Chain expired, Untrusted


#1 Anthony.Liddane

  • Members
  • 2 posts

Posted 08 February 2018 - 05:35 AM


We've just purchased a Barracuda SSL VPN appliance, replacing our Juniper SSLVPN. When configuring the appliance we're having issues with adding the SSL certificate. 

After uploading the Root CA cert, the Intermediate CA cert and the Certificate itself, the status shows Chain expired, Untrusted. However, when accessing the user login page, Chrome shows the green padlock and everything looks secure.


Details of the certificate:


The connection to this site uses TLS 1.2 (a strong protocol), ECDHE_RSA with P-256 (a strong key exchange), and AES_128_CBC with HMAC-SHA1 (an obsolete cipher).


Any idea why we are getting the Chain expired, Untrusted message?




#2 Gavin Chappell

  • Moderators
  • 426 posts
  • Location: Nottingham, UK

Posted 09 February 2018 - 11:11 AM

The untrusted text is only a cosmetic error - at some point we upgraded the SSL libraries on the appliance, and this changed the function we use to look up trusted Root Certificate Authorities, such that some of them no longer match the values we expect. However, if you follow my SSL Certificate post in this forum, and when you access it in a browser the trust chain is correct, then that's all you need to do. As long as your browser is happy with the trust chain, it doesn't matter whether the UI recognises it.


The expired text suggests that you may have uploaded an expired intermediate/root certificate to the appliance, but the browser has its own trust chain so it is able to verify the leaf certificate (i.e. the one specific to your appliance) through its own trust chain. This does happen; some vendors made it impossible to find SHA-256 intermediate CA certificates during the SHA-1->SHA-256 migrations a couple of years ago, so for a while people would see a SHA-256 certificate in their browser trust chain which they had never uploaded to the appliance. This just means that the browser was able to verify the entire chain using a more secure path, so it would do so. It sounds to me like that's what's happening here: the cert you upload is an old one, but it is ignored by your browser in favour of its own trust chain, so it's happy that the site is secure.
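
Added example (not part of either post and not Barracuda code): a standard-library Python check that reads the validity dates of every certificate in a PEM bundle before upload, to find the expired intermediate or root described above. It reads dates only and does not verify signatures or trust; `sample_pem` and `SAMPLE` are constructed skeleton data, not real certificates.

```python
import base64, re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _time(tag, raw):
    """Decode UTCTime (tag 0x17) or GeneralizedTime (tag 0x18) per RFC 5280."""
    text = raw.decode("ascii")
    if tag == 0x17:                         # two-digit year: 50-99 -> 19xx, 00-49 -> 20xx
        text = ("19" if int(text[:2]) >= 50 else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def validity(der):
    """Return (notBefore, notAfter) from a DER-encoded X.509 certificate."""
    _, pos, _ = _tlv(der, 0)                # Certificate SEQUENCE
    _, pos, _ = _tlv(der, pos)              # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, pos)
    pos = end if tag == 0xA0 else pos       # skip the optional [0] version field
    for _field in range(3):                 # skip serialNumber, signature, issuer
        _, _, pos = _tlv(der, pos)
    _, pos, _ = _tlv(der, pos)              # validity SEQUENCE
    t1, s1, e1 = _tlv(der, pos)
    t2, s2, e2 = _tlv(der, e1)
    return _time(t1, der[s1:e1]), _time(t2, der[s2:e2])

def check_bundle(pem_text, now=None):
    """Return [(index, notAfter, expired)] for every certificate in a PEM bundle."""
    now = now or datetime.now(timezone.utc)
    ends = [validity(base64.b64decode(m.group(1)))[1] for m in PEM_RE.finditer(pem_text)]
    return [(i, end, end < now) for i, end in enumerate(ends)]

def sample_pem(not_after):
    """Constructed skeleton (not a real certificate): only the fields up to validity."""
    def enc(tag, body):                     # short-form DER lengths are enough here
        return bytes([tag, len(body)]) + body
    tbs = (enc(0xA0, enc(0x02, b"\x02")) + enc(0x02, b"\x01") + enc(0x30, b"") + enc(0x30, b"")
           + enc(0x30, enc(0x17, b"160101000000Z") + enc(0x17, not_after)))
    b64 = base64.b64encode(enc(0x30, enc(0x30, tbs))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

# Constructed bundle: leaf valid until 2038, intermediate expired in 2017.
SAMPLE = sample_pem(b"380101000000Z") + sample_pem(b"170601000000Z")
```

To use it on real files, pass the concatenated text of the leaf, intermediate and root PEM files to `check_bundle` and replace any entry reported as expired with the CA's current certificate.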