spatie/ssl-certificate-chain-resolver

SSL certificate chain resolver

Maintainers

Details

github.com/spatie/ssl-certificate-chain-resolver

Homepage

Source

Installs: 6 229

Dependents: 0

Suggesters: 1

Security: 0

Stars: 305

Watchers: 10

Forks: 40

3.0.1 2023-12-18 14:28 UTC

Requires

Requires (Dev)

MIT 7f902475020b698fcb581b35d204807faf88c6db

  • Freek Van der Herten <freek.woop@spatie.be>

httpssslChaincertificatessl-certificate-chain-resolver

This package is auto-updated.

Last update: 2024-04-18 15:14:53 UTC

README

Latest Version Software License Build Status Quality Score StyleCI Total Downloads

All operating systems contain a set of default trusted root certificates. But Certificate Authorities usually don't use their root certificate to sign customer certificates. They use so called intermediate certificates instead, because these can be rotated more frequently.

If not all intermediate certificates are installed on your server, some clients —mostly mobile browsers— will think you are on an insecure connection.

This tool can help you fix the incomplete certificate chain issue, also reported as Extra download by Qualys SSL Server Test.

Spatie is a webdesign agency in Antwerp, Belgium. You'll find an overview of all our open source projects on our website.

Support us

68747470733a2f2f6769746875622d6164732e73332e65752d63656e7472616c2d312e616d617a6f6e6177732e636f6d2f73736c2d63657274696669636174652d636861696e2d7265736f6c7665722e6a70673f743d31

We invest a lot of resources into creating best in class open source packages. You can support us by buying one of our paid products.

We highly appreciate you sending us a postcard from your hometown, mentioning which of our package(s) you are using. You'll find our address on our contact page. We publish all received postcards on our virtual postcard wall.

Postcardware

You're free to use this package (it's MIT-licensed), but if it makes it to your production environment you are required to send us a postcard from your hometown, mentioning which of our package(s) you are using.

Our address is: Spatie, Kruikstraat 22, 2018 Antwerp, Belgium.

The best postcards will get published on the open source page on our website.

Installation

This package can be installed using composer by running this command.

composer global require spatie/ssl-certificate-chain-resolver

Usage

Let's assume you have an incomplete certificate called cert.crt. To generate the a file containing the certificate and the entire trust chain, you can use this command:

ssl-certificate-chain-resolver resolve cert.crt

A file containing the certificate and the entire trust chain will be saved as certificate-including-trust-chain.crt

You can also pass the name of the file of the outputfile as the second argument:

ssl-certificate-chain-resolver resolve cert.crt your-output-file.crt

If the outputfile already exists, you will be asked if it's ok to overwrite it.

Updating

You can update ssl-certificate-chain-resolver to the latest version by running:

composer global update spatie/ssl-certificate-chain-resolver

Limitations

Currently this package does not work with Entity validation certificates or certificates issued by Let's Encrypt. A PR that adds this to package would be highly appreciated.

Testing

Functional and unit tests are included with the package.

You can run them yourself with vendor/bin/codecept run

Credits

This package was inspired by cert-chain-resolver written by Jan Žák. Some text, mainly the background about the trust chain, was copied from the readme of his repo.

Background: the trust chain

All operating systems contain a set of default trusted root certificates. But Certificate Authorities usually don't use their root certificate to sign customer certificates. Instead of they use so called intermediate certificates, because they can be rotated more frequently.

A certificate can contain a special Authority Information Access extension (RFC-3280) with URL to issuer's certificate. Most browsers can use the AIA extension to download missing intermediate certificate to complete the certificate chain. This is the exact meaning of the Extra download message. But some clients, mostly mobile browsers, don't support this extension, so they report such certificate as untrusted.

This results in 'untrusted'-warnings like this, since the browser thinks you are on an insecure connection.

Untrusted Warning

A server should always send a complete chain, which means concatenated all certificates from the certificate to the trusted root certificate (exclusive, in this order), to prevent such issues. So when installing a SSL certificate on a server you should install all intermediate certificates as well. You should be able to fetch intermediate certificates from the issuer and concat them together by yourself.

This tool helps you automatize that boring task by looping over certificate's AIA extension field.

About Spatie

Spatie is a webdesign agency in Antwerp, Belgium. You'll find an overview of all our open source projects on our website.

License

The MIT License (MIT). Please see License File for more information.