[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Intermediate Certificates

Posted on 2011-03-01
3
Medium Priority
?
745 Views
Last Modified: 2012-05-11
2 years back, I have been provided with .cer (SSL Certificate )and .pfx( Digital Signing Certificate) file by the vendor to connect to an Webservice .

While coding in VC++ I used ".pk8" or "".pem"for the testing after converting the cer using openSSL and was able to make connection in dev and production.

Now after 2 years, I have got an "Intermediate Certificate" from the vendor. I wanted to know since we have never installed certificates in production server browser as the process calls the private and public keys from the files stored locally , extracted from root certificates and those  certificates were not installed on the server browser, so I really need "Intermediate Certificates"?
 I am able to connect to in development without the use of intermediate certificates. am I missing anything?

0
Comment
Question by:rbhargaw
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 33

Accepted Solution

by:
Dave Howe earned 2000 total points
ID: 35009658
This is actually an interesting question.

historically, it was down to the server to deliver not only the end use certificate but also any intermediate certificates needed to complete the certification chain.

More recently though, modern certificates seem to *assume* that an intermediate certificate will be required, and provide, not that certificate, but a reference within the end use certificate to where the intermediate certificate can be found. It is then down to the relying client to obtain the intermediate certificate from the URI supplied, using the embedded reference.

Not all old browsers support this however, so you may see cases where an older browser (or ssl library) refuses a valid certificate because the intermediate was not supplied and it does not respect the embedded URI that could be used to obtain it.  In such cases, you can obtain and import the certificate manually to complete the authentication (this is painful, but from a security point of view it might be better than trusting not only every root ca in your store, but a potentially unlimited number of intermediates; sadly they could still achieve validity even in such older browsers by supplying the intermediate in the ssl handshake)
0
 

Author Comment

by:rbhargaw
ID: 35011503
Thanks Dave! So do think I ask the support team to just install the certificates?
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 35012175
depends on the server. normally though, the process from a commercial CA is that you generate a local CSR file, which you upload to the CA; you get back from that a CER file (actually a DER or PEM encoded certificate) which you then import into the system that generated the CSR, and it combines it (internally) with the secret key to form a pair.

That can then be exported as a pkcs #12 (p12 or pfx) file, but usually isn't (other than for backup purposes) as usually the system generating the CSR is also the server that will be using it.
0

Featured Post

Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This tutorial will show you how to add an attribute to an XML (http://en.wikipedia.org/wiki/XML) stream returned from a Windows Communication Foundation (http://en.wikipedia.org/wiki/Windows_Communication_Foundation) (WCF) Web Service.  Some knowled…
Microservice architecture adoption brings many advantages, but can add intricacy. Selecting the right orchestration tool is most important for business specific needs.
Have you created a query with information for a calendar? ... and then, abra-cadabra, the calendar is done?! I am going to show you how to make that happen. Visualize your data!  ... really see it To use the code to create a calendar from a q…
Please read the paragraph below before following the instructions in the video — there are important caveats in the paragraph that I did not mention in the video. If your PaperPort 12 or PaperPort 14 is failing to start, or crashing, or hanging, …

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question