Arnon_Azmon
Explorer

"The server certificate chain is incomplete" SSL Labs VPN validation

Hi,

We use a wildcard certificate purchased from a well known CA for our SSL-VPN portal.

When browsing to our VPN site everything seems OK with the cert and the cert path.

When using SSL-Labs to check our VPN site it gives a score of B due to "The server certificate chain is incomplete".

In the certificate path it shows:

ssllabs.JPG

Does the "Extra Download" mean that that part of the chain isn't in the FW's trusted root?

How should I approach this?

Thank you

0 Kudos
Reply
5 Replies

You need to provide to SSL Labs the whole chain of certificates. The certificate file shall include one after another: Root CA cert + Intermediate certs (if any) + SSL VPN cert. Don't think the order is important...

0 Kudos
Reply
Arnon_Azmon
Explorer

If I understand you correctly, you mean that the certificate I uploaded to SmartDashboard and use for the VPN portal doesn't include the intermediate cert, which doesn't bother the FW nor the users' browsers, but it does bother the SSL Labs' test?

0 Kudos
Reply
PhoneBoy
Admin

What you upload to SmartDashboard should include the relevant certificate as well as all the intermediate certificates.
This is also necessary for some clients as well.

0 Kudos
Reply

(I am sorry for the late reply; I am not getting notifications from CheckMates lately for some reason.)

To your question... Yes, what PhoneBoy said, it is best to pack all the chain and upload it to SmartConsole.

0 Kudos
Reply
Arnon_Azmon
Explorer

OK, thank you both, I'll give it a try and update

0 Kudos
Reply
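
A way to reproduce the "chain is incomplete" finding from this thread offline, as an added example that is not part of any post: it builds a constructed root -> intermediate -> wildcard leaf hierarchy with `openssl` and checks whether a client that trusts only the root can validate what the server sends. The certificate names, the `*.vpn.example.test` host and the helper functions `make_lab_pki` and `served_chain_ok` are assumptions for illustration.

```bash
#!/bin/sh
# Constructed lab PKI (all names made up): root -> intermediate -> wildcard leaf.
set -eu

make_lab_pki() {  # $1 = existing output directory
  d="$1"
  printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:*.vpn.example.test\n' > "$d/leaf.ext"
  for n in root inter leaf; do
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
      -subj "/CN=Lab $n" -out "$d/$n.csr" 2>/dev/null
  done
  # Self-signed root, then root signs the intermediate, intermediate signs the leaf.
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 2 -days 2 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
    -set_serial 3 -days 2 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

# $1 = PEM of roots the client trusts, $2 = PEM the server sends (leaf first).
# The first certificate in $2 is the one verified; every certificate in $2 is
# offered as an untrusted helper, so nothing is fetched or taken from a cache.
served_chain_ok() {
  openssl verify -CAfile "$1" -untrusted "$2" "$2" >/dev/null 2>&1
}

lab=$(mktemp -d)
make_lab_pki "$lab"
cp "$lab/leaf.pem" "$lab/served_leaf_only.pem"                 # intermediate left out
cat "$lab/leaf.pem" "$lab/inter.pem" > "$lab/served_full.pem"  # leaf + intermediate
for f in served_leaf_only served_full; do
  if served_chain_ok "$lab/root.pem" "$lab/$f.pem"; then
    echo "$f: chain validates from what the server sent"
  else
    echo "$f: chain incomplete, issuer of the leaf was not sent"
  fi
done
```

A browser that has the intermediate cached, or that fetches it from the URL in the leaf certificate, can still build the path in the leaf-only case, which is why the portal can look fine in a browser while a strict check of the served chain fails.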