https://community.checkpoint.com/t5/General-Topics/quot-The-server-certificate-chain-is-incomplete-quot-SSL-Labs/m-p/92199#M18361 <P>What you upload to SmartDashboard should include the relevant certificate as well as all the intermediate certificates.<BR />This is also necessary for some clients as well.</P> Wed, 22 Jul 2020 22:15:05 GMT PhoneBoy 2020-07-22T22:15:05Z https://community.checkpoint.com/t5/General-Topics/quot-The-server-certificate-chain-is-incomplete-quot-SSL-Labs/m-p/92151#M18346 <P>Hi,</P><P>We use a wildcard certificate purchased from a well known CA for our SSL-VPN portal.</P><P>When browsing to our VPN site everything's seems OK with the cert and the cert path.</P><P>When using SSL-Labs to check our VPN site it gives a score B due to "The server certificate chain is incomplete".</P><P>In the certificate path it shows:</P><P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="ssllabs.JPG" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/7345i0BD928978A05F79E/image-size/large?v=v2&amp;px=999" role="button" title="ssllabs.JPG" alt="ssllabs.JPG" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>Does the "Extra Download" means that that part of the chain isn't in the FW's trusted root?</P><P>How should I approach this?</P><P>&nbsp;</P><P>Thank you</P> Wed, 22 Jul 2020 10:54:04 GMT https://community.checkpoint.com/t5/General-Topics/quot-The-server-certificate-chain-is-incomplete-quot-SSL-Labs/m-p/92151#M18346 Arnon_Azmon 2020-07-22T10:54:04Z https://community.checkpoint.com/t5/General-Topics/quot-The-server-certificate-chain-is-incomplete-quot-SSL-Labs/m-p/92159#M18350 <P>You need to provide to SSL Labs the whole chain of certificates. The certificate file shall include one after another: Root CA cert + Intermediate certs (if any) +&nbsp; SSL VPN cert. Don't think the order is important...</P> Wed, 22 Jul 2020 13:17:31 GMT https://community.checkpoint.com/t5/General-Topics/quot-The-server-certificate-chain-is-incomplete-quot-SSL-Labs/m-p/92159#M18350 HristoGrigorov 2020-07-22T13:17:31Z https://community.checkpoint.com/t5/General-Topics/quot-The-server-certificate-chain-is-incomplete-quot-SSL-Labs/m-p/92161#M18351 <P>If I understand you correctly, you mean that the certificate I uploaded to SmartDashboard and use for the VPN portal doesn't include the intermediate cert, which doesn't bother the FW nor the users' browsers, but it does bother the SSL Labs' test?</P><P>&nbsp;</P> Wed, 22 Jul 2020 13:58:16 GMT https://community.checkpoint.com/t5/General-Topics/quot-The-server-certificate-chain-is-incomplete-quot-SSL-Labs/m-p/92161#M18351 Arnon_Azmon 2020-07-22T13:58:16Z https://community.checkpoint.com/t5/General-Topics/quot-The-server-certificate-chain-is-incomplete-quot-SSL-Labs/m-p/92199#M18361 <P>What you upload to SmartDashboard should include the relevant certificate as well as all the intermediate certificates.<BR />This is also necessary for some clients as well.</P> Wed, 22 Jul 2020 22:15:05 GMT https://community.checkpoint.com/t5/General-Topics/quot-The-server-certificate-chain-is-incomplete-quot-SSL-Labs/m-p/92199#M18361 PhoneBoy 2020-07-22T22:15:05Z https://community.checkpoint.com/t5/General-Topics/quot-The-server-certificate-chain-is-incomplete-quot-SSL-Labs/m-p/92206#M18363 <P>( I am sorry for the late reply I am not getting notifications from CheckMates lately for some reason. )</P> <P>To your question... Yes, what PhoneBoy said, it is best to pack all the chain and upload it to SmartConsole.</P> Thu, 23 Jul 2020 03:32:53 GMT https://community.checkpoint.com/t5/General-Topics/quot-The-server-certificate-chain-is-incomplete-quot-SSL-Labs/m-p/92206#M18363 HristoGrigorov 2020-07-23T03:32:53Z https://community.checkpoint.com/t5/General-Topics/quot-The-server-certificate-chain-is-incomplete-quot-SSL-Labs/m-p/92211#M18365 <P>OK, thank you both, I'll give it a try and update</P> Thu, 23 Jul 2020 05:16:24 GMT https://community.checkpoint.com/t5/General-Topics/quot-The-server-certificate-chain-is-incomplete-quot-SSL-Labs/m-p/92211#M18365 Arnon_Azmon 2020-07-23T05:16:24Z