[openssl-users] CA design question?
Walter H.
Walter.H at mathemainzel.info
Sat Dec 5 18:55:50 UTC 2015
Hello,
my website has an official SSL certificate, which I renewed this year to
have a SHA-256 certificate;
when I test my site with SSLLabs.com, it shows two certificate paths:
the first one:
  - my SSL cert (SHA-256), sent by server (SHA1 Fingerprint: 0fae9fd23852fb834fe4f32d7d3c73714daa6aa9)
  - the intermediate (SHA-256), sent by server (SHA1 Fingerprint: 064969b7f4d6a74fd098be59d379fae429a906fb)
  - the self-signed (SHA-256), in trust store (SHA1 Fingerprint: a3f1333fe242bfcfc5d14e8f394298406810d1a0)
the second one:
  - my SSL cert (SHA-256), sent by server (SHA1 Fingerprint: 0fae9fd23852fb834fe4f32d7d3c73714daa6aa9)
  - the intermediate (SHA-256), sent by server (SHA1 Fingerprint: 064969b7f4d6a74fd098be59d379fae429a906fb)
  - the self-signed (SHA-1), in trust store (SHA1 Fingerprint: 3e2bf7f2031b96f38ce6c4d8a85d3e2d58476a0f)
Before I renewed the SSL certificate, my server sent an intermediate with
SHA-1. I then just exchanged this intermediate certificate for one with
SHA-256, and with this I had the following situation:
before exchanging the intermediate, path one:
  - my SSL cert (SHA-1), sent by server (SHA1 Fingerprint: ...)
  - the intermediate (SHA-1), sent by server (SHA1 Fingerprint: ...)
  - the self-signed (SHA-256), in trust store (SHA1 Fingerprint: a3f1333fe242bfcfc5d14e8f394298406810d1a0)
before exchanging the intermediate, path two:
  - my SSL cert (SHA-1), sent by server (SHA1 Fingerprint: ...)
  - the intermediate (SHA-1), sent by server (SHA1 Fingerprint: ...)
  - the self-signed (SHA-1), in trust store (SHA1 Fingerprint: 3e2bf7f2031b96f38ce6c4d8a85d3e2d58476a0f)
after exchanging the intermediate, path one:
  - my SSL cert (SHA-1), sent by server (SHA1 Fingerprint: ...)
  - the intermediate (SHA-256), sent by server (SHA1 Fingerprint: 064969b7f4d6a74fd098be59d379fae429a906fb)
  - the self-signed (SHA-256), in trust store (SHA1 Fingerprint: a3f1333fe242bfcfc5d14e8f394298406810d1a0)
after exchanging the intermediate, path two:
  - my SSL cert (SHA-1), sent by server (SHA1 Fingerprint: ...)
  - the intermediate (SHA-256), sent by server (SHA1 Fingerprint: 064969b7f4d6a74fd098be59d379fae429a906fb)
  - the self-signed (SHA-1), in trust store (SHA1 Fingerprint: 3e2bf7f2031b96f38ce6c4d8a85d3e2d58476a0f)
Now my question: how would it be possible to generate an SSL certificate
that can be used with two different certificate paths?
Thanks,
Walter
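As an added example (Go, written for this page; not part of the original post or of OpenSSL), here is a constructed hierarchy that reproduces the two paths above: one root key pair appears in two distinct self-signed root certificates, both placed in the trust store, so the single intermediate the server sends validates to either root. All names are made up, and the two roots differ only by serial number here rather than by SHA-1 vs SHA-256 signature, which keeps the example within what current Go signs and verifies; ChainCount returns 2 with both roots trusted and 1 with either root alone.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// tmpl builds a minimal template; keyCertSign marks the certificate as a CA.
func tmpl(cn string, serial int64, ku x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: ku, IsCA: ku&x509.KeyUsageCertSign != 0, BasicConstraintsValid: true}
}
// sign issues template t under parent with the parent's private key and parses the result.
func sign(t, parent *x509.Certificate, pub interface{}, priv *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	c, _ := x509.ParseCertificate(der) // DER fresh from CreateCertificate always parses
	return c
}
// BuildPKI: one root key pair behind two distinct self-signed roots, one intermediate, one leaf.
func BuildPKI() (rootOld, rootNew, inter, leaf *x509.Certificate) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only if the system RNG does
	interKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	// Same subject and key in both roots; only the serial differs (in the post: SHA-1 vs SHA-256 signature).
	oldT, newT := tmpl("Example Root CA", 1, x509.KeyUsageCertSign), tmpl("Example Root CA", 2, x509.KeyUsageCertSign)
	rootOld = sign(oldT, oldT, &rootKey.PublicKey, rootKey)
	rootNew = sign(newT, newT, &rootKey.PublicKey, rootKey)
	inter = sign(tmpl("Example Intermediate CA", 3, x509.KeyUsageCertSign), rootNew, &interKey.PublicKey, rootKey)
	leaf = sign(tmpl("www.example.test", 4, x509.KeyUsageDigitalSignature), inter, &leafKey.PublicKey, interKey)
	return
}
// ChainCount: number of paths validating leaf (server sends only inter) against trusted; 0 on failure.
func ChainCount(leaf, inter *x509.Certificate, trusted ...*x509.Certificate) int {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range trusted {
		roots.AddCert(r)
	}
	inters.AddCert(inter)
	chains, _ := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return len(chains)
}
```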