import pfx file and intermediate certificates
Vincent Blanc 2018-02-20 16:59:23 Registered user
Hello,
Regarding the import of certificates with the ImportFromPFX function: I am not sure that the intermediate certificate is imported correctly. When I test my site (https://www.sslshopper.com/ssl-checker.html#hostname=test.ecole7.ch), I get a message: "The certificate is not trusted in all web browsers. You may need to install an Intermediate / chain certificate to link to a trusted root certificate. Learn more about this error. The fastest way to this problem is to contact your SSL provider." I specify that my .pfx file contains an intermediate certificate. I said that the site is still recognized correctly by most browsers.
Thank you in advance for your assistance
Vincent Blanc
Henrick Wibell Hellström 2018-02-20 21:38:45 Registered user
Correct. In ST 4.0 you use the property TsmSimpleTLSInternalServer.LocalExplicitTrustByDefault = True to ensure all certificates in the PFX are loaded. You should combine this with TsmSimpleTLSInternalServer.IncludeRootInTLSChain = False in case the root certificate is also present in the PFX, and there are Mozilla clients (Firefox/Thunderbird) connecting to your server.
In ST 2.3 the easiest solution is to load the intermediate certificates separately, using the method TSimpleTLSInternalServer.LoadRootCertificatesFromFile. Previously, the recommended solution was to load the (actual) root certificate prior to importing the PFX, but that is no longer an optimal solution, due to the shortcuts in the Mozilla implementation. The reason ST 2.3 works this way is that the SSL/TLS solution was originally designed for applications where the clients authenticated themselves to the server using SSL/TLS client authentication. ST 2.3 will by default use any loaded CA certificate as an acceptable CA for client certificate issuance, which might be undesirable in situations where the server certificate and the client certificates belong to strictly separated chains.
Vincent Blanc 2018-02-21 17:23:58 Registered user
Thank you for this information, everything is ok now.
Just a note on ST 2.3 (bug?): The LoadRootCertsFromFile function cannot read the .crt format, but reads the .cer format correctly. In the source you do not make the difference between the two formats (TlsInternalServer.pas line 1950): `if (Ext = '.cer') or (Ext = '.crt') then begin`. It's not too bad, just use the .cer format only.
Henrick Wibell Hellström 2018-02-21 17:38:08 Registered user
Yes, unfortunately that code is not really up to date with contemporary conventions, but technically, '.crt' just means certificate, just like '.cer' does. There has been Microsoft software that used '*.crt;*.cer;*.der' for binary DER certificates, as well as some other software that used '*.cer;*.crt;*.pem' for PEM encoded certificates.
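Because '.cer' and '.crt' can each hold either PEM or DER, a loader that keys on the extension (as in the LoadRootCertsFromFile dispatch quoted above) will misread some files. The following is an added example, not StreamSec Tools code, of loading a certificate file by sniffing its content instead; it returns raw DER blobs for a PEM chain or for one or more concatenated DER certificates, and the sample data is a constructed DER SEQUENCE rather than a real certificate.

```python
import base64
import re

# Added example (not StreamSec Tools code): pick PEM vs DER from the bytes,
# never from the file extension.
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _der_tlv_length(data: bytes, offset: int) -> int:
    """Total size (tag + length bytes + content) of the DER SEQUENCE at offset."""
    if offset + 2 > len(data):
        raise ValueError("truncated DER header")
    if data[offset] != 0x30:  # every X.509 certificate is an outer SEQUENCE
        raise ValueError(f"expected SEQUENCE at offset {offset}")
    first = data[offset + 1]
    if first < 0x80:  # short form: the byte is the content length
        return 2 + first
    n = first & 0x7F  # long form: next n bytes hold the length, big-endian
    if n == 0 or n > 4:
        raise ValueError("indefinite or oversized DER length")
    length = int.from_bytes(data[offset + 2:offset + 2 + n], "big")
    return 2 + n + length


def load_certificates(data: bytes) -> list[bytes]:
    """Return every certificate in data as raw DER bytes.

    PEM input may carry a whole chain (several BEGIN/END blocks); DER input
    may be one certificate or several concatenated back to back.
    """
    if b"-----BEGIN CERTIFICATE-----" in data:
        return [base64.b64decode(b"".join(body.split()))
                for body in PEM_BLOCK.findall(data)]
    certs, offset = [], 0
    while offset < len(data):
        size = _der_tlv_length(data, offset)
        if offset + size > len(data):
            raise ValueError("truncated DER certificate")
        certs.append(data[offset:offset + size])
        offset += size
    return certs


def load_certificate_file(path: str) -> list[bytes]:
    """Same as load_certificates, reading from disk; the extension is ignored."""
    with open(path, "rb") as f:
        return load_certificates(f.read())


# Constructed stand-in for a certificate: a bare DER SEQUENCE, not real X.509.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
```

The same bytes come back whether the file was named .cer, .crt or .pem, and a PEM bundle yields the whole chain rather than only its first certificate.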