Do I need to provide a root certificate when setting up an SSL cert on nginx?

The Qualys SSL test always warns me that the root certificate is an extra download and can be safely removed.

However, on the Comodo website, their guide on installing a cert on nginx says:

    NGINX Needed for this task:
      * PEM encoded certificates (Root, Intermediate(s) and Domain/Device)
      COMBINE (CONCATENATE) MULTIPLE CERTIFICATES INTO ONE FILE

You know, they are a CA and should be the authentic answer. So, which one should I trust?

Update: I also gathered more advice from other CAs as well.

Suggest adding the root cert

  • https://support.globalsign.com/customer/portal/articles/1290470-install-certificate---nginx
  • https://support.comodo.com/index.php?/Knowledgebase/List/Index/37/certificate-installation
  • https://www.namecheap.com/support/knowledgebase/article.aspx/9419/0/nginx

Suggest no need for the root cert

  • https://www.digicert.com/ssl-certificate-installation-nginx.htm
  • https://www.geocerts.com/install/nginx
  • https://www.ssllabs.com/ssltest/

So so confusing?


Solution 1:

Both Qualys SSL test and Comodo are correct. Comodo is correct from the server-side code perspective: nginx should trust the certificates it uses.

On the other hand, Qualys SSL test is correct from the network protocol perspective. During SSL negotiation, the server must send its own SSL certificate and all intermediate CA certificates, except the root certificate. A reference from RFC 5246 §7.4.2:

    certificate_list
      This is a sequence (chain) of certificates. The sender's certificate MUST come first in the list. Each following certificate MUST directly certify the one preceding it. Because certificate validation requires that root keys be distributed independently, the self-signed certificate that specifies the root certificate authority MAY be omitted from the chain, under the assumption that the remote end must already possess it in order to validate it in any case.

Solution 2:

The point of certificate chain validation is that you have locally trusted (root) certificates and from those you extend trust to certificates sent by the peer. So the server should only send the leaf certificate and the intermediate certificates needed to build the trust chain from a local root certificate to the leaf certificate. Which means that you should not send the root certificate, but if you do send it, it usually gets ignored.

And you should make sure that you add the certificates in the correct order, that is, first the leaf certificate and then the chain certificates in signing order. Some servers or clients might work around a wrong order, but you should not count on it.
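As an added example illustrating both answers above (this is not code from the question or from either answer): a POSIX shell script that builds a constructed three-level chain (a root CA, an intermediate CA and a leaf) with the openssl CLI, then checks a concatenated PEM bundle the way nginx's ssl_certificate needs it: leaf first, every following certificate directly issuing the one before it, and a separate check for whether the self-signed root was appended (the "extra download" Qualys flags). The CA names, file names and the nginx paths in the comments are assumptions made for the demo.

```shell
#!/bin/sh
# Added example, not from the question or either answer. Requires the openssl CLI.
# Builds a constructed demo chain (Example Root CA -> Example Intermediate CA -> leaf)
# and checks PEM bundles the way nginx's ssl_certificate expects them.
set -eu

# Split a PEM bundle into $2/cert.0, $2/cert.1, ... and print how many were found.
split_pem_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/cert.%d", dir, n); n++ }
        f != "" { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
        END { print n + 0 }
    ' "$1"
}

# Subject or issuer of one PEM certificate in RFC 2253 form ($1 = subject|issuer).
name_of() {
    openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed "s/^$1=//"
}

# Succeeds when the bundle is in the order nginx needs for ssl_certificate:
# the leaf first, and every following certificate directly issuing the one before it
# (RFC 5246 section 7.4.2). Reports the first mismatch on stderr.
check_chain_order() {
    tmp=$(mktemp -d)
    count=$(split_pem_bundle "$1" "$tmp")
    i=0
    status=0
    while [ $((i + 1)) -lt "$count" ]; do
        issuer=$(name_of issuer "$tmp/cert.$i")
        subject=$(name_of subject "$tmp/cert.$((i + 1))")
        if [ "$issuer" != "$subject" ]; then
            echo "cert $i is issued by '$issuer' but cert $((i + 1)) is '$subject'" >&2
            status=1
            break
        fi
        i=$((i + 1))
    done
    rm -rf "$tmp"
    return $status
}

# Succeeds when the last certificate in the bundle is self-signed, i.e. the root
# was appended. Clients already hold the root, so it only adds bytes to every handshake.
bundle_includes_root() {
    tmp=$(mktemp -d)
    count=$(split_pem_bundle "$1" "$tmp")
    last="$tmp/cert.$((count - 1))"
    s=$(name_of subject "$last")
    i=$(name_of issuer "$last")
    rm -rf "$tmp"
    [ "$s" = "$i" ]
}

# Generate a constructed root, intermediate and leaf in $1 plus three bundles:
# fullchain.pem (leaf+intermediate, what nginx should serve), with_root.pem
# (root appended, what Qualys flags) and wrong_order.pem (intermediate before leaf).
make_demo_chain() {
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Root CA" \
        -keyout "$d/root.key" -out "$d/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -out "$d/leaf.crt" 2>/dev/null
    cat "$d/leaf.crt" "$d/int.crt" > "$d/fullchain.pem"
    cat "$d/leaf.crt" "$d/int.crt" "$d/root.crt" > "$d/with_root.pem"
    cat "$d/int.crt" "$d/leaf.crt" > "$d/wrong_order.pem"
}

# Demo run. nginx would then point at the bundle (paths are assumptions):
#   ssl_certificate     /etc/nginx/ssl/fullchain.pem;  # leaf first, then intermediate(s)
#   ssl_certificate_key /etc/nginx/ssl/leaf.key;
# and what the server really sends can be inspected with:
#   openssl s_client -connect www.example.com:443 -servername www.example.com -showcerts </dev/null
demo=$(mktemp -d)
make_demo_chain "$demo"
for b in fullchain.pem with_root.pem wrong_order.pem; do
    if check_chain_order "$demo/$b"; then order=ok; else order=WRONG; fi
    if bundle_includes_root "$demo/$b"; then root=appended; else root=omitted; fi
    echo "$b: order=$order root=$root"
done
rm -rf "$demo"
```

The order check is deliberately only subject/issuer matching, which is what a wrongly concatenated bundle breaks; it does not replace `openssl verify`, which additionally checks signatures, validity dates and CA constraints. Running the script against a real bundle before reloading nginx catches the two things the answers warn about: intermediates pasted in the wrong order, and a root appended that no client needs.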