Solved

SSL checker internal

Posted on 2016-10-28
Last Modified: 2016-11-13
I have a website that is accessible only to my internal users. The website is showing an untrusted certificate error when accessed from one particular 2012 server. This started as a result of the GlobalSign cert issue recently highlighted in the news.
Is there anything I can download which will tell me if it's a root issue or an intermediate issue? Thanks.
Question by:Sid_F

Expert Comment

by:btan
ID: 41864892
You may consider Certutil.

A tool for administrators who manage the set of trusted root certificates in their enterprise environment. Administrators can view and select the set of trusted root certificates, export them to a serialized certificate store, and distribute them by using Group Policy.
E.g. CertUtil [Options] -syncWithWU DestinationDir
https://technet.microsoft.com/en-us/library/dn265983(v=ws.11).aspx#BKMK_CertUtilOptions

Check the certificate state against CA CRL or chain
E.g. CertUtil [Options] -verify CRLFile CACertFile [IssuedCertFile]
Where,
CRLFile: CRL to verify
IssuedCertFile: optional issued certificate covered by CRLFile

https://technet.microsoft.com/en-in/library/cc732443.aspx#BKMK_verify


Another tool is OpenSSL.
If you have the server certificate chain saved in a file, you can provide it to the OpenSSL "verify" command using the "-untrusted" option as shown below:

C:\Users\fyicenter>\local\openssl-win32\bin\openssl.exe

OpenSSL> verify -untrusted twitter_chain.pem twitter.pem
twitter.pem: C = US, O = DigiCert Inc, OU = www.digicert.com,
   CN = DigiCert SHA2 Extended Validation Server CA
error 20 at 1 depth lookup:unable to get local issuer certificate
error in verify

This tells us that validation failed when locating the certificate of the issuer that appears on the intermediate CA certificate.
http://certificate.fyicenter.com/156_OpenSSL_verify-untrusted_-Specify_Untrusted_Certificate.html
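Added example, not part of the original thread or any poster's code: a small Python helper that reads "openssl verify" output like the output quoted in the answer above and uses the error code and depth to tell whether the intermediate or the root is what the machine cannot find. The function names, verdict labels and the intranet.example.test sample are assumptions made for illustration, and the verdicts assume a server certificate -> intermediate -> root chain (with more tiers, a depth of 1 or more means the next CA up).

```python
import re
import subprocess

# Matches both older ("lookup:unable ...") and newer ("lookup: unable ...") OpenSSL output.
ERROR_LINE = re.compile(r"error (\d+) at (\d+) depth lookup:\s*(.+)")

def classify(verify_output):
    """Map `openssl verify` output to (verdict, depth, explanation)."""
    m = ERROR_LINE.search(verify_output)
    if m is None:
        ok = re.search(r":\s*OK\s*$", verify_output, re.MULTILINE)
        return ("ok", None, "chain verified") if ok else ("unknown", None, "no verify result found")
    code, depth, text = int(m.group(1)), int(m.group(2)), m.group(3).strip()
    if code in (2, 20, 21):  # the issuer of the certificate at `depth` could not be found
        if depth == 0:
            return ("missing-intermediate", depth, "issuer of the server certificate not found: " + text)
        # The server cert chained to its intermediate; that CA's own issuer is not trusted locally.
        return ("missing-root", depth, "issuer of the CA certificate at depth %d not found: %s" % (depth, text))
    if code == 19:  # a self-signed root was supplied in the chain but is not in the trust store
        return ("untrusted-root", depth, "root is in the chain but not trusted here: " + text)
    return ("other", depth, text)  # expiry, revocation, etc.: not a missing-issuer problem

def diagnose(leaf_pem, chain_pem, openssl="openssl"):
    """Run the check shown in the answer above and classify it (requires OpenSSL on PATH)."""
    proc = subprocess.run([openssl, "verify", "-untrusted", chain_pem, leaf_pem],
                          capture_output=True, text=True)
    return classify(proc.stdout + proc.stderr)

# Output quoted in the answer above.
PAGE_OUTPUT = """twitter.pem: C = US, O = DigiCert Inc, OU = www.digicert.com,
   CN = DigiCert SHA2 Extended Validation Server CA
error 20 at 1 depth lookup:unable to get local issuer certificate
error in verify"""

# Constructed sample: the same failure one level lower (no intermediate supplied).
CONSTRUCTED_DEPTH0 = """CN = intranet.example.test
error 20 at 0 depth lookup: unable to get local issuer certificate
error intranet.pem: verification failed"""

if __name__ == "__main__":
    for sample in (PAGE_OUTPUT, CONSTRUCTED_DEPTH0, "intranet.pem: OK"):
        print(classify(sample))
```

Run against the quoted output, the verdict is a missing root at depth 1: the intermediate was located, but its issuer is not in the local trust store.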
 

Author Comment

by:Sid_F
ID: 41875654
Anything a bit easier, e.g. install software, point to site, etc. :)

Author Comment

by:Sid_F
ID: 41875660
I managed to resolve the issue; the GlobalSign issue is resolved by downloading the first cert, Domain Validation CA - SHA256 - G2, on the page here: https://support.globalsign.com/customer/portal/articles/1464460-domainssl-intermediate-certificates

Accepted Solution

by:
btan earned 500 total points
ID: 41875803
Thanks for sharing.
You can try the GlobalSign checker, which uses SSL Labs, if your website is reachable. It may be good to have a staging replica (with dummy data) to verify the SSL; otherwise I suggest using the offline tools for checking.
https://support.globalsign.com/customer/portal/articles/1217298-ssl-configuration-checker---overview