This server certificate is not signed by the CA keys - there is a chain of trust from the CA certificate, to the intermediate certificate that is used to sign the server certificate.


In this test, the server certificate is not signed by the CA you downloaded and installed earlier. Instead, the CA signs another CA certificate, an intermediate certificate, which is used to sign the server certificate. This means that when you connect, the server sends not only its own certificate but also the intermediate certificate.

This is quite common for commercial CA certificates. The CA certificate has a long validity period, while the intermediate can change more often and has a short expiry time.

A certificate chain of trust

In this case, the client needs to build the certificate chain from the CA certificate it already trusts, through the intermediate signing certificate, to the server certificate, and trust the whole chain. Your client should be able to successfully verify this chain and connect to this server.
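The chain described above can be reproduced offline with the `openssl` command line. This is an added example, not part of the original test page: it builds a root CA, an intermediate and a server certificate (all names and file names are constructed), then verifies the server certificate with and without the intermediate available.

```bash
# Added example: build root -> intermediate -> server and verify the chain.
# All names and file paths here are constructed for the demonstration.
build_chain() (
  set -e; cd "$1"
  # Minimal config so the result does not depend on the system openssl.cnf.
  printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' 'CN=unused' \
    '[ca]' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' > o.cnf
  # Root CA: self-signed, long validity, the only cert the client installs.
  openssl req -x509 -config o.cnf -extensions ca -newkey rsa:2048 -nodes \
    -days 3650 -subj '/CN=Example Root CA' -keyout root.key -out root.pem
  # Intermediate CA: signed by the root, shorter validity.
  openssl req -config o.cnf -newkey rsa:2048 -nodes \
    -subj '/CN=Example Intermediate CA' -keyout int.key -out int.csr
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 365 -extfile o.cnf -extensions ca -out int.pem
  # Server certificate: signed by the intermediate, not by the root.
  openssl req -config o.cnf -newkey rsa:2048 -nodes \
    -subj '/CN=server.example.test' -keyout srv.key -out srv.csr
  openssl x509 -req -in srv.csr -CA int.pem -CAkey int.key -CAcreateserial \
    -days 30 -out srv.pem
) 2>/dev/null

# Client trusts the root and received the intermediate from the server
# (-untrusted: usable for path building, but not a trust anchor).
verify_with_intermediate() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" \
    "$1/srv.pem" >/dev/null 2>&1
}

# Client trusts the root but never sees the intermediate: no path can be
# built from the server certificate to the trusted root.
verify_root_only() {
  openssl verify -CAfile "$1/root.pem" "$1/srv.pem" >/dev/null 2>&1
}

d=$(mktemp -d) && build_chain "$d"
verify_with_intermediate "$d" && echo "root + intermediate: chain verifies"
verify_root_only "$d" || echo "root only: issuer of server cert not found"
```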
