Creating Certificate Bundles for Application Gateway

Certain clients still require the full certificate chain and will return certificate errors if they do not receive it. Some web servers, such as IIS, can build the chain themselves, while others do not serve the full chain in the Server Certificate message of the TLS handshake. Here is a step-by-step process for detecting whether this is the issue and remediating it by bundling the certificate with its chain. There are probably multiple ways to create the proper bundle.

Starting with the certificate issued by DigiCert, I installed it on my machine and exported the PFX. From OpenSSL and the DigiCert diagnostic tool we can see that only my leaf certificate is returned:

/mnt/c/users/xxx/downloads$ openssl s_client backend1.brooksjc.com:443
Certificate chain
0 s:CN = *.brooksjc.com
   i:C = US, O = DigiCert Inc, CN = GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1

DigiCert diagnostic tool : https://www.digicert.com/help/

Next I rebuilt my certificate chain following the steps outlined in the Stack Overflow post linked below, adding the GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1 intermediate and the DigiCert Global Root CA certificate. There may be other methods, but this one let me make sure I created the chain in the proper order by editing the raw text file.

1. Export the private key and all certificates from the PFX to PEM (prompts for the PFX password):
openssl pkcs12 -in starbrookjc_com.pfx -out starbrookjc_com.pem -nodes

2. Export only the client (leaf) certificate and its key to PEM (prompts for the PFX password):
openssl pkcs12 -in starbrookjc_com.pfx -out starbrookjc_com.pem -nodes -clcerts

3. Convert the PEM certificate to DER format if a .cer file is needed:
openssl x509 -in starbrookjc_com.pem -out starbrooksjc_com.cer -outform DER

4. Downloaded the Root CA and Intermediate certs from DigiCert, matching the serial numbers of the certificates shown when the browser builds the certificate chain:

 https://www.digicert.com/kb/digicert-root-certificates.htm

5. Appended the contents of the PEM files downloaded from DigiCert to the PEM file in order (leaf, intermediate, root), then re-exported the bundle as a PFX:
openssl pkcs12 -export -in starbrookjc_com.pem -out starbrookjc_com2.pfx -nodes

How to find the serial number of each certificate in the browser's certificate chain view, to search for in step 4:

https://stackoverflow.com/questions/6654543/how-to-create-pfx-with-my-chain-of-certificates

We can now see that the cert chain I created is sent by the server during the TLS handshake, visible both in the OpenSSL output and in a network trace.

/mnt/c/users/xxx/downloads/certificates$ openssl s_client backend2.brooksjc.com:443
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1
verify return:1
depth=0 CN = *.brooksjc.com
verify return:1

Certificate chain
0 s:CN = *.brooksjc.com
   i:C = US, O = DigiCert Inc, CN = GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1
1 s:C = US, O = DigiCert Inc, CN = GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
2 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA


Network trace details:

As an aside, I ran into a strange issue where I exported the cert from MMC with “Included all certificates in the path if possible” and the certificate order was incorrect. The order in the exported cert was Leaf -> Root CA -> Intermediate cert. Unsure of the exact cause.

/mnt/c/users/xxx/downloads/certificates$ openssl s_client backend2.brooksjc.com:443
CONNECTED(00000003)
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
verify return:1
depth=1 C = US, O = DigiCert Inc, CN = GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1
verify return:1
depth=0 CN = *.brooksjc.com
verify return:1

Certificate chain
0 s:CN = *.brooksjc.com
   i:C = US, O = DigiCert Inc, CN = GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1
1 s:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
2 s:C = US, O = DigiCert Inc, CN = GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA
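The following shell script is an added example, not part of the original post, that automates the two checks above: saving the chain a server actually sends (the detection step done with openssl s_client) and validating that a PEM bundle is ordered leaf, intermediate, root before it is re-exported to PFX, so a mis-ordered export like the MMC case above is caught. It assumes the openssl CLI is on the PATH; the hostname and file names are parameters, not values from the post.

```shell
#!/bin/sh
# Added example (not from the original post). Checks that a PEM bundle is in
# the order a TLS server must send it: leaf first, each certificate followed
# by its issuer. Requires the openssl CLI. Exit status 0 = ordered, 1 = problem.

# Save the chain a live server actually sends, so it can be fed to
# check_chain_order. The hostname argument is an assumed parameter.
fetch_served_chain() {
    openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null |
        sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

check_chain_order() {
    bundle="$1"
    tmpdir=$(mktemp -d) || return 2
    # Split the bundle into cert-1.pem, cert-2.pem, ... (keys and "Bag Attributes"
    # lines outside the CERTIFICATE markers are skipped) and count the certificates.
    count=$(awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$bundle")
    status=0
    if [ "$count" -lt 2 ]; then
        # The symptom from the first s_client output above: only the leaf is
        # present, so every client must already hold the intermediate.
        echo "$bundle: $count certificate(s) found, no intermediate included" >&2
        status=1
    fi
    i=1
    while [ "$i" -lt "$count" ]; do
        next=$((i + 1))
        # Certificate i must have been issued by certificate i+1.
        issuer=$(openssl x509 -in "$tmpdir/cert-$i.pem" -noout -issuer)
        subject=$(openssl x509 -in "$tmpdir/cert-$next.pem" -noout -subject)
        issuer=${issuer#issuer=}; subject=${subject#subject=}
        if [ "$issuer" != "$subject" ]; then
            echo "$bundle: certificate $i was issued by [$issuer] but certificate $next is [$subject]" >&2
            status=1
        fi
        i=$next
    done
    rm -rf "$tmpdir"
    return $status
}
```

Run `fetch_served_chain backend.example.test > served.pem; check_chain_order served.pem` to test what a server sends, or point check_chain_order at the PEM file built in step 5 before exporting it.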