How do I validate the ssl chain served by server for a internal site ? I found online tools like ssl labs that do this but they don't work for a internal network site . I tried OpenSSL and inputted site url and it says the site's chain is ok. But still we are having issues with some Android devices not trusting the server . Is there any other way to validate the certificate chain being served by my server ?
Asked
Active
Viewed 286 times
0
-
What is the root CA certificate (and intermediate) you use for this internal site? On those Android devices, do they have the root certificate trusted? Chain validation can be done manually. – Lex Li Sep 15 '22 at 15:42
-
Root CA is Comodo CA limited - AAA certificate services and its trusted by default in Android. Could see it in their system certificates list. – Naresh Kumar Sep 15 '22 at 16:30
-
Then can you edit the question and show the exact Android error messages? From a browser or from a certain app? – Lex Li Sep 15 '22 at 18:28
1 Answers
1
For public HTTPS endpoints, we can use an online service to check its certificate. For Azure SignalR Service instances, you can use the lonos SSL checker. There are also other SSL certificate testing services online, such as the one from SSLlabs.com.
If you can't use a browser or an online service - possibly because the internal environment prevents getting the provided certificate chain in this way. You can use a network trace to see the certificate chain, such as that obtained with Wireshark. In TLS negotiation, after Client Hello and Server Hello, the server will present its certificate to authenticate itself to the client. So, in the network trace, you see certificates, each with its serial number and issuer information.
More information can be obtained from this blog。
YurongDai
- 1,362
- 1
- 2
- 7