
I am very new to the world of servers and networking, I hope the question is clear and not too trivial. I recently came across the following scenario:

  1. There was a Root cert A, which is going to expire a few months from now. There was another new Root cert B, which is intended to be the replacement for A. Both A & B are self-signed. The CA of A is trusted by old and new browsers / OS, while the CA of B is only trusted by modern browsers / OS.

  2. There was a cross certificate A->B (B signed by A) which is currently in use on our servers. However, as A is going to expire soon, we applied for another cross certificate C->B (B signed by C, whose CA is trusted by both old and new browsers / OS) as a replacement.

  3. Now, in the UAT environment, we updated the cert to C->B, and on the client side I tried some legacy browsers for testing; I verified that only the CA of A and the CA of C are trusted, while the CA of B is not. The PROD environment remains unchanged, i.e. still using the cert A->B.

  4. I accessed the UAT site with the browsers mentioned and verified that the certificate used was A->B, for the first access. Surprisingly, on subsequent accesses to both the UAT and PROD sites, the certificate used is C->B (checked on the client side).

My question is, is this normal behavior? Why does the client side "know" to use C->B since the first access to the UAT site? I also used openssl s_client to verify that the PROD server is still using A->B. How do browsers know which cert to use and "update" the cert accordingly?

Edited on 2022-Dec-13

  1. Our main purpose is to support both very old browsers / OS and modern browsers / OS, i.e. all browsers can access our site successfully even after cert A has expired.
  2. I think my main question, or doubt, is whether the following is true:
  • Old browsers, on the first access to the UAT site, show that the server is using cert A->B due to some caching mechanism.
  • After the 1st access to the UAT site, the server actually "pushes" the new cert C->B, which is configured on the server, to the client side. Now the browser, or even the OS level, acknowledges that the latest cert is C->B, not A->B anymore.
  • Although C->B is acknowledged, the cert A->B is still saved in the browser / OS. But the browser somehow knows to verify with the newer cert C->B. Meaning our purpose can be achieved.
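To make the chain-building part of this scenario concrete, here is an added example (not from the question or the answer) that builds a toy PKI with the same shape: two self-signed roots A and C, one intermediate key B that is cross-signed by both (A->B and C->B), and a leaf issued by B. It then checks, with openssl verify, which trust store can build a path from which cross-certificate; all names (Root A, Root C, Intermediate B, uat.example.test) and file names are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post). Builds roots A and C, an
# intermediate B cross-signed by both, and a leaf under B, then asks openssl
# to validate the leaf against different trust stores and presented chains.
set -e
WORK=$(mktemp -d); cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
Q='-nodes -newkey rsa:2048'

# Self-signed roots A and C (constructed names).
for R in A C; do
  openssl req -new $Q -keyout "$R.key" -out "$R.csr" -subj "/CN=Root $R" 2>/dev/null
  openssl x509 -req -in "$R.csr" -signkey "$R.key" -days 3650 -extfile ca.ext -out "$R.crt" 2>/dev/null
done

# One key pair for B, but two certificates for the same key: A->B and C->B.
openssl req -new $Q -keyout B.key -out B.csr -subj "/CN=Intermediate B" 2>/dev/null
openssl x509 -req -in B.csr -CA A.crt -CAkey A.key -CAcreateserial -days 1825 -extfile ca.ext -out AB.crt 2>/dev/null
openssl x509 -req -in B.csr -CA C.crt -CAkey C.key -CAcreateserial -days 1825 -extfile ca.ext -out CB.crt 2>/dev/null

# Leaf signed with B's key; its issuer name is "Intermediate B" whichever cross-cert is shown.
openssl req -new $Q -keyout leaf.key -out leaf.csr -subj "/CN=uat.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA AB.crt -CAkey B.key -CAcreateserial -days 365 -out leaf.crt 2>/dev/null
cat AB.crt CB.crt > both.pem   # server sends both cross-certs
cat A.crt C.crt  > roots.pem   # legacy client from the question: trusts A and C

# verify_path TRUSTED_ROOTS PRESENTED_CHAIN -> "ok" if a path from leaf to a trusted root exists.
verify_path() {
  if openssl verify -CAfile "$1" -untrusted "$2" leaf.crt >/dev/null 2>&1; then echo ok; else echo fail; fi
}

echo "trusts A only,  sees A->B      : $(verify_path A.crt AB.crt)"     # ok
echo "trusts A only,  sees C->B      : $(verify_path A.crt CB.crt)"     # fail: no path to a trusted root
echo "trusts C only,  sees C->B      : $(verify_path C.crt CB.crt)"     # ok
echo "trusts A and C, sees C->B      : $(verify_path roots.pem CB.crt)" # ok
echo "trusts A only,  sees both certs: $(verify_path A.crt both.pem)"   # ok: verifier picks the A->B path
```

The verifier only ever builds a path from the certificates it is given (plus whatever it has cached or can fetch) to a root it trusts, which is why the same server key can be validated through either cross-certificate, and why the cross-certificate actually presented, not the server's configuration, decides the outcome for a client that trusts only one root.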
  • If this is a Microsoft browser, it is actually a function of the operating system, not the browser. Commented Dec 11, 2022 at 10:31

1 Answer

Does this answer your question?

From the link, clearing the browser cache/SSL state might be what you need to do:

Web browsers cache SSL certificates to speed up the browsing experience. Normally, this is not a problem. However, when you are developing pages for your web site or installing a new certificate, the browser's SSL state can get in the way. For example, you might not see the padlock icon in the browser's address bar after you install a new SSL certificate.

    Please edit your answer to provide context for the link. External links unfortunately are not permanent. Relevant parts should be quoted, such that your post provides the answer, with the link as reference and further reading. serverfault.com/help/how-to-answer Commented Dec 11, 2022 at 2:10
  • It does help a bit but not exactly, thanks so much anyway. See if you may get a better understanding of my confusion after my latest editing Commented Dec 13, 2022 at 1:51
  • @shole based on your last update then it is working, right? Commented Dec 14, 2022 at 16:56
  • @A.Trevelyan My question is more about the "Why", or as my last update: Is the following true? Seems I don't have an direct answer yet Commented Dec 15, 2022 at 2:13
  • @shole the steps as you've described in your last update seem logical, especially based on the info I originally linked. I would've expected that the old cert shouldn't even be showing anymore after updating though, since the cert was updated on the server - but I don't know how this update was performed or if the server still has access to the old cert why it would still show at all, so I can't say too much there. What I would do as a check is to use a new device, or clear all temporary internet files from a test device (so it has nothing cached), access the site, and see which cert you get. Commented Dec 15, 2022 at 3:53
