Should I need to provide a root certificate when setting SSL cert on nginx
In Qualys SSL test always warn me that the root certificate is an extra download and can be safely removed.
However, from Comodo website, their guide on installing cert on nginx is
NGINX Needed for this task: * PEM encoded certificates (Root, Intermediate(s) and
Domain/Device) COMBINE (CONCATENATE) MULTIPLE CERTIFICATES INTO ONE FILE
You know, they are a CA and be the authentic answser. So, which one I should trust?
Updates: I also gather more advises from other CA as well
Suggest adding the root cert
- https://support.globalsign.com/customer/portal/articles/1290470-install-certificate---nginx
- https://support.comodo.com/index.php?/Knowledgebase/List/Index/37/certificate-installation
- https://www.namecheap.com/support/knowledgebase/article.aspx/9419/0/nginx
Suggest no need the root cert
- https://www.digicert.com/ssl-certificate-installation-nginx.htm
- https://www.geocerts.com/install/nginx
- https://www.ssllabs.com/ssltest/
So so confusing?
Solution 1:
Both, Qualys SSL test and Comodo are correct. Comodo is correct from the server-side code perspective. Nginx should trust certificates it uses.
On the other hand, Qualys SSL test is correct from network protocol perspective. During SSL negotiation, server must send its own SSL certificate and all intermediate CA certificates except root certificate. A reference from RFC 5246 §7.4.2:
certificate_list This is a sequence (chain) of certificates. The sender's certificate MUST come first in the list. Each following certificate MUST directly certify the one preceding it. Because certificate validation requires that root keys be distributed independently, the self-signed certificate that specifies the root certificate authority MAY be omitted from the chain, under the assumption that the remote end must already possess it in order to validate it in any case.
Solution 2:
The point of certificate chain validation is that you have locally trusted (root) certificates and from that you defer trust to certificates send by the peer. So the server should only send the leaf certificate and the intermediate certificates needed to built the trust chain from a local root certificate to the leaf certificate. Which means that you should not send the root certificate but if you don't it gets usually ignored.
And you should make sure that you add the certificates in the correct order, that is first the leaf certificate and then the chain certificates in the correct signing order. Some servers or clients might work around a wrong order but you should not count on it.