Two common causes of certificate validation failures are a CA chain that has been corrupted and an intermediate certificate that has been dropped from that chain. In both cases the server presenting the SSL certificate does not send the full chain required for the certificate to be validated.

Consequently, browsers do not trust SSL connections to this server and show a warning whenever an SSL connection is requested.

Identifying the problem

  1. Navigate to the GeoCerts testing tool.
  2. Enter your (CDN) domain in the provided field, leave the port at 443 and hit “Check SSL”:

  3. If the chain is broken, the resulting chain should look like:

Resolution

  1. Find the offending chain entry, click “Download” to get the missing piece, and add it to the CA chain you already have installed:

  2. Navigate to the Edge SSL settings for your zone and place the downloaded certificate in the appropriate position. In this example, the missing part belongs between the third and fourth certificate:

    -----BEGIN CERTIFICATE-----
    ***************************
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ***************************
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    ***************************
    -----END CERTIFICATE-----

    This is where the missing part should be placed

    -----BEGIN CERTIFICATE-----
    ***************************
    -----END CERTIFICATE-----
  3. The resulting corrected chain looks like the following:
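The identification and resolution steps above can be reproduced locally with the openssl command-line tool. The script below is an added example, not code from the original article or from any CDN vendor: it builds a throwaway root, intermediate and leaf, serves the leaf without its intermediate (the broken chain the checker reports), then adds the intermediate back and shows that verification succeeds. It assumes openssl is installed; every name and path in it (Example Test Root CA, www.example.test, the $dir files) is made up for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original article: reproduce a "missing
# intermediate" chain with a throwaway test PKI and show how openssl verify
# distinguishes the broken chain from the corrected one.
# Assumes the openssl command-line tool is installed. Every name and path
# below (Example Test Root CA, www.example.test, $dir/...) is made up.
set -eu

# make_test_pki DIR: build root -> intermediate -> leaf in DIR.
make_test_pki() {
    dir="$1"
    mkdir -p "$dir"
    # Root and intermediate must carry CA:TRUE and keyCertSign, otherwise
    # openssl verify refuses to accept them as issuers.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' \
        > "$dir/leaf.ext"

    # Self-signed root.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/root.key" \
        -out "$dir/root.csr" -subj '/CN=Example Test Root CA' 2>/dev/null
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -days 30 \
        -sha256 -extfile "$dir/ca.ext" -out "$dir/root.pem" 2>/dev/null

    # Intermediate, signed by the root.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/int.key" \
        -out "$dir/int.csr" -subj '/CN=Example Test Intermediate CA' 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 30 -sha256 -extfile "$dir/ca.ext" \
        -out "$dir/intermediate.pem" 2>/dev/null

    # Leaf (the CDN edge certificate), signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -keyout "$dir/leaf.key" \
        -out "$dir/leaf.csr" -subj '/CN=www.example.test' 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/intermediate.pem" \
        -CAkey "$dir/int.key" -CAcreateserial -days 30 -sha256 \
        -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" 2>/dev/null
}

# count_certs BUNDLE: number of PEM certificates in a bundle file.
count_certs() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1"
}

# chain_links BUNDLE: print subject/issuer of each certificate in bundle
# order, the same view the online checker gives. A gap shows up as an
# issuer that matches no subject further down the list.
chain_links() {
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# chain_status ROOT SERVED LEAF: "complete" if LEAF chains up to ROOT using
# only the certificates the server sends (SERVED), otherwise "broken".
chain_status() {
    if openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; then
        echo complete
    else
        echo broken
    fi
}

main() {
    work=$(mktemp -d)
    make_test_pki "$work"
    # Misconfigured edge: only the leaf is served, the intermediate is missing.
    cp "$work/leaf.pem" "$work/served_broken.pem"
    # Corrected bundle: the downloaded intermediate is placed after the leaf.
    cat "$work/leaf.pem" "$work/intermediate.pem" > "$work/served_fixed.pem"

    echo "Broken bundle ($(count_certs "$work/served_broken.pem") cert):"
    chain_links "$work/served_broken.pem"
    echo "verify: $(chain_status "$work/root.pem" "$work/served_broken.pem" "$work/leaf.pem")"
    echo
    echo "Fixed bundle ($(count_certs "$work/served_fixed.pem") certs):"
    chain_links "$work/served_fixed.pem"
    echo "verify: $(chain_status "$work/root.pem" "$work/served_fixed.pem" "$work/leaf.pem")"
    rm -rf "$work"
}

main
```

Against a real edge, the same check works on the chain the server actually sends: capture it with `openssl s_client -showcerts -connect host:443 -servername host`, save the PEM blocks into a bundle, and pass that bundle as the SERVED argument to chain_status with your system CA file as ROOT. Ordering matters in the bundle you upload: each certificate's issuer must be the subject of the certificate that follows it, which is why the missing intermediate goes between the leaf side and the root side rather than at the end.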