On Wed, Jan 19, 2022 at 01:09:09PM -0500, Wayne Spivak wrote:

> This from SSL Labs states "self-signed":

Their report is misleading.

> 1     Sent by server  mcq.sbanetweb.com
> Fingerprint SHA256:
> 1b48d54fd173fa980ca0ba8e2bbb5aabce3bbb9faf67bae4f375816155699efe
> Pin SHA256: D9BrKzFpjkpGhv91bgkZqQIWlqPNIHPHmIhYYwDChGY=
> RSA 2048 bits (e 65537) / SHA256withRSA

The actual certificate list returned consists of just the server
certificate, and is missing the intermediate issuer(s).  See below.

> If it is an Intermediate, I refer to my original email, "where am I going
> wrong".

Your certificate file contains only the server certificate; it should,
after the server certificate, which must be listed first, also contain
the certificates of any intermediate or cross certificates needed to
complete the chain to a trusted root CA.

You're missing at least the certificate of the intermediate issuer CA
with a "CommonName" of "Entrust Certification Authority - L1K":

    $ posttls-finger -cC -lsecure '[mcq.sbanetweb.com]'
    posttls-finger: certificate verification failed for mcq.sbanetweb.com[96.224.250.24]:25: untrusted issuer /C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
    posttls-finger: mcq.sbanetweb.com[96.224.250.24]:25: subject_CN=mcq.sbanetweb.com, issuer_CN=Entrust Certification Authority - L1K, fingerprint=1E:69:25:44:74:52:B4:C5:AA:C4:9F:7C:E8:F7:0B:96:A7:35:A9:F6:60:1F:D4:07:30:CD:B3:6B:99:69:88:EC, pkey_fingerprint=89:F7:3F:9B:2F:6F:F1:51:7B:4E:4C:CD:D5:5D:CB:C7:CE:CA:75:C9:CF:D8:73:EB:08:D2:71:1A:48:8E:FC:CD
    posttls-finger: Untrusted TLS connection established to mcq.sbanetweb.com[96.224.250.24]:25: TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256

    ---
    Certificate chain
     0 subject: /C=US/ST=New York/L=Bellmore/O=SBA  Consulting LTD/CN=mcq.sbanetweb.com
        issuer: /C=US/O=Entrust, Inc./OU=See www.entrust.net/legal-terms/OU=(c) 2012 Entrust, Inc. - for authorized use only/CN=Entrust Certification Authority - L1K
       cert digest=1E:69:25:44:74:52:B4:C5:AA:C4:9F:7C:E8:F7:0B:96:A7:35:A9:F6:60:1F:D4:07:30:CD:B3:6B:99:69:88:EC
       pkey digest=89:F7:3F:9B:2F:6F:F1:51:7B:4E:4C:CD:D5:5D:CB:C7:CE:CA:75:C9:CF:D8:73:EB:08:D2:71:1A:48:8E:FC:CD

-- 
    Viktor.
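
An added example, not part of the original message: a standard-library check that a PEM chain file lists the server certificate first, that each following certificate is the issuer of the one before it, and that the last issuer is a known root. It compares issuer and subject names only and verifies no signatures; `check_chain_file`, `fake_cert` and the "Example" names are hypothetical, and the test certificates are constructed DER skeletons rather than real certificates.

```python
import base64, re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def tlv(buf, pos):
    """Read one DER element at pos: return (tag, value_start, element_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(der):
    """Return (issuer, subject) of an X.509 certificate as raw DER Name bytes."""
    _, pos, _ = tlv(der, 0)                # Certificate SEQUENCE
    _, pos, end = tlv(der, pos)            # tbsCertificate SEQUENCE
    fields = []
    while pos < end:
        tag, _, nxt = tlv(der, pos)
        fields.append((tag, der[pos:nxt]))
        pos = nxt
    if fields[0][0] == 0xA0:               # optional [0] version
        fields.pop(0)
    return fields[2][1], fields[4][1]      # serial, sigAlg, issuer, validity, subject

def check_chain_file(pem_text, trusted_root_names):
    """Return a list of problems with the order/completeness of a chain file."""
    certs = [names(base64.b64decode(b)) for b in PEM_RE.findall(pem_text)]
    if not certs:
        return ["no certificates found"]
    problems = []
    for i in range(len(certs) - 1):
        if certs[i][0] != certs[i + 1][1]:  # byte-wise name match (simplification)
            problems.append(f"cert {i + 1} is not the issuer of cert {i}")
    last_issuer, last_subject = certs[-1]
    if last_issuer != last_subject and last_issuer not in trusted_root_names:
        problems.append("issuer of last cert is neither in the file nor a trusted root")
    return problems

# Constructed DER skeletons (not real certificates) so the example runs offline.
def enc(tag, body):
    return bytes([tag, len(body)]) + body
def fake_cert(subject, issuer):
    tbs = (enc(0xA0, enc(2, b"\x02")) + enc(2, b"\x01") + enc(0x30, b"")
           + enc(0x30, issuer) + enc(0x30, b"") + enc(0x30, subject))
    body = base64.b64encode(enc(0x30, enc(0x30, tbs))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

LEAF = fake_cert(b"CN=mail.example.com", b"CN=Example Intermediate CA")
print(check_chain_file(LEAF, {enc(0x30, b"CN=Example Root CA")}))
```

A leaf-only file, as in the case discussed above, is reported as having an issuer that is neither in the file nor a trusted root.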
