
I recently visited the Qualys SSL Server Test to confirm that a Namecheap certificate was installed properly. Everything looked fine except for one chain issue ("Contains anchor"):

(Qualys report section: Certificate chain)

It seems that I should be able to resolve this issue by removing the AddTrust External CA Root, which is already present in (most?) trust stores. However, Namecheap's own installation instructions explicitly state that this is one of the three certificates in their CA bundle:

  • ComodoRSADomainValidationSecureServerCA.crt
  • COMODORSAAddTrustCA.crt
  • AddTrustExternalCARoot.crt

Is it safe to ignore Namecheap's instructions and remove the AddTrust External CA Root certificate from the chain? If so, why would Namecheap include it in the first place?

Chris Frederick

2 Answers


There's no use in including it. If the client browser or library has it as a trusted certificate then it obviously doesn't need another copy; if it doesn't have it, then including it isn't going to make it trust it.

I have no idea why Namecheap would include it in their instructions. Abundance of caution? It's not an error or spec compliance violation to include it. Your site will work fine with it present. It will however add (very) slightly to the handshake processing time and serves no other practical purpose which is why Qualys includes it as a warning.

https://community.qualys.com/thread/11234

Jeff Snider
  • Maybe they believe that if the client browser doesn't trust their CA cert, the user would like to add that CA cert to the list of trusted roots, but she'd need to have the CA cert to do this, wouldn't she? – Joker_vD Oct 27 '17 at 11:39
  • @Joker_vD That's unlikely in browsers. A bit more likely if the certificate is meant for use in IoT or embedded devices, where a 'standard' set of root certificates is not necessarily installed. Still, people working on those kinds of Operating Systems should be able to download the root cert from the CA's website just as easily. It's weird. – Martijn Heemels Oct 27 '17 at 13:15
  • Note: There are some edge cases where including the root makes sense; i.e. with LetsEncrypt certificates, since Sept 2021 a new root was provided which isn't trusted on older Android devices. As such, they recommend you include a copy of the root, which they've cross signed with an older (albeit expired) root which is trusted. Older Android devices don't check expiry dates so that isn't an issue / resolves the issue of the real root not being trusted. – JohnLBevan Nov 09 '22 at 08:38

It looks like some others have had this issue, and yes, it might be safe to ignore NameCheap's config instructions per the link:

Yes, that's correct. It's not an issue in the sense that the anchor is not allowed, but that the extra certificate (which serves no purpose) is increasing the handshake latency. Some people care about that, which is why we provide the information in the test.

conorb
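As an added example (not from the question, either answer, or the Qualys thread), here is a standard-library Python script that does what both answers describe: it finds the self-signed certificate in a PEM chain, which is what the "Contains anchor" warning is about, drops it, and confirms the remaining certificates still link to one another. The certificates it runs on are constructed fixtures with dummy signatures, and the function names and the "Example Root CA" style names are assumptions for the demonstration, not anything from Namecheap, Comodo or Qualys.

```python
import base64
import re

# Added example: detect and drop the trust anchor from a PEM chain using only
# the standard library. The certificates built below are constructed fixtures
# with dummy signature bits, not real Namecheap/Comodo/AddTrust certificates.

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _children(buf, start, end):
    """Yield (tag, raw_tlv_bytes) for each element of a DER SEQUENCE body."""
    pos = start
    while pos < end:
        tag, _, value_end = _read_tlv(buf, pos)
        yield tag, buf[pos:value_end]
        pos = value_end


def subject_and_issuer(der):
    """Return the raw DER Name bytes (subject, issuer) of an X.509 certificate."""
    _, tbs_pos, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE
    _, start, end = _read_tlv(der, tbs_pos)    # tbsCertificate ::= SEQUENCE
    fields = list(_children(der, start, end))
    if fields[0][0] == 0xA0:                   # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    return fields[4][1], fields[2][1]


def is_self_signed(der):
    """DER names are canonical, so byte-equal subject and issuer means self-issued."""
    subject, issuer = subject_and_issuer(der)
    return subject == issuer


def load_bundle(text):
    """Split a PEM bundle into (pem_block, der_bytes) pairs, in file order."""
    return [(m.group(0), base64.b64decode("".join(m.group(1).split())))
            for m in PEM_RE.finditer(text)]


def strip_anchor(text):
    """Return (bundle without self-signed certs, number of certs dropped)."""
    kept, dropped = [], 0
    for pem, der in load_bundle(text):
        if is_self_signed(der):
            dropped += 1
        else:
            kept.append(pem)
    return "\n".join(kept) + "\n", dropped


def chain_is_linked(text):
    """True if each certificate's issuer is the subject of the next one (leaf first)."""
    names = [subject_and_issuer(der) for _, der in load_bundle(text)]
    return all(names[i][1] == names[i + 1][0] for i in range(len(names) - 1))


# --- constructed fixtures (hypothetical names, dummy signatures) --------------
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _name(cn):
    # Name ::= SEQUENCE OF RDN; RDN ::= SET OF { OID 2.5.4.3 (CN), UTF8String }
    atv = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))


def fake_cert_pem(subject_cn, issuer_cn):
    """Build a structurally valid but unsigned certificate (dummy signature bits)."""
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
    validity = _tlv(0x30, _tlv(0x17, b"170101000000Z") + _tlv(0x17, b"270101000000Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg
               + _name(issuer_cn) + validity + _name(subject_cn) + _tlv(0x30, b""))
    der = _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 5))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"


# Chain as the Qualys test would see it: server cert, intermediate, redundant root.
CHAIN_WITH_ANCHOR = "\n".join([
    fake_cert_pem("www.example.com", "Example Intermediate CA"),
    fake_cert_pem("Example Intermediate CA", "Example Root CA"),
    fake_cert_pem("Example Root CA", "Example Root CA"),
]) + "\n"

if __name__ == "__main__":
    trimmed, dropped = strip_anchor(CHAIN_WITH_ANCHOR)
    print(f"dropped {dropped} self-signed cert(s); chain still linked: {chain_is_linked(trimmed)}")
```

On a real bundle you would pass the file contents to strip_anchor and write the result back as the chain file (the same check by hand is `openssl x509 -noout -subject -issuer` on each certificate). Two caveats: the script only removes certificates whose issuer equals their subject, so a cross-signed copy of a root (issuer differs from subject), like the one the Let's Encrypt comment above describes, is kept; and it never checks a signature, so it tells you which certificate is redundant, not whether the chain validates. Use `openssl verify` or the Qualys test for that.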