Chaining engine. How?
Yesterday I found one interesting SSL web site which made me stupid. Here is a link: https://trust.beeline.ru/ - don't worry if IE indicates this site as untrusted. Just follow the link and investigate the certificates. As I know, the chaining engine relies on the certificate AIA extension to build the certificate chain up to the root CA. If the AIA extension is not present, or is not downloadable, then the chaining engine investigates CA and SubCA certificates in the local store using Subject/Key/Exact match. However, on this site the AIA extension is not downloadable and my local store doesn't contain any certificates from this site's certificate chain, yet my system can build the certificate chain (you can see it in Certification Path). My question is: how does the chaining engine create this path if the AIA extension is invalid? My only thought is that the particular SSL certificate contains this chain. However, I don't know how this is realized. Thanks for any good thought :) [http://www.sysadmins.lv]
As always enjoy the automation of tools
within the Windows-based, .NET aware,
WPF accessible, multi-processes on the same IP / Port usage, admin's automation tool, powershell.exe! Flowering Weeds
August 19th, 2009 9:25am
Vadims, my system was not able to build the path. This typically means that at some previous time you downloaded a different chain that included the missing certificate(s) and they were available in your cache. The chain that I see is: Vimpelcom Enterprise CA > trust.beeline.ru. I can see on inspection that I do not see the Root Vimpelcom CA, nor was there an AIA path (as you stated) to download the certificate. Maybe during your research you downloaded the certificate from the missing AIA URL, or used certutil -addstore to load the certificate? Brian
August 19th, 2009 3:33pm
Hi, Brian! First I want to thank you for the excellent book "Windows Server 2008 PKI and Certificate Security"! This is one of the best books about Windows PKI! Yes, I see the same path: Vimpelcom Enterprise CA > trust.beeline.ru, but when we configure SSL, we add only the particular SSL certificate. This is trust.beeline.ru. But this certificate's AIA is broken and my question is: where did the chaining engine find the issuer certificate (Vimpelcom Enterprise CA)? Since AIA is broken, I shouldn't see the issuer certificate in the certification path. Or do I misunderstand something? I haven't added any certificate from this site. [http://www.sysadmins.lv]
August 19th, 2009 3:53pm
A partial chain may have been loaded. The best practice is to load the entire chain from a PKCS#7 file at the Web server so that the entire chain is returned to the client during the validation of the Web site. Brian
August 20th, 2009 12:02am
OK. Can you explain how to place a partial chain from a PKCS#7 file at the web server? I haven't seen any docs about how to do it. Thanks! [http://www.sysadmins.lv]
August 20th, 2009 9:54am
Hi Vadims,
Glad to see you again.
As Brian stated, the web server provides the SSL certificate for the session and sends the certificate chain to the client in the handshake phase. You will find that if you capture the network packets.
For more information, you can refer to page 38 of RFC 2246 (http://www.ietf.org/rfc/rfc2246.txt):
certificate_list
This is a sequence (chain) of X.509v3 certificates. The sender's
certificate must come first in the list. Each following
certificate must directly certify the one preceding it. Because
certificate validation requires that root keys be distributed
independently, the self-signed certificate which specifies the
root certificate authority may optionally be omitted from the
chain, under the assumption that the remote end must already
possess it in order to validate it in any case.
If there is anything unclear, please feel free to let me know.
Joson Zhou
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights.
August 20th, 2009 12:35pm
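To make the RFC 2246 structure quoted above concrete, here is an added example (not from the thread or from Microsoft) that encodes and strictly parses a TLS Certificate handshake message. The certificate bytes are constructed placeholders standing in for DER, ordered as the RFC requires: the server's own certificate first, then its issuing CA, with the root omitted because the client is expected to hold it locally.

```python
from typing import List

CERTIFICATE = 11  # HandshakeType.certificate, RFC 2246 section 7.4


def _u24(n: int) -> bytes:
    """Encode a TLS uint24 length (3 bytes, big-endian)."""
    if not 0 <= n < 1 << 24:
        raise ValueError("length does not fit in uint24")
    return n.to_bytes(3, "big")


def encode_certificate_message(chain: List[bytes]) -> bytes:
    """Build a Certificate handshake message: msg_type, uint24 body length,
    then certificate_list as a uint24 length followed by uint24-prefixed certs.
    chain[0] must be the sender's own certificate; the root may be omitted."""
    certs = b"".join(_u24(len(c)) + c for c in chain)
    body = _u24(len(certs)) + certs
    return bytes([CERTIFICATE]) + _u24(len(body)) + body


def parse_certificate_message(msg: bytes) -> List[bytes]:
    """Parse a Certificate handshake message into its certificate blobs, in
    wire order. Every declared length is checked against the bytes actually
    present, so a truncated or padded message is rejected rather than
    yielding a partial chain."""
    if len(msg) < 4 or msg[0] != CERTIFICATE:
        raise ValueError("not a Certificate handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    if body_len != len(msg) - 4:
        raise ValueError("handshake length mismatch")
    if body_len < 3:
        raise ValueError("missing certificate_list length")
    list_len = int.from_bytes(msg[4:7], "big")
    if list_len != body_len - 3:
        raise ValueError("certificate_list length mismatch")
    certs, pos, end = [], 7, 7 + list_len
    while pos < end:
        if end - pos < 3:
            raise ValueError("truncated certificate length")
        n = int.from_bytes(msg[pos:pos + 3], "big")
        pos += 3
        if n == 0 or pos + n > end:
            raise ValueError("certificate length out of bounds")
        certs.append(msg[pos:pos + n])
        pos += n
    return certs


# Constructed stand-ins for DER certificates (not real X.509 data).
LEAF = b"DER:trust.beeline.ru"            # the server's own certificate
ISSUER = b"DER:Vimpelcom Enterprise CA"   # its issuing CA; root omitted


def server_chain_message() -> bytes:
    """The Certificate message a server would send for this two-element chain."""
    return encode_certificate_message([LEAF, ISSUER])
```

The parser's output is the list a client would feed to its chain builder, which is why the intermediate appears in the Certification Path even when AIA is unreachable and the local store holds only the root.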
OK, this is clear for me. So, when I request a certificate from the CA for my web server, this certificate contains a partial certificate chain? Am I correct? [http://www.sysadmins.lv]
August 20th, 2009 1:03pm
Or in other words, when you completed the installation of the Web Server certificate, you installed a PKCS#7 file (.p7b) rather than a single certificate (.crt). Brian
August 20th, 2009 3:58pm
Thanks. Looks like this is exactly what I wanted to know about this. I have figured out a web certificate installation from a PFX file. When I export this certificate I can include the certificate path in this PFX file. [http://www.sysadmins.lv]
August 20th, 2009 4:17pm
Hi,
Glad that it helps.
Have a nice day.
Joson Zhou
TechNet Subscriber Support in forum
If you have any feedback on our support, please contact tngfb@microsoft.com
This posting is provided "AS IS" with no warranties, and confers no rights.
August 26th, 2009 5:23am