
We have an IIS 7 server with a wildcard certificate. This should work fine if you test it in any browser: https://www.profcoach.nl

But when I try to test this in Safari on Mac OS Leopard or Lion it doesn't work; the debugger says:

GET https://profcoach.nl/ The certificate for this server is invalid. You might be connecting to a server that is pretending to be “profcoach.nl” which could put your confidential information at risk.

Problem is that it doesn't give me a proper GUI warning popup, it just kills the request.

What could be the exact problem?

Roger Far

2 Answers


A couple of things:

Wildcards are for a given level of the domain. If your wildcard is for "*.example.com", then the bare name "example.com" is not covered. You will need a Subject Alternative Name to cover the additional "example.com".

Second issue:

I'm getting verification failed when going to either URL. For example:

$ curl -Iv https://www.profcoach.nl/
* About to connect() to www.profcoach.nl port 443 (#0)
*   Trying 91.224.164.224... connected
* Connected to www.profcoach.nl (91.224.164.224) port 443 (#0)
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS alert, Server hello (2):
* SSL certificate problem, verify that the CA cert is OK. Details:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

When I look at the cert itself, I see:

$ openssl s_client -connect www.profcoach.nl:443 | openssl x509 -noout -subject
depth=1 /C=BE/O=GlobalSign nv-sa/CN=GlobalSign Domain Validation CA - G2
verify error:num=20:unable to get local issuer certificate
verify return:0
subject= /OU=Domain Control Validated/CN=*.profcoach.nl

So the Common Name should work for www.profcoach.nl.

Did you follow the instructions at the Certificate Authority about installing any intermediate certificates?

https://www.globalsign.com/support/intermediate-root-install.php

They appear to have install instructions for IIS over on the side bar.

Oh, I just realized that Globalsign was the target of Iranian hackers last year (http://www.theregister.co.uk/2011/09/07/globalsign_suspends_ssl_cert_biz/). It's possible they killed their older intermediate certificates, and you will need to make sure you have their current ones installed, so the confusion on the Mac may have to do with that. I would contact their support on this issue to get clarification.

Update

Use the bundle at https://www.globalsign.com/support/intermediate/domain_bundle2011.php. I put that bundle into a file foo.crt, and running curl -Iv --cacert foo.crt https://www.profcoach.nl validates properly:

$ curl -Iv --cacert foo.crt https://www.profcoach.nl
* About to connect() to www.profcoach.nl port 443 (#0)
*   Trying 91.224.164.224... connected
* Connected to www.profcoach.nl (91.224.164.224) port 443 (#0)
* successfully set certificate verify locations:
*   CAfile: foo.crt
  CApath: none
* SSLv3, TLS handshake, Client hello (1):
* SSLv3, TLS handshake, Server hello (2):
* SSLv3, TLS handshake, CERT (11):
* SSLv3, TLS handshake, Server finished (14):
* SSLv3, TLS handshake, Client key exchange (16):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSLv3, TLS change cipher, Client hello (1):
* SSLv3, TLS handshake, Finished (20):
* SSL connection using AES128-SHA
* Server certificate:
*    subject: OU=Domain Control Validated; CN=*.profcoach.nl
*    start date: 2012-07-05 14:59:04 GMT
*    expire date: 2013-07-06 14:59:04 GMT
*    subjectAltName: www.profcoach.nl matched
*    issuer: C=BE; O=GlobalSign nv-sa; CN=GlobalSign Domain Validation CA - G2
*    SSL certificate verify ok.
cjc
  • I did (re)install the intermediate certificates just now, so curl and openssl should not give any errors anymore, but Mac OS is still not accepting the certificate. – Roger Far Jul 12 '12 at 12:14
  • @Rogier21 Please see my updated Answer for what appears to be the correct intermediate bundle. – cjc Jul 12 '12 at 12:28
  • I have put the issue with the certificate issuer, because even when I installed the package you suggested it still gives the same error. – Roger Far Jul 13 '12 at 06:47
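The name-matching rule behind the first point in the answer above (a wildcard stands for exactly one label, so the bare domain needs its own Subject Alternative Name), as an added Python example that is not part of the original answer. The certificate names it checks are constructed from the CN and SAN visible in the curl output; whether the real certificate also listed the bare name is not shown on the page.

```python
from typing import List, Optional, Tuple

def name_matches(pattern: str, hostname: str) -> bool:
    """True if one certificate name (CN or dNSName SAN) covers hostname,
    following the RFC 6125 wildcard rules that browsers apply."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole left-most label, appear only there,
    # and leave at least two labels to its right ("*.nl" is rejected).
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False
    # "*" stands for exactly one label: "*.profcoach.nl" matches
    # www.profcoach.nl but neither profcoach.nl nor a.b.profcoach.nl.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]

def cert_covers(hostname: str, subject_cn: Optional[str], sans: List[str]) -> Tuple[bool, str]:
    """Decide whether a certificate with this CN and these dNSName SANs is
    valid for hostname. Clients consult the SAN list when it is present and
    fall back to the CN only when the certificate has no dNSName SANs."""
    candidates = sans if sans else ([subject_cn] if subject_cn else [])
    source = "subjectAltName" if sans else "CN"
    for name in candidates:
        if name_matches(name, hostname):
            return True, f"{hostname} matched {name} ({source})"
    return False, f"{hostname} matched none of {candidates} ({source})"

# Constructed name lists modelled on the certificate in the answer
# (CN=*.profcoach.nl plus a www.profcoach.nl SAN); the second list is the
# fix the answer describes, a SAN for the bare domain.
WILDCARD_ONLY = ["*.profcoach.nl", "www.profcoach.nl"]
WITH_BARE_NAME = WILDCARD_ONLY + ["profcoach.nl"]

if __name__ == "__main__":
    for host in ("www.profcoach.nl", "profcoach.nl", "a.b.profcoach.nl"):
        print(cert_covers(host, "*.profcoach.nl", WILDCARD_ONLY)[1])
    print(cert_covers("profcoach.nl", "*.profcoach.nl", WITH_BARE_NAME)[1])
```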

The problem appeared to be the key length of the certificate. It was 8k; after re-issuing the certificate with a 2k key size it worked like a charm.

Very strange that only Safari on MacOS has this problem!

Roger Far