SSL - More than one intermediate certificate in CSS to support EV SSL

sroylance1
Level 1

Although the documentation for the CSS does indeed cover how to install a single intermediate certificate (http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/css11500series/v8.10/configuration/ssl/guide/sslcggde.pdf for example), there are now many more instances where 2 intermediates are required. The latest type of SSL certificate (Extended Validation SSL) requires the use of a cross certificate in the chain. As such the CSS does not seem to be able to support this configuration and we've seen cases now of either the CSS being rejected by the hosting provider or the certificate being downgraded by the hosting provider. I'd like to enquire how Cisco plans to support a 4 certificate hierarchy in the future. As an example pick any EV web site ebay/paypal or banks like abk.be and look at the chain with a current version of Opera or a non EV web browser like IE 6.0.

2 Replies

tim.pearce
Level 1

I came across this in Feb when the new E.V. certs became available. You need to concatenate the root, intermediate and server certificate into one chained certificate. The existing root certs in the browser's certificate store can authenticate the new root certificate which validates the whole chain including the server cert.

Doing it this way means you can have as many certs in the chain as is required.
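The concatenation described in the reply above, as an added example that is not part of the original posts: it builds a constructed 4-certificate hierarchy with the `openssl` CLI, joins the PEM files in the order the reply lists, and shows that the server certificate only verifies when the cross certificate is in the file. All names (`root`, `cross`, `issuing`, `server`, `chained.pem`) are made up, and the file order the CSS import itself expects is not stated on this page.

```shell
#!/usr/bin/env bash
# Added example with constructed certificates; nothing here is CSS-specific.
set -eu

# issue NAME ISSUER IS_CA: create NAME.key and NAME.pem signed by ISSUER.
# ISSUER equal to NAME produces a self-signed root.
issue() {
  local name=$1 issuer=$2 ca=$3
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$name.key" -out "$name.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:%s\n' "$ca" > "$name.ext"
  if [ "$name" = "$issuer" ]; then
    openssl x509 -req -in "$name.csr" -signkey "$name.key" -days 2 \
      -extfile "$name.ext" -out "$name.pem" 2>/dev/null
  else
    openssl x509 -req -in "$name.csr" -CA "$issuer.pem" -CAkey "$issuer.key" \
      -set_serial 1 -days 2 -extfile "$name.ext" -out "$name.pem" 2>/dev/null
  fi
}

# count_certs FILE: number of PEM certificates in a concatenated file.
count_certs() { grep -c -- '-----BEGIN CERTIFICATE-----' "$1"; }

# verify_leaf ROOT CHAIN LEAF: succeed only if LEAF chains up to ROOT using
# the certificates in CHAIN as untrusted intermediates.
verify_leaf() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>/dev/null | grep -q ': OK$'
}

demo() {
  cd "$(mktemp -d)"
  issue root    root    TRUE    # trust anchor
  issue cross   root    TRUE    # cross certificate (first intermediate)
  issue issuing cross   TRUE    # issuing CA (second intermediate)
  issue server  issuing FALSE   # server certificate
  # Order as listed in the reply: root, intermediates, server.
  cat root.pem cross.pem issuing.pem server.pem > chained.pem
  # Same file with the cross certificate left out.
  cat root.pem issuing.pem server.pem > short.pem
}

demo
echo "certificates in chained.pem: $(count_certs chained.pem)"
verify_leaf root.pem chained.pem server.pem && echo "full chain: verifies"
verify_leaf root.pem short.pem server.pem || echo "cross cert missing: rejected"
```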

Do I concatenate it for the certificate you use to authenticate the trust point?
