Does client need to install intermediate certificate??
Joined: Jul 31, 2007
My team just got notified that a server is getting a new SSL certificate on short notice. The service is a straight up SSL TCP/IP socket connection, custom format for request/response. They got the certificate from GeoTrust.
They forwarded us a list of instructions from GeoTrust, and one item includes instructions to install the Intermediate Certificate, or this won't work.
Question: Who needs to install the Intermediate Certificate? Client, server, or both?
Our client program runs on a JVM that opens a socket connection (IBM JVM 1.4.2). In checking our trust store, the fingerprints seem to match at least one of the certs that we found on GeoTrust's root certificate page. We're getting an error relating to the certificate chain being wrong. (Actually, we also ran this on IBM JVM 1.6.0, which had more verbose logging, which specified that it was a chaining issue).
I wonder if it's even feasible to install an intermediate cert into our trust store. Even if it works, I wonder if that's best practice, or if I should insist that the other team check the installation of its certs and intermediate certs?
(Just to clarify, this is just unilateral authentication. That is, there is no client-side SSL certificate. Only the server, as with most applications on the Internet).
Joined: Aug 10, 2006
The clients only have the topmost certificates, typically called the root certificates or CA certificates, installed on their systems. On the server side you need to store the server certificate and all intermediate certificates. Thus if the chain you get looks like GeoTrust Root -> GeoTrust Intermediate A -> GeoTrust Intermediate B -> myserver.com then on the server side you need to make sure GeoTrust Intermediate A -> GeoTrust Intermediate B -> myserver.com is installed.
That way, when the client goes to connect to myserver.com the server sends the chain GeoTrust Intermediate A -> GeoTrust Intermediate B -> myserver.com. Now inside every certificate are both an Issuer and a Subject field. The client looks at the issuer field of the start of your chain which is GeoTrust Intermediate A; it says GeoTrust Root. The client then looks in its trusted cert store for the GeoTrust Root certificate and uses it to verify the authenticity of GeoTrust Intermediate A, and then proceeds in like fashion down the whole chain all the way to the myserver.com certificate.
You should never require the client to install anything.