SSL certificate - browser certification path other than the certificate chain file
I recently purchased a free SSL certificate from Comodo. It comes with a CA package file which contains all intermediate certificates as well as the root certificate. When I run the command "openssl s_client -connect www.mydomain.com:443 -showcerts" it shows the path to the certificate, which looks like this:
depth = 4 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root confirm return: 1
depth = 3 C = US, ST = UT, L = Salt Lake City, O = USERTRUST Network, OU = http://www.usertrust.com , CN = UTN-USERFirst-Hardware confirm return: 1
depth = 2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO Certification Center confirm return: 1
depth = 1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = EssentialSSL CA confirm return: 1
depth = 0 OU = Domain Control Verified, OU = Free SSL, CN = www.mydomain.com confirm return: 1
However, when I go to www.mydomain.com in any browser and view the certificate presented by the server, it shows the following certificate path (taken from the IE9 certificate window):
- EssentialSSL CA
Note that there are fewer certificates in the chain (depth 2 versus 4 from the openssl command) and the root certificate is a COMODO certificate and not the AddTrust External CA Root certificate. Can someone explain why the browser shows a different path than the openssl command?
Please note, in both cases, the certificate chain presented by the server passes the validation (check the 0 result from openssl, no browser warnings).
source to share