SSL certificate - browser certification path other than the certificate chain file

I recently purchased a free SSL certificate from Comodo. It comes with a CA package file which contains all intermediate certificates as well as the root certificate. When I run the command "openssl s_client -connect -showcerts" it shows the path to the certificate, which looks like this:

depth = 4 C = SE, O = AddTrust AB, OU = AddTrust External TTP Network, CN = AddTrust External CA Root confirm return: 1

depth = 3 C = US, ST = UT, L = Salt Lake City, O = USERTRUST Network, OU = , CN = UTN-USERFirst-Hardware confirm return: 1

depth = 2 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO Certification Center confirm return: 1

depth = 1 C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = EssentialSSL CA confirm return: 1

depth = 0 OU = Domain Control Verified, OU = Free SSL, CN = confirm return: 1

However, when I go to in any browser and view the certificate presented by the server, it shows the following certificate path (taken from the IE9 certificate window):

  • EssentialSSL CA

Note that there are fewer certificates in the chain (depth 2 versus 4 from the openssl command) and the root certificate is a COMODO certificate and not the AddTrust External CA Root certificate. Can someone explain why the browser shows a different path than the openssl command?

Please note, in both cases, the certificate chain presented by the server passes the validation (check the 0 result from openssl, no browser warnings).


source to share

1 answer

IE9 has comodo ca as a trusted authority in its chain of trust and therefore does not show comodo ca subscribers.

OpenSSL s_client -showcerts shows the entire certificate chain.



All Articles