Certificate Chain Incomplete says Qualys SSL Labs scan of my ADFS WAP RRS feed

Question

  • Hello

    I tried to find out if anyone else in this Forum had run into this in the past but couldn't find any previous post about this in relation to ADFS so here goes:

    I just performed a Qualys SSL Labs scan on my ADFS WAPs (https://www.ssllabs.com/ssltest/index.html).

    Qualys tells me that the certificate chain is incomplete, which degrades the grade for my ADFS WAPs to grade B.

    The certificate I use is issued by Symantec and chains to another Symantec Intermediate CA certificate (Symantec Class 3 Secure Server SHA256 SSL CA) which in turn chains to the Symantec Root CA certificate (VeriSign Universal Root Certification Authority).

    I have these certificates installed on all ADFS WAPs in the "Computer Account" Certificate Store.

    Symantec Class 3 Secure Server SHA256 SSL CA is in the Intermediate Certification Authorities/Certificates folder and VeriSign Universal Root Certification Authority is in the Trusted Root Certification Authorities/Certificates folder.

    ADFS WAPs are fine and show no problems/errors with regard to the chain.

    Am I missing something? Why is Qualys complaining about the chain being incomplete?

    It displays all three certificates:

    1. Symantec ADFS WAP Certificate for HTTPS/SSL/TLS - "Sent by Server"

    2. Symantec Intermediate CA Certificate - "Extra download"

    3. Symantec Root CA certificate - "In Trust Store"

    Thursday, September 21, 2017 10:52 AM

Answers

  • OK, note to self: Make sure it REALLY is the correct Symantec that's in the Intermediate Certificate store!
    Turned out I had the one called "Symantec Class 3 Extended Validation SHA256 SSL CA" but not the one called "Symantec Class 3 Secure Server SHA256 SSL CA", which is the one that is linked to the certificate I'm using for HTTPS.
    Also a reboot after adding the certificate was required.
    Now Qualys says that the Certificate Chain is OK.

    Friday, September 22, 2017 12:20 PM
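A local check for exactly the mistake the accepted answer describes, added here as an example and not part of the thread: on the WAP, confirm that the certificate in the Intermediate Certification Authorities store is the HTTPS leaf's real issuer, matched on key identifier rather than on a look-alike name. The `Get-KeyIdHex` helper and the `$LeafThumbprint` placeholder are assumptions of this example; the WAP serves only what is in that store, so a chain that Windows can build by fetching the issuer itself still leaves the intermediate showing as "Extra download" in Qualys.

```powershell
# Added example, not from the thread. Run in an elevated PowerShell on the WAP.
# Assumed input: thumbprint of the certificate bound to the WAP HTTPS listener.
param([string]$LeafThumbprint = 'REPLACE_WITH_WAP_HTTPS_CERT_THUMBPRINT')

# Pull the hex key identifier out of a formatted SKI/AKI extension.
# Windows renders them as "5f 60 cf ..." (SKI) and "KeyID=5f 60 cf ..." (AKI).
function Get-KeyIdHex($Extension) {
    if (-not $Extension) { return $null }
    if ($Extension.Format($false) -match '(?:KeyID=)?([0-9a-fA-F]{2}(?: ?[0-9a-fA-F]{2})+)') {
        return ($Matches[1] -replace ' ', '').ToUpperInvariant()
    }
    return $null
}

$leaf = Get-Item "Cert:\LocalMachine\My\$LeafThumbprint"
# Authority Key Identifier (OID 2.5.29.35) names the issuer's key, not just its display name.
$aki = Get-KeyIdHex ($leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.35' })
if (-not $aki) { throw "Leaf $LeafThumbprint has no Authority Key Identifier; cannot match the issuer by key." }

# The WAP only sends what it finds in Cert:\LocalMachine\CA, so the test is membership in
# that store. Windows can still build a valid chain by downloading the issuer via AIA,
# which is why the WAP itself reported no chain error while the external scan did.
$intermediates = Get-ChildItem Cert:\LocalMachine\CA

$issuer = $intermediates | Where-Object {
    $_.Subject -eq $leaf.Issuer -and
    (Get-KeyIdHex ($_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' })) -eq $aki  # SKI
}

if ($issuer) {
    "OK: issuer present in Cert:\LocalMachine\CA: $($issuer.Subject) [$($issuer.Thumbprint)]"
} else {
    "MISSING: no intermediate with Subject '$($leaf.Issuer)' and SKI $aki in Cert:\LocalMachine\CA"
    # List look-alikes from the same organisation; a similarly named CA is how the wrong one slipped in.
    if ($leaf.Issuer -match 'O=([^,]+)') {
        $org = $Matches[1]
        $intermediates | Where-Object { $_.Subject -like "*O=$org*" } |
            Format-Table Subject, Thumbprint, NotAfter -AutoSize
    }
}
```

After importing the correct intermediate, the answer above notes that a reboot was needed before the WAP served the complete chain, so re-run the external scan only after that.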

All replies

  • I usually compare test results from Qualys SSL Labs with the alternative High-Tech Bridge SSL/TLS test. Mostly they are the same, but the latter has better in-depth testing. I also couldn't make either test stop complaining about my certificate chain. But Qualys was the first to surrender=). GL.
    Tuesday, February 27, 2018 7:21 AM