AnsweredAssumed Answered

Trust-Store and Chain/Intermediate certificates

Question asked by StefanKlotz on Feb 6, 2018
Latest reply on Mar 5, 2018 by StefanKlotz

Hi there,

who can explain, how the certificate trust process is working?

Background is the following issue:

We have some APIs with backend/provider in the cloud (e.g. Azure). They are using the following server certificate "*.azurewebsites.net". We installed the intermediate and root certificate in the trust-store of the gateway, both with the option "Signing Certificates for Outbound SSL Connections", but only the root certificate with the "Certificate is a Trust Anchor" option enabled.

During last weekend Microsoft changed the server certificate and also its issuer. Only the root certificate is the same. Due to the different intermediate certificate, the gateway was not able anymore to trust these SSL connections. Although the intermediate and root certificate will be provided from the server during SSL handshake, we had to install the new intermediate certificate first to get it working again.

I was expecting, that in such case the root certificate should be sufficient to be available in the gateways trust-store.

Is this behavior really correct or do we miss some settings?

As Microsoft will not inform the customers about such certificate changes, this will always cause an impact due to missing certificate trust on the gateway as we are not aware of all potential intermediate certificates.

Is there any way to avoid this?

I mean, if the intermediate and root certificates will not be provided from the server during SSL handshake, then this behavior would be ok for us, but as long as the chain is available, the root certificate should be sufficient.

Thanks for your help!

 

Ciao Stefan

Outcomes