25 Sep 2024 03:18 PM
We are using the certificate extension to monitor certificates, and we had an intermediate cert expire when the main cert was still valid. We were not monitoring that specific cert stack, but there isn't any info in the doc on monitoring the whole cert stack, or just the configured main cert. Does anyone have experience with this extension to provide some insight?
Thanks
26 Sep 2024 07:30 AM - edited 26 Sep 2024 07:31 AM
I believe this is not extension-specific; it depends on the configuration of your application / web servers where you are checking SSL certs. If they expose the full chain including intermediate certificates (which is the right way, but sometimes I see web servers incorrectly configured), then anyone can validate the SSL certs just using the root certificate. This is how certificate validation is supposed to work.
So if a web server SSL cert has the chain RootCA -> IntermediateCA -> Webserver cert and the web server does not provide the full chain, you cannot validate the web server cert with just the RootCA; the Intermediate CA must be included too.
For example, you can check it with the openssl command, and it shows you the chain:
$ echo "" | openssl s_client -connect dynatrace.com:443 -showcerts
CONNECTED(00000003)
depth=2 C = US, O = Amazon, CN = Amazon Root CA 1
verify return:1
depth=1 C = US, O = Amazon, CN = Amazon RSA 2048 M03
verify return:1
depth=0 CN = dynatrace.com
verify return:1
---
Certificate chain
0 s:CN = dynatrace.com
i:C = US, O = Amazon, CN = Amazon RSA 2048 M03
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Nov 27 00:00:00 2023 GMT; NotAfter: Dec 25 23:59:59 2024 GMT
-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----
1 s:C = US, O = Amazon, CN = Amazon RSA 2048 M03
i:C = US, O = Amazon, CN = Amazon Root CA 1
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Aug 23 22:26:04 2022 GMT; NotAfter: Aug 23 22:26:04 2030 GMT
-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----
2 s:C = US, O = Amazon, CN = Amazon Root CA 1
i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: May 25 12:00:00 2015 GMT; NotAfter: Dec 31 01:00:00 2037 GMT
-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----
3 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Sep 2 00:00:00 2009 GMT; NotAfter: Jun 28 17:39:16 2034 GMT
-----BEGIN CERTIFICATE-----...-----END CERTIFICATE-----
---
Server certificate
subject=CN = dynatrace.com
issuer=C = US, O = Amazon, CN = Amazon RSA 2048 M03
---
No client certificate CA names sent
Peer signing digest: SHA512
Peer signature type: RSA
Server Temp Key: ECDH, prime256v1, 256 bits
---
SSL handshake has read 6758 bytes and written 441 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES128-GCM-SHA256
Session-ID: 58A9294A0FCF5726D3A3B1BD66A5CED4A53FD0673195AD72B55EE2A22C651BC8
Session-ID-ctx:
Master-Key: 0911F6B1868DE53458F989521FB112D03AB2B4898D5FD40D4846768C1DF00440D59690B3B8A970F876D83855F059ADD7
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1727332107
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: no
---
DONE
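Added example (not code from the answer above, the extension, or Dynatrace): a small Python script that turns the `openssl s_client -showcerts` check into a whole-chain monitor. It parses the per-certificate `s:` / `i:` / `v:` lines that `-showcerts` prints, reports the expiry of every presented certificate (leaf, intermediates and any root the server sends), and flags a chain where the leaf's issuer is not presented at all, which is the "web server does not provide the full chain" misconfiguration the answer describes. The `fetch_showcerts` helper assumes `openssl` is on `PATH` and needs network access; the embedded sample is the chain output printed in the answer with the PEM bodies omitted, and the 30-day warning threshold is an arbitrary choice for the example.

```python
"""Whole-chain certificate expiry check built on `openssl s_client -showcerts`.

Added example; assumes `openssl` is on PATH for live use. Dates in -showcerts
output are GMT, so all datetimes here are naive UTC.
"""
import re
import subprocess
from datetime import datetime

# Lines of -showcerts output we care about, e.g.
#  0 s:CN = dynatrace.com
#    i:C = US, O = Amazon, CN = Amazon RSA 2048 M03
#    v:NotBefore: Nov 27 00:00:00 2023 GMT; NotAfter: Dec 25 23:59:59 2024 GMT
_SUBJECT_RE = re.compile(r"^\s*(\d+)\s+s:(.*)$")
_VALIDITY_RE = re.compile(r"NotBefore:\s*(.+?)\s+GMT;\s*NotAfter:\s*(.+?)\s+GMT")
_DATE_FMT = "%b %d %H:%M:%S %Y"  # "Nov 27 00:00:00 2023"; strptime tolerates "Sep  2"

# Sample input: the chain section of the answer's own output, PEM bodies omitted.
SAMPLE_OUTPUT = """\
Certificate chain
 0 s:CN = dynatrace.com
   i:C = US, O = Amazon, CN = Amazon RSA 2048 M03
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Nov 27 00:00:00 2023 GMT; NotAfter: Dec 25 23:59:59 2024 GMT
 1 s:C = US, O = Amazon, CN = Amazon RSA 2048 M03
   i:C = US, O = Amazon, CN = Amazon Root CA 1
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Aug 23 22:26:04 2022 GMT; NotAfter: Aug 23 22:26:04 2030 GMT
 2 s:C = US, O = Amazon, CN = Amazon Root CA 1
   i:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: May 25 12:00:00 2015 GMT; NotAfter: Dec 31 01:00:00 2037 GMT
 3 s:C = US, ST = Arizona, L = Scottsdale, O = "Starfield Technologies, Inc.", CN = Starfield Services Root Certificate Authority - G2
   i:C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority
   a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
   v:NotBefore: Sep  2 00:00:00 2009 GMT; NotAfter: Jun 28 17:39:16 2034 GMT
---
Server certificate
subject=CN = dynatrace.com
issuer=C = US, O = Amazon, CN = Amazon RSA 2048 M03
"""


def fetch_showcerts(host, port=443, timeout=10):
    """Run openssl s_client -showcerts against host (live use only)."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}",
         "-servername", host, "-showcerts"],
        input="", capture_output=True, text=True, timeout=timeout, check=False)
    return proc.stdout


def _parse_date(text):
    return datetime.strptime(text.strip(), _DATE_FMT)


def parse_showcerts(text):
    """Return one dict per presented certificate, in the order the server sent them."""
    chain = []
    for line in text.splitlines():
        m = _SUBJECT_RE.match(line)
        if m:  # " 0 s:..." starts a new chain entry
            chain.append({"depth": int(m.group(1)), "subject": m.group(2).strip(),
                          "issuer": None, "not_before": None, "not_after": None})
            continue
        if not chain:
            continue  # header lines before the chain section
        stripped = line.strip()
        if stripped.startswith("i:"):
            chain[-1]["issuer"] = stripped[2:].strip()
            continue
        m = _VALIDITY_RE.search(line)
        if m:
            chain[-1]["not_before"] = _parse_date(m.group(1))
            chain[-1]["not_after"] = _parse_date(m.group(2))
    return chain


def expiring_certs(chain, now, warn_days=30):
    """(depth, subject, days_left) for every cert already expired or expiring
    within warn_days. Depth 0 is the leaf; higher depths are intermediates/root."""
    out = []
    for cert in chain:
        if cert["not_after"] is None:
            continue
        days_left = (cert["not_after"] - now).days  # floor; negative = expired
        if days_left <= warn_days:
            out.append((cert["depth"], cert["subject"], days_left))
    return out


def missing_intermediate(chain):
    """True when the leaf's issuer is not among the presented certificates,
    i.e. the server is not sending its intermediate CA."""
    if not chain:
        return True
    presented = {c["subject"] for c in chain}
    leaf = chain[0]
    return leaf["issuer"] != leaf["subject"] and leaf["issuer"] not in presented


if __name__ == "__main__":
    chain = parse_showcerts(SAMPLE_OUTPUT)  # swap in fetch_showcerts("host") for live use
    for depth, subject, days in expiring_certs(chain, datetime.utcnow()):
        print(f"depth {depth}: {subject} -> {days} day(s) left")
    print("intermediate missing:", missing_intermediate(chain))
```

Run against a live host by replacing `SAMPLE_OUTPUT` with `fetch_showcerts(host)`; the point of iterating over every entry rather than `chain[0]` is that an intermediate expiring before the leaf, the situation in the question, is flagged with the same alert as the leaf. The chain-completeness check is a heuristic: a publicly trusted leaf is practically always issued by an intermediate, so a chain where the leaf's issuer is absent is worth alerting on even though validation against a local trust store is the authoritative test.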