 

How does the browser deal with missing intermediate certs

Tags: curl, ssl

I've come across the site https://alpower.com, this site is only providing its own site certificate. Because of this I can't access the site properly with cURL as the cacerts used are only root certificates.

The site is accessible in Firefox however. How exactly is Firefox able to verify the site's identity whereas cURL isn't?

Jonny Barnes asked Oct 20 '25 04:10


2 Answers

Browsers will cache intermediate certificates. So if the missing certificate was already provided by another site the browser will have it already and will use it. But, if you use a fresh browser profile you might get the same problems as you get with curl, because the intermediate certificate is not cached.

This is at least how it works with Firefox. Other browsers might look into the Authority Information Access section of the certificate and if they find the URL of the issuer certificate they will download the certificate to continue with the chain verification.

Steffen Ullrich answered Oct 22 '25 21:10


Most browsers are using the AIA information embedded in the certificate (see comment on browser exceptions).

To expose the URL of the CA Issuer with openssl:

openssl x509 -in "YOUR_CERT.pem" -noout -text

There is a section Authority Information Access with CA Issuers - URI which would be the "parent" certificate (intermediate or root certificate).

This can be reproduced up to the root CA.


In a gist:

ssl_endpoint=<ENDPOINT:443>
# host part only, used for SNI: without it many servers present a different (or no) certificate
sni_host="${ssl_endpoint%%:*}"

# first, get the endpoint cert (openssl x509 keeps only the first PEM block, i.e. the leaf)
echo | openssl s_client -showcerts -servername "$sni_host" -connect "$ssl_endpoint" 2>/dev/null \
  | openssl x509 -outform PEM > endpoint.cert.pem

# then extract the intermediate cert URI from the Authority Information Access extension
intermediate_cert_uri=$(openssl x509 -in endpoint.cert.pem -noout -text | sed -n 's/.*CA Issuers - URI://p' | head -n1)

# and get the intermediate cert (AIA targets are normally DER; convert to PEM)
curl -s "${intermediate_cert_uri}" | openssl x509 -outform PEM -inform DER > intermediate.cert.pem
jobwat answered Oct 22 '25 22:10
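The following script is an added example and not code from either answer. It shows end to end what Steffen Ullrich describes (a verifier that follows the AIA "CA Issuers" pointer when the server omits the intermediate) and carries jobwat's one-step fetch through "up to the root CA" as a loop. So that it runs offline, a three-tier PKI (root, intermediate, leaf for www.example) is generated on the spot, and the HTTP download is replaced by a lookup in a local directory that plays the CA's AIA web server; the host pki.example and the file names are made up for the demo.

```bash
#!/usr/bin/env bash
# Added example, not code from the answers above. Everything below is constructed:
# the PKI, the host pki.example, and the directory that stands in for the AIA server.
set -eu
work=$(mktemp -d); cd "$work"

# --- constructed PKI: root -> intermediate -> leaf (www.example) --------------
cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_intermediate ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
authorityInfoAccess = caIssuers;URI:http://pki.example/root.crt
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example
authorityKeyIdentifier = keyid
authorityInfoAccess = caIssuers;URI:http://pki.example/intermediate.crt
EOF

newkey="-newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes"
openssl req -x509 -new $newkey -keyout root.key -out root.pem -days 2 \
  -subj "/CN=Demo Root CA" -config demo.cnf -extensions v3_ca 2>/dev/null
openssl req -new $newkey -keyout int.key -out int.csr \
  -subj "/CN=Demo Intermediate CA" -config demo.cnf 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -out int.pem -days 2 -extfile demo.cnf -extensions v3_intermediate 2>/dev/null
openssl req -new $newkey -keyout leaf.key -out leaf.csr \
  -subj "/CN=www.example" -config demo.cnf 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
  -out leaf.pem -days 2 -extfile demo.cnf -extensions v3_leaf 2>/dev/null

# The simulated AIA web server: CA issuer certs are normally published as DER.
mkdir aia_repo
openssl x509 -in int.pem -outform DER -out aia_repo/intermediate.crt
openssl x509 -in root.pem -outform DER -out aia_repo/root.crt

# --- the AIA walk -------------------------------------------------------------
aia_uri() {  # print the CA Issuers URI of a PEM cert, or nothing if it has none
  openssl x509 -in "$1" -noout -text | sed -n 's/.*CA Issuers - URI://p' | head -n1
}

fetch_issuer() {  # $1 = URI, $2 = output PEM; stands in for `curl -s "$1"`
  local blob="aia_repo/${1##*/}"
  # AIA targets are usually DER, but some CAs publish PEM: accept both
  openssl x509 -inform DER -in "$blob" -out "$2" 2>/dev/null ||
    openssl x509 -inform PEM -in "$blob" -out "$2"
}

is_self_signed() {  # subject name equals issuer name
  [ "$(openssl x509 -noout -subject_hash -in "$1")" = \
    "$(openssl x509 -noout -issuer_hash -in "$1")" ]
}

build_chain() {  # $1 = leaf PEM, $2 = output bundle of fetched intermediates
  local cert="$1" uri n=0
  : > "$2"
  while uri=$(aia_uri "$cert") && [ -n "$uri" ] && [ "$n" -lt 8 ]; do
    n=$((n + 1))
    fetch_issuer "$uri" "issuer$n.pem"
    # A self-signed cert at the top is the trust anchor. It must come from the
    # local store; a root downloaded from a URL the cert itself names proves nothing.
    is_self_signed "issuer$n.pem" && break
    cat "issuer$n.pem" >> "$2"
    cert="issuer$n.pem"
  done
}

verify_leaf() {  # $1 = leaf PEM, $2 = bundle of untrusted intermediates, or ""
  if [ -n "$2" ]; then
    openssl verify -CAfile root.pem -untrusted "$2" "$1"
  else
    openssl verify -CAfile root.pem "$1"
  fi
}

echo "-- server sends only its own cert (what curl sees):"
verify_leaf leaf.pem "" 2>&1 || true
echo "-- after walking AIA (what an AIA-fetching browser sees):"
build_chain leaf.pem chain.pem
verify_leaf leaf.pem chain.pem
```

The loop stops as soon as the fetched certificate is self-signed, and that certificate is never added to the chain: the root has to be in the local trust store (`-CAfile`), otherwise anyone who controls the AIA URL could complete a chain to a root of their choosing. The cap of eight hops guards against a certificate whose AIA pointer loops. Note that the first `openssl verify` fails with "unable to get local issuer certificate", the same condition curl reports for the site in the question; the fix on the server side is simply to send the intermediate.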