[英]Why does SSLLabs say my certificate is fine when my CA's cert is expired?
I did a scan of my domain using ssllabs.com, and this is what it says:我使用 ssllabs.com 扫描了我的域,这是它所说的:
From what I can tell, one of my CAs is USERTrust RSA Certification Authority, and their certificate is expired, which SSLLabs flagged red, but it still says that there are no chain issues, and no browsers complain about talking to my domain.据我所知,我的一个 CA 是 USERTrust RSA 证书颁发机构,他们的证书已过期,SSLLabs 将其标记为红色,但它仍然表示没有链问题,并且没有浏览器抱怨与我的域交谈。
I did the check after curl was complaining about an expired cert when talking to my domain, which may or may not be related.在 curl 与我的域交谈时抱怨证书过期后,我进行了检查,这可能相关,也可能不相关。
What's going on here?这里发生了什么? How can an expired CA certificate not be a problem?
过期的 CA 证书怎么能不成问题?
The expired certificate is actually not used for validation.过期的证书实际上不用于验证。 It is unnecessarily send by your server, ie you could remove it from the certificate chain you send since modern system have a trusted CA builtin which effectively replaces this expired intermediate CA.
它是由您的服务器不必要地发送的,即您可以将它从您发送的证书链中删除,因为现代系统有一个受信任的 CA 内置,可以有效地替换这个过期的中间 CA。 For more details see for example USERTrust Intermediate Expiration in 2020 .
有关更多详细信息,请参见USERTrust Intermediate Expiration in 2020 。 To cite:
引用:
This is an old intermediate certificate and modern operating systems have a new version available and won't be affected.
这是一个旧的中间证书,现代操作系统有一个可用的新版本,不会受到影响。 ... Based on what we know, equipment released or receiving security updates after June 2010 will most likely not be affected.
... 根据我们所知,2010 年 6 月之后发布或接收安全更新的设备很可能不会受到影响。 ...
...
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.