99:69:88:EC, pkey_fingerprint=89:F7:3F:9B:2F:6F:F1:51:7B:4E:4C:CD:D5:5D:CB:C7:CE:CA:75:C9:CF:D8:73:EB:08:D2:71:1A:48:8E:FC:CD
    posttls-finger: Untrusted TLS connection established to mcq.sbanetweb.com[96.224.250.24]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256
    ---
    Certificate chain
     0 subject: /C=US/ST=New York/L=Bellmore/O=SBA Consulting LTD/CN=mcq.sbanetweb.com
       issuer: /C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
       cert digest=1E:69:25:44:74:52:B4:C5:AA:C4:9F:7C:E8:F7:0B:96:A7:35:A9:F6:60:1F:D4:07:30:CD:B3:6B:99:69:88:EC
       pkey digest=89:F7:3F:9B:2F:6F:F1:51:7B:4E:4C:CD:D5:5D:CB:C7:CE:CA:75:C9:CF:D8:73:EB:08:D2:71:1A:48:8E:FC:CD
--
Viktor.
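
The ordering rule in the reply above (server certificate first, then each issuer in turn) can be checked locally before reloading the mail server. This is an added example, not part of the original message or of Postfix; the function name `chain_check` and its return codes are assumptions of this sketch, and it needs the `openssl` command-line tool.

```shell
#!/bin/sh
# chain_check FILE - added example: check the order of a PEM certificate file.
# Return codes (this function's own convention):
#   0  leaf first, each certificate issued by the next one in the file
#   1  only one certificate, and it is not self-issued: issuer(s) missing
#   2  out of order: some certificate is not issued by the one after it
#   3  no certificate found
# It compares issuer/subject name hashes only; it does not check signatures
# or whether the last issuer is a root that the client trusts.
chain_check() {
    cc_tmp=$(mktemp -d) || return 3
    # Split the file into cert.1, cert.2, ... (one PEM block each).
    awk -v d="$cc_tmp" '
        /-----BEGIN CERTIFICATE-----/ { n++; on = 1 }
        on { print > (d "/cert." n) }
        /-----END CERTIFICATE-----/   { on = 0 }' "$1"
    cc_i=1 cc_rc=0 cc_prev=
    while [ -f "$cc_tmp/cert.$cc_i" ]; do
        cc_subj=$(openssl x509 -in "$cc_tmp/cert.$cc_i" -noout -subject_hash)
        cc_issr=$(openssl x509 -in "$cc_tmp/cert.$cc_i" -noout -issuer_hash)
        # One line per certificate, numbered from 0 like the chain listing.
        echo "$((cc_i - 1)) $(openssl x509 -in "$cc_tmp/cert.$cc_i" -noout -subject)"
        # The previous certificate must name this one as its issuer.
        if [ -n "$cc_prev" ] && [ "$cc_prev" != "$cc_subj" ]; then cc_rc=2; fi
        cc_prev=$cc_issr
        cc_i=$((cc_i + 1))
    done
    rm -rf "$cc_tmp"
    cc_n=$((cc_i - 1))
    if [ "$cc_n" -eq 0 ]; then return 3; fi
    if [ "$cc_rc" -eq 2 ]; then return 2; fi
    # A lone certificate issued by someone else is the case in this thread.
    if [ "$cc_n" -eq 1 ] && [ "$cc_subj" != "$cc_issr" ]; then return 1; fi
    return 0
}
```

A return of 0 only means the file is internally consistent; a remote check such as the `posttls-finger` run above still decides whether the chain reaches a trusted root.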