I am setting up SSL on my Kestrel Linux server using .NET Core 2.1.1.
The SSL certificate is signed by an intermediate CA.
The PFX contains the intermediate and root CA cert.
I load the pfx file as a X509Certificate2 object and use this for the server certificate.
It seems to be that the way I have set this up, the intermediate CA is not sent as part of the handshake and only the leaf is sent (this is very naughty).
return WebHost.CreateDefaultBuilder(args)
.UseStartup<Startup>()
.UseKestrel(options =>
{
options.Listen(IPAddress.Any,443, listenOptions =>
{
listenOptions.UseHttps("ssl.pfx", "password123");
});
}
)
.Build();
So I execute this command and it shows only the leaf but not the intermediate:
openssl s_client -showcerts -connect myserver:443
I expect it to include the intermediate ca and leaf as one would expect like this:
openssl s_client -showcerts -connect google.com:443
I have encountered this very recently and found that the server (debian in this case) hosting the web service required explicit trust in the intermediate cert in addition to the root cert. Without this, it would only send the subject cert, but when I added the intermediate directly to the trust, it started working correctly.