[openssl-users] CA design question?

Sat, 05 Dec 2015 10:56:21 -0800 

Hello,
my website has an official SSL certificate, which I renewed this year to have a SHA-256 certificate; 
when I test my site with SSLLabs.com, I'm shows two certificate paths:

the first one:
my SSL cert (SHA-256) sent by server (SHA1 Fingerprint: 0fae9fd23852fb834fe4f32d7d3c73714daa6aa9) the intermediate (SHA-256) sent by server (SHA1 Fingerprint: 064969b7f4d6a74fd098be59d379fae429a906fb) the self-signed (SHA-256) in trust store (SHA1 Fingerprint: a3f1333fe242bfcfc5d14e8f394298406810d1a0) 

the second one:
my SSL cert (SHA-256) sent by server (SHA1 Fingerprint: 0fae9fd23852fb834fe4f32d7d3c73714daa6aa9) the intermediate (SHA-256) sent by server (SHA1 Fingerprint: 064969b7f4d6a74fd098be59d379fae429a906fb) the self-signed (SHA-1) in trust store (SHA1 Fingerprint: 3e2bf7f2031b96f38ce6c4d8a85d3e2d58476a0f)
before I renewed the SSL certificate, my server sent a intermediate with SHA-1, I just exchanged this intermediate certificate with a SHA-256 cert. exchange the intermediate cert to one with SHA-256, with this I had this situation: 

before exchange intermediate, path one:
my SSL cert (SHA-1) sent by server (SHA1 Fingerprint: ...)
the intermediate (SHA-1) sent by server (SHA1 Fingerprint: ...)
the self-signed (SHA-256) in trust store (SHA1 Fingerprint: a3f1333fe242bfcfc5d14e8f394298406810d1a0) 

before exchange intermediate, path two:
my SSL cert (SHA-1) sent by server (SHA1 Fingerprint: ...)
the intermediate (SHA-1) sent by server (SHA1 Fingerprint: ...)
the self-signed (SHA-1) in trust store (SHA1 Fingerprint: 3e2bf7f2031b96f38ce6c4d8a85d3e2d58476a0f) 

after exchange intermediate, path one:
my SSL cert (SHA-1) sent by server (SHA1 Fingerprint: ...)
the intermediate (SHA-256) sent by server (SHA1 Fingerprint: 064969b7f4d6a74fd098be59d379fae429a906fb) the self-signed (SHA-256) in trust store (SHA1 Fingerprint: a3f1333fe242bfcfc5d14e8f394298406810d1a0) 

after exchange intermediate, path two:
my SSL cert (SHA-1) sent by server (SHA1 Fingerprint: ...)
the intermediate (SHA-256) sent by server (SHA1 Fingerprint: 064969b7f4d6a74fd098be59d379fae429a906fb) the self-signed (SHA-1) in trust store (SHA1 Fingerprint: 3e2bf7f2031b96f38ce6c4d8a85d3e2d58476a0f)
now my question how would it be possible to generate a SSL certificate that can be used with two different certificate paths? 

Thanks,
Walter

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Reply via email to