I have a RapidSSL certificate and the instructions ask me to include: RapidSSL SHA256 CA – G3, GeoTrust Global CA root and the Equifax Secure Certificate Authority root in my chain.
However, this creates all sorts of warnings in SSLLabs.com (SHA1withRSA – WEAK SIGNATURE) with the GeoTrust and Equifax root certs. I'm also seeing the warning "Intermediate certificate has a weak signature. Upgrade to SHA2 as soon as possible to avoid browser warnings".
Now if I remove the GeoTrust and Equifax certs from my chain (and just have my cert + RapidSSL SHA256 CA – G3), it fixes all those warnings and everything looks fine.
It also still displays the "GeoTrust Global CA" cert with the message in green "In trust store".
Am I going to have any SSL issues leaving out the GeoTrust and Equifax certs from my chain?
SSL Labs output (My cert + RapidSSL SHA256 CA – G3):
Additional Certificates (if supplied)
Certificates provided 2 (2279 bytes)
Chain issues None
#2
Subject RapidSSL SHA256 CA - G3
Fingerprint: 0e34141846e7423d37f20dc0ab06c9bbd843dc24
Valid until Fri, 20 May 2022 21:39:32 UTC (expires in 6 years and 9 months)
Key RSA 2048 bits (e 65537)
Issuer GeoTrust Global CA
Signature algorithm SHA256withRSA
Certification Paths
Path #1: Trusted
1 Sent by server www.example.com
Fingerprint: fbea1fc476bcee2eae7a1001e4a37bf560d0c013
RSA 2048 bits (e 65537) / SHA256withRSA
2 Sent by server RapidSSL SHA256 CA - G3
Fingerprint: 0e34141846e7423d37f20dc0ab06c9bbd843dc24
RSA 2048 bits (e 65537) / SHA256withRSA
3 In trust store GeoTrust Global CA Self-signed
Fingerprint: de28f4a4ffe5b92fa3c503d1a349a7f9962a8212
RSA 2048 bits (e 65537) / SHA1withRSA
Weak or insecure signature, but no impact on root certificate
Best Answer
This appears to be a case where CAs have done cross-signing.
There are two chains that end with your certificate:
Chain 1:
Chain 2:
(from your SSL Labs report output)
Really, "Chain 1" is the primary option and "Chain 2" was probably of interest when this GeoTrust CA cert was first introduced and not everyone had the GeoTrust cert (de28f4a4ffe5b92fa3c503d1a349a7f9962a8212) in their lists, while they probably did all have the Equifax one (d23209ad23d314232174e40d7f9d62139786633a). Both chains are technically still valid but the one starting at the Equifax root is showing its age. It has a 1024 bit root certificate (considered weak now) and the first intermediate cert is SHA1 signed (considered weak now).
I'd say, in this case there's probably little point serving intermediate certificates for "Chain 2".
If you want confirmation, wonder why they are still asking you to serve certificates for "Chain 2" or wonder what the compatibility concerns of not doing so may be, I would recommend that you ask your CA.
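An added example, not part of the original question or answer, for checking a candidate chain file locally before uploading it: it splits a PEM bundle, prints each certificate's signature hash and key size the way the SSL Labs report above does, flags SHA-1/MD5 signatures and keys under 2048 bits on non-root certificates, and checks that each certificate is issued by the one that follows it. It assumes the openssl CLI is installed and an RSA chain like the one in the question; the file path is whatever you pass in.

```shell
#!/bin/sh
# audit_chain FILE: print one line per certificate in a PEM bundle (leaf first)
# showing the signature hash, key size and whether the issuer matches the
# next certificate's subject. Returns 1 if the links are out of order or a
# non-root certificate uses SHA-1/MD5 or a key shorter than 2048 bits,
# mirroring the SSL Labs "weak signature" checks. Written for RSA chains
# (an ECDSA 256-bit key would be reported as weak). Requires the openssl CLI.
audit_chain() {
    chain="$1"
    dir=$(mktemp -d) || return 2
    # Split the bundle into dir/cert-1.pem, dir/cert-2.pem, ...
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        n { print > out }
        /-----END CERTIFICATE-----/ { close(out) }' "$chain"
    status=0
    prev_issuer=""
    i=1
    while [ -f "$dir/cert-$i.pem" ]; do
        c="$dir/cert-$i.pem"
        text=$(openssl x509 -in "$c" -noout -text)
        subj=$(openssl x509 -in "$c" -noout -subject | sed 's/^subject= *//')
        iss=$(openssl x509 -in "$c" -noout -issuer | sed 's/^issuer= *//')
        # First "Signature Algorithm:" line names the hash, e.g. sha256WithRSAEncryption
        sig=$(printf '%s\n' "$text" | awk '/Signature Algorithm:/ { print $3; exit }')
        bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
        note="ok"
        if [ "$subj" = "$iss" ]; then
            # A self-signed root is trusted by identity; its own signature is never verified
            note="self-signed root (signature hash irrelevant)"
        else
            case "$sig" in sha1*|md5*) note="WEAK signature"; status=1 ;; esac
            if [ "${bits:-0}" -lt 2048 ]; then note="WEAK key"; status=1; fi
        fi
        # Each certificate must be issued by the one that follows it in the file
        if [ -n "$prev_issuer" ] && [ "$prev_issuer" != "$subj" ]; then
            note="does not chain from previous certificate"; status=1
        fi
        printf '#%d %s | %s | %s bits | %s\n' "$i" "$subj" "$sig" "$bits" "$note"
        prev_issuer=$iss
        i=$((i + 1))
    done
    rm -rf "$dir"
    return $status
}
```

Run it as `audit_chain fullchain.pem` against the bundle with and without the GeoTrust and Equifax roots; the root-only warnings disappear while the leaf and RapidSSL intermediate still report SHA-256 and 2048 bits.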