John

Reputation: 2922

Why does SSLLabs say my certificate is fine when my CA's cert is expired?

I did a scan of my domain using ssllabs.com, and this is what it says:

[screenshot: ssllabs.com scan result for the domain, with the expired USERTrust RSA Certification Authority certificate highlighted in red]

From what I can tell, one of my CAs is USERTrust RSA Certification Authority, and their certificate is expired, which SSLLabs flagged red, but it still says that there are no chain issues, and no browsers complain about talking to my domain.

I did the check after curl was complaining about an expired cert when talking to my domain, which may or may not be related.

What's going on here? How can an expired CA certificate not be a problem?

Upvotes: 0

Views: 247

Answers (1)

Steffen Ullrich

Reputation: 123375

The expired certificate is actually not used for validation. It is unnecessarily sent by your server, i.e. you could remove it from the certificate chain you send, since modern systems have a trusted CA built in which effectively replaces this expired intermediate CA. For more details see for example USERTrust Intermediate Expiration in 2020. To cite:

This is an old intermediate certificate and modern operating systems have a new version available and won't be affected. ... Based on what we know, equipment released or receiving security updates after June 2010 will most likely not be affected. ...

Upvotes: 2
