I have a RapidSSL certificate, and the instructions say I must include in my chain: RapidSSL SHA256 CA - G3, the GeoTrust Global CA root, and the Equifax Secure Certification Authority root.
However, this produces various warnings on SSLLabs.com (SHA1withRSA - weak signature) for the GeoTrust and Equifax root certificates. I also see the warning "The intermediate certificate has a weak signature. Upgrade to SHA2 as soon as possible to avoid browser warnings."
Now, if I remove the GeoTrust and Equifax certificates from my chain (leaving only my certificate + RapidSSL SHA256 CA - G3), that fixes all of those warnings and everything looks fine.
It also still shows the "GeoTrust Global CA" certificate, with the message "In trust store" in green.
Will I run into SSL problems if the GeoTrust and Equifax certificates are missing from my chain?
SSL Labs output (my certificate + RapidSSL SHA256 CA - G3):
Additional Certificates (if supplied)
Certificates provided 2 (2279 bytes)
Chain issues None
#2
Subject RapidSSL SHA256 CA - G3
Fingerprint: 0e34141846e7423d37f20dc0ab06c9bbd843dc24
Valid until Fri, 20 May 2022 21:39:32 UTC (expires in 6 years and 9 months)
Key RSA 2048 bits (e 65537)
Issuer GeoTrust Global CA
Signature algorithm SHA256withRSA
Certification Paths
Path #1: Trusted
1 Sent by server www.example.com
Fingerprint: fbea1fc476bcee2eae7a1001e4a37bf560d0c013
RSA 2048 bits (e 65537) / SHA256withRSA
2 Sent by server RapidSSL SHA256 CA - G3
Fingerprint: 0e34141846e7423d37f20dc0ab06c9bbd843dc24
RSA 2048 bits (e 65537) / SHA256withRSA
3 In trust store GeoTrust Global CA Self-signed
Fingerprint: de28f4a4ffe5b92fa3c503d1a349a7f9962a8212
RSA 2048 bits (e 65537) / SHA1withRSA
Weak or insecure signature, but no impact on root certificate
Answer 1
This looks like a case where the CA has done cross-signing.
There are two chains ending in your certificate:
Chain 1:
Path #1: Trusted
1 Sent by server www.example.com
Fingerprint: fbea1fc476bcee2eae7a1001e4a37bf560d0c013
RSA 2048 bits (e 65537) / SHA256withRSA
2 Sent by server RapidSSL SHA256 CA - G3
Fingerprint: 0e34141846e7423d37f20dc0ab06c9bbd843dc24
RSA 2048 bits (e 65537) / SHA256withRSA
3 In trust store GeoTrust Global CA Self-signed
Fingerprint: de28f4a4ffe5b92fa3c503d1a349a7f9962a8212
RSA 2048 bits (e 65537) / SHA1withRSA
Weak or insecure signature, but no impact on root certificate
Chain 2:
Path #2: Trusted
1 Sent by server www.example.com
Fingerprint: fbea1fc476bcee2eae7a1001e4a37bf560d0c013
RSA 2048 bits (e 65537) / SHA256withRSA
2 Sent by server RapidSSL SHA256 CA - G3
Fingerprint: 0e34141846e7423d37f20dc0ab06c9bbd843dc24
RSA 2048 bits (e 65537) / SHA256withRSA
3 Sent by server GeoTrust Global CA
Fingerprint: 7359755c6df9a0abc3060bce369564c8ec4542a3
RSA 2048 bits (e 65537) / SHA1withRSA
WEAK SIGNATURE
4 In trust store Equifax / Equifax Secure Certificate Authority Self-signed
Fingerprint: d23209ad23d314232174e40d7f9d62139786633a
RSA 1024 bits (e 65537) / SHA1withRSA
WEAK KEY IN MOZILLA'S TRUST STORE MORE INFO »
Weak or insecure signature, but no impact on root certificate
(from the SSL Labs report output)
Actually, when the GeoTrust CA certificate was first rolled out, "chain 1" was the primary option, but "chain 2" may have been the one people were interested in, since not everyone had the GeoTrust certificate (de28f4a4ffe5b92fa3c503d1a349a7f9962a8212) in their list, while they probably all had the Equifax certificate (d23209ad23d314232174e40d7f9d62139786633a).
Technically both chains are still valid, but the one starting from the Equifax root is outdated. It has a 1024-bit root certificate (now considered weak), and its first intermediate is SHA-1 signed (now considered weak).
I would say there is probably little point in providing the intermediate certificate for "chain 2" in this situation.
If you want confirmation, want to know why they still ask you to provide the certificate for "chain 2", or want to know what compatibility problems might exist if you don't, I'd suggest contacting your CA.
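As an added illustration, not part of the original question or answer: the script below uses openssl to build throwaway stand-ins for the two paths SSL Labs reported (the root names, subjects and 30-day validity are made up) and audits each certificate the way the report does, treating a SHA-1 self-signature on a root as harmless but a SHA-1 signature on an intermediate, or a 1024-bit key anywhere, as weak.

```shell
#!/bin/sh
# Added demo, not from the original post: rebuild the two paths SSL Labs showed
# with throwaway keys, then audit each certificate the way a modern client would.
set -e
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
mkroot() { openssl req -x509 -nodes -days 30 "$@" 2>/dev/null; }
# Root A stands in for GeoTrust Global CA: RSA 2048, SHA-1 self-signature
mkroot -newkey rsa:2048 -sha1 -subj "/CN=Root A" -keyout "$WORK/a.key" -out "$WORK/a.pem"
# Root B stands in for the Equifax root: RSA 1024, SHA-1 self-signature
mkroot -newkey rsa:1024 -sha1 -subj "/CN=Root B" -keyout "$WORK/b.key" -out "$WORK/b.pem"
# One intermediate key, cross-signed by both roots (the situation the answer describes)
openssl req -new -nodes -newkey rsa:2048 -subj "/CN=Intermediate" \
  -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
xsign() { openssl x509 -req -days 30 -in "$WORK/int.csr" -CAcreateserial "$@" 2>/dev/null; }
xsign -sha256 -CA "$WORK/a.pem" -CAkey "$WORK/a.key" -out "$WORK/int_a.pem"  # chain 1
xsign -sha1   -CA "$WORK/b.pem" -CAkey "$WORK/b.key" -out "$WORK/int_b.pem"  # chain 2
cat "$WORK/int_a.pem" "$WORK/a.pem" > "$WORK/chain1.pem"
cat "$WORK/int_b.pem" "$WORK/b.pem" > "$WORK/chain2.pem"

# audit_cert FILE: print "subject | sigalg | key | verdict"; exit 1 if anything is weak
audit_cert() {
  txt=$(openssl x509 -in "$1" -noout -text)
  sig=$(printf '%s\n' "$txt" | sed -n 's/.*Signature Algorithm: //p' | head -1)
  bits=$(printf '%s\n' "$txt" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -1)
  subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
  verdict=""
  # A client never verifies a root's self-signature, so SHA-1 there is harmless
  # ("no impact on root certificate"); a weak key on the root still matters.
  if [ "$(openssl x509 -in "$1" -noout -subject_hash)" != \
       "$(openssl x509 -in "$1" -noout -issuer_hash)" ]; then
    case $sig in sha1*|md5*) verdict="weak-signature ";; esac
  fi
  [ "${bits:-0}" -ge 2048 ] || verdict="${verdict}weak-key"
  echo "$subj | $sig | $bits bit | ${verdict:-ok}"
  [ -z "$verdict" ]
}
# weak_count BUNDLE: audit every certificate in a PEM bundle; last line is the weak count
weak_count() {
  awk '/-----BEGIN CERTIFICATE-----/{n++} {print > ("'"$WORK"'/c" n ".pem")}' "$1"
  bad=0
  for f in "$WORK"/c[0-9]*.pem; do audit_cert "$f" || bad=$((bad + 1)); done
  rm -f "$WORK"/c[0-9]*.pem
  echo "$bad"
}
weak_count "$WORK/chain1.pem"   # last line: 0
weak_count "$WORK/chain2.pem"   # last line: 2
```

Run the same `weak_count` against the bundle your server actually sends (for example the output of `openssl s_client -showcerts`) to see which of the two paths your configuration is serving.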