Reputation: 724
Recently, I tried accessing an HTTPS website through java. I encountered an error about the SSL saying that
unable to find valid certification path to requested target
I tried checking my trust store, and the root certificate and the intermediate CA which is signed by the root CA are also installed. The only thing not there is another intermediate CA, which is the one used to sign the website's certificate.
I tried installing the intermediate CA and that made things work. I am wondering, why is it necessary to install the intermediate CA? Doesn't it somehow acquire that from somewhere without installing it in my trust store?
Upvotes: 12
Views: 15825
Reputation: 430
The intermediate certificate is the immediate signatory of the server certificate. So in order to create a trust chain, the client verifies the certificate up to its root certificate, which is self-signed.
If the server does not send the intermediate certificates along with the main domain certificate, the browsers will start throwing an error stating "Certificate Authority Invalid", because it was expecting the intermediate certificate which has signed the domain certificate but got just the domain certificate.
Upvotes: 2
Reputation: 159155
Why is it necessary to install the intermediate CA?
Because the HTTPS web server is misconfigured.
It is supposed to send the certificate chain, up to but excluding the root certificate.
Whoever configured the web server didn't do that, so if you don't have the chain installed locally, there is a missing link in the chain.
The correct solution is for the web server administrator to correctly configure the server. The workaround is what you've done, i.e. install the missing intermediate certificates locally, so Java can verify the full chain.
Upvotes: 20
Reputation: 384
The intermediate certificate is one (or more) between the one in your trust store and the one published on the server. The CA you obtained your SSL certificate from should have provided this for you (usually a 'cabundle' file). This needs to be installed on the server.
For Apache you need to specify the SSLCertificateChainFile in older versions, or in 2.4 and later append the contents of the cabundle file to the certificate file.
For Nginx you need to append the contents of the cabundle file to the certificate file.
For SSL to validate, it needs the entire chain of trust to be valid, for example
Root CA (in your browser) -> Intermediate Certificates (if any) -> Your certificate
If the intermediate certs are missing the client can not verify the certificate is valid.
Upvotes: 4
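The two preceding answers make the same point from both sides: the client needs the intermediate to build a path to its trust anchor, so either the server sends it (the correct fix, the concatenated "fullchain" file Apache 2.4 and Nginx expect) or the client installs it locally (the workaround from the question). The script below is an added example, not code from the question or any of the answers. It builds a throwaway root / intermediate / leaf hierarchy with openssl and then runs the same verification a client does in the three situations discussed: leaf alone against the trust store (fails with "unable to get local issuer certificate", the openssl wording of the Java error in the question), leaf plus intermediate as a correctly configured server would send it, and leaf with the intermediate supplied locally. The subject names, `www.example.test`, the file names and the `WORK` directory are illustrative assumptions; it assumes `openssl` is on the PATH.

```shell
#!/bin/sh
# Added example (not from the original question or answers): a throwaway
# three-tier PKI built with openssl, used to show why a leaf certificate
# cannot be verified when the intermediate that signed it is missing, and
# that shipping the intermediate with the leaf fixes it.
# All names, subjects and file names are illustrative assumptions.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Issue a certificate from a CSR, signed by an issuer cert/key, with the
# extensions in the given file (so openssl treats CA certs as real CAs).
issue() { # issue <csr> <issuer cert> <issuer key> <extfile> <out>
    openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
        -days 365 -extfile "$4" -out "$5" >/dev/null 2>&1
}

# Root CA (self-signed) -> intermediate CA (signed by root) -> leaf (signed by intermediate)
make_pki() {
    cd "$WORK"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:www.example.test\n' > leaf.ext
    for name in root int leaf; do
        openssl genrsa -out "$name.key" 2048 >/dev/null 2>&1
    done
    openssl req -new -key root.key -subj "/CN=Example Root CA" -out root.csr 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -days 365 -extfile ca.ext -out root.pem >/dev/null 2>&1
    openssl req -new -key int.key -subj "/CN=Example Intermediate CA" -out int.csr 2>/dev/null
    issue int.csr root.pem root.key ca.ext int.pem
    openssl req -new -key leaf.key -subj "/CN=www.example.test" -out leaf.csr 2>/dev/null
    issue leaf.csr int.pem int.key leaf.ext leaf.pem
    # What a correctly configured server presents: leaf first, then the
    # intermediate(s), root excluded. This is the Apache 2.4 / Nginx
    # "append the cabundle to the certificate file" layout.
    cat leaf.pem int.pem > fullchain.pem
}

# Verify a leaf the way a client does: root.pem is the only trust anchor,
# and the optional second argument plays the role of the certificates the
# server presented (or, equivalently, extra certs the client obtained).
# Prints "ok", "missing-intermediate", or "other: <openssl message>".
chain_result() { # chain_result <leaf> [presented-chain]
    leaf="$WORK/$1"
    if [ -n "${2:-}" ]; then
        out=$(openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/$2" "$leaf" 2>&1) && { echo ok; return 0; }
    else
        out=$(openssl verify -CAfile "$WORK/root.pem" "$leaf" 2>&1) && { echo ok; return 0; }
    fi
    case "$out" in
        *"unable to get local issuer certificate"*) echo missing-intermediate ;;
        *) echo "other: $out" ;;
    esac
    return 1
}

main() {
    make_pki
    echo "leaf only, root in trust store (misconfigured server): $(chain_result leaf.pem)"
    echo "leaf + intermediate sent by server (correct fix):       $(chain_result leaf.pem fullchain.pem)"
    echo "leaf only, intermediate supplied locally (workaround):  $(chain_result leaf.pem int.pem)"
}

main
```

The middle case is what the server administrator should deliver; the last case is the question's workaround, and for Java the local copy would go into the trust store with something like `keytool -importcert -trustcacerts -alias example-int -file int.pem -keystore <truststore>`. The `-untrusted` flag matters: it hands openssl the intermediate as a path-building aid without making it a trust anchor, which is exactly how a TLS client treats certificates the server sends along with its own.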