Question
Why do I have a 'Self-signed certificate' finding for a certificate that was signed by a public CA?
Answer
There are two potential reasons for the finding:
- The certificate is picked up as 'self-signed' due to the root certificate being included in the certificate chain.
The root certificate is always considered a 'self-signed' certificate and they are not necessary to include in the chain since the operating systems should already have the public CA root certificate for verifying domains.
Using the third party site https://testtls.com/ we can see the chain of trust shows a self signed certificate in the chain by the following 'failed (self signed CA in chain)'.
The issue can also be described as certificate chain contains anchor.
While including the root certificate in the chain may not be a direct security issue, it can lead to confusion and slow the connection process. The best practice is to not include the root certificate in the chain.
|The finding can be removed by checking the box next to the findings and selecting 'Other resolutions -> I have a compensating control’. In the comment section, please note the root certificate from the public CA is included in the chain.
- There is a 'chain of trust' issue where intermediate certificates are unable to link back to the root certificate provided by a Root Certificate Authority (CA). The 'chain of trust' issue will also show using testtls.com.
To resolve, it will be necessary verify which certificates are missing in the chain and update the certificate (full chain bundle) to include all necessary intermediate certificates.