Remediation Verification: Missing Intermediate Certificates or Untrusted Root Anchor

Ingrid A

A "Missing intermediate certificates or untrusted root anchor" TLS/SSL Configurations finding indicates that a server may be missing necessary intermediate certificates initially provided by your certificate vendor (they may not have been installed). Alternatively, your existing certificates may not be trusted.

Verifying the Finding

To verify that the issue is still present, use the following OpenSSL command:

    $ openssl s_client -connect {IP}:{Port}

Output example:

    $ openssl s_client -connect {IP}:{Port}
    CONNECTED(00000003)
    depth=1 DC = GBL, DC = AME, CN = AME INFRA CA 01
    verify error:num=20:unable to get local issuer certificate
    verify return:0
    write W BLOCK
    ---
    Certificate chain
     0 s:/CN=189ce0a1-ba75-4ebf-aaec-15066a8cc4a8.gwt.cloudapp.net
       i:/DC=GBL/DC=AME/CN=AME INFRA CA 01
     1 s:/DC=GBL/DC=AME/CN=AME INFRA CA 01
       i:/DC=GBL/DC=AME/CN=ameroot
    ---
    Server certificate
    -----BEGIN CERTIFICATE-----
    [certificate body omitted]
    -----END CERTIFICATE-----
    subject=/CN=189ce0a1-ba75-4ebf-aaec-15066a8cc4a8.gwt.cloudapp.net
    issuer=/DC=GBL/DC=AME/CN=AME INFRA CA 01
    ---
    No client certificate CA names sent
    Server Temp Key: ECDH, P-384, 384 bits
    ---
    SSL handshake has read 4641 bytes and written 445 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol : TLSv1.2
        Cipher : ECDHE-RSA-AES256-GCM-SHA384
        Session-ID: F8160000DFB68530404573DF7469F9E1C1BE5D7D89443EB8187DBA0E7681D7A1
        Session-ID-ctx:
        Master-Key: 4137F48BF655651C4A6483E8846414DE6EFEB310ECB5C4947F21D6F8F30A38C6B7204D1AA0B2B49B3D32E33B1D8C5B32
        Start Time: 1696376317
        Timeout : 7200 (sec)
        Verify return code: 20 (unable to get local issuer certificate)
    ---

Verification Results

- 0 (ok): Successful verification.
- Error 20: The certificate issuer could not be found.
- Error 21: The root Certificate Authority (CA) is not trusted.

Remediation

Contact your certificate vendor and request that they resend the certificate so that the certificate chain can be completed.

November 29, 2023: Published.
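The verification step above can be scripted so that the verify return code, the depth of the first verify error and the issuer name the client could not resolve are reported on one line. This is an added example, not code from the original article: the function names `summarize_s_client` and `sample_output` are hypothetical, the sample input is abridged from the article's output, and the script assumes the server sends its chain in order.

```shell
#!/bin/sh
# Added example (not from the article): summarize `openssl s_client` output on stdin.
# Live use: openssl s_client -connect {IP}:{Port} </dev/null 2>&1 | summarize_s_client
summarize_s_client() {
    awk '
        # Track the depth named just before the first verify error line.
        /^depth=[0-9]+/ { split($1, d, "="); last_depth = d[2] }
        /^verify error:num=[0-9]+/ && err_depth == "" { err_depth = last_depth }
        # Chain entries: " N s:<subject>" followed by "   i:<issuer>".
        /^ *[0-9]+ s:/ { idx = $1; sent++ }
        /^ *i:/ { dn = $0; sub(/^ *i:/, "", dn); issuer[idx] = dn }
        /Verify return code: [0-9]+/ {
            code = $0; sub(/.*Verify return code: /, "", code); sub(/ .*/, "", code)
        }
        END {
            if (code == "") { print "result=no-verify-code"; exit }
            n = code + 0
            # Mapping taken from the Verification Results list in the article.
            if (n == 0) result = "ok"
            else if (n == 20) result = "issuer-not-found"
            else if (n == 21) result = "root-ca-not-trusted"
            else result = "other"
            depth = (err_depth == "") ? "-" : err_depth
            # Issuer of the certificate at the failing depth (assumes an in-order chain).
            missing = (n != 0 && err_depth != "" && (err_depth in issuer)) ? issuer[err_depth] : "-"
            printf "code=%s depth=%s sent=%d result=%s issuer=%s\n", code, depth, sent, result, missing
        }
    '
}

# Constructed sample: the article output with the certificate body and session details left out.
sample_output() {
    cat <<'EOF'
depth=1 DC = GBL, DC = AME, CN = AME INFRA CA 01
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain
 0 s:/CN=189ce0a1-ba75-4ebf-aaec-15066a8cc4a8.gwt.cloudapp.net
   i:/DC=GBL/DC=AME/CN=AME INFRA CA 01
 1 s:/DC=GBL/DC=AME/CN=AME INFRA CA 01
   i:/DC=GBL/DC=AME/CN=ameroot
---
    Verify return code: 20 (unable to get local issuer certificate)
EOF
}

sample_output | summarize_s_client
```

Rerunning the same summary after the chain or trust store has been corrected should report `code=0 result=ok`.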