
Help understanding scan results

Question asked by Phil Rigby on Oct 28, 2014
Latest reply on Oct 28, 2014 by Phil Rigby

Hi everyone.  I'm really not an SSL/TLS expert or too familiar with certificates and chains, so this will be a noob question.  Bear with me.

I'm running CentOS 6.5 and using Squid reverse proxy.  I ran the scan tool against my website.  I get this:


Additional Certificates (if supplied)
Certificates provided: 3 (3744 bytes)
Chain issues: Incomplete, Extra certs, Contains anchor


Certification Paths
Path #1: Trusted
1. Sent by
   SHA1: 9678f7bc3523e3c597c5cdcae263100d00063144
   RSA 2048 bits / SHA256withRSA
2. Extra download
   COMODO RSA Domain Validation Secure Server CA
   SHA1: 339cdd57cfd5b141169b615ff31428782d1da639
   RSA 2048 bits / SHA384withRSA
3. Extra download
   COMODO RSA Certification Authority
   SHA1: f5ad0bcc1ad56cd150725b1c866c30ad92ef21b0
   RSA 4096 bits / SHA384withRSA
4. Sent by server
   In trust store
   AddTrust External CA Root
   SHA1: 02faf3e291435468607857694df5e45b68851868
   RSA 2048 bits / SHA1withRSA
   Weak or insecure signature, but no impact on root certificates


So, my questions/issues are:

My chain is incomplete, yet I have "extra" certs?

In the path, #2 and #3 are saying "extra download" - does that mean I have to download and install them?  I have all the certs that Comodo provide and I've put them in ca-bundle.crt.  Or does it mean the client has to download them from the server?


Also I can't get Forward Secrecy to work but I think that'll be another discussion topic.


Any help/advice appreciated!
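
Added example, not part of the original post and not the scan tool's code: a simplified model showing how the three chain-issue flags in the report above can all apply to one set of sent certificates. Certificates are reduced to subject/issuer names; the leaf name, the third sent certificate (`STRAY`), and the reading of "Extra download" as "obtained by the scanner rather than sent by the server" are assumptions.

```python
# Added example: a simplified model, not the scan tool's code.
from typing import NamedTuple

class Cert(NamedTuple):
    subject: str
    issuer: str

def build_path(leaf, sent, fetchable):
    """Follow issuer names upward from the leaf, preferring certs the server sent."""
    path, current = [leaf], leaf
    while current.subject != current.issuer:      # stop at a self-signed cert
        pool = [c for c in sent if c.subject == current.issuer] or \
               [c for c in fetchable if c.subject == current.issuer]
        if not pool or pool[0] in path:           # issuer not available, or a loop
            break
        current = pool[0]
        path.append(current)
    return path

def chain_issues(sent, fetchable, trust_store):
    """Return chain-issue flags for the certs a server sent (leaf first)."""
    path = build_path(sent[0], sent, fetchable)
    issues = []
    if any(c not in sent and c.subject not in trust_store for c in path):
        issues.append("Incomplete")       # an intermediate came from outside the handshake
    if any(c not in path for c in sent):
        issues.append("Extra certs")      # sent, but not on the path
    if any(c.subject == c.issuer and c.subject in trust_store for c in sent):
        issues.append("Contains anchor")  # a trusted root was sent
    return issues

# CA names are from the report above; the leaf and STRAY are constructed.
DV = "COMODO RSA Domain Validation Secure Server CA"
CA = "COMODO RSA Certification Authority"
ROOT = "AddTrust External CA Root"
LEAF = Cert("www.example.test", DV)
DV_CERT, CA_CERT, ROOT_CERT = Cert(DV, CA), Cert(CA, ROOT), Cert(ROOT, ROOT)
STRAY = Cert("Unrelated CA (constructed)", "Unrelated Root (constructed)")
TRUST = {ROOT}
FETCHABLE = [DV_CERT, CA_CERT]            # what the scanner had to obtain itself
SENT_AS_SCANNED = [LEAF, STRAY, ROOT_CERT]
SENT_LEAF_PLUS_INTERMEDIATES = [LEAF, DV_CERT, CA_CERT]

if __name__ == "__main__":
    print(chain_issues(SENT_AS_SCANNED, FETCHABLE, TRUST))
    print(chain_issues(SENT_LEAF_PLUS_INTERMEDIATES, FETCHABLE, TRUST))
```

The first call models the three certificates counted in the report and returns all three flags; the second models sending the leaf followed by both intermediates and returns none.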