Skip to main content
Security Performance Management
Continuous Monitoring
Vendor Risk Management
Trust Management Hub
Cyber Insurance
National Cybersecurity

Remediation Verification: Missing Intermediate Certificates or Untrusted Root Anchor

Ingrid

A Missing intermediate certificates or untrusted root anchor TLS/SSL Configurations finding indicates that a server may be missing necessary intermediate certificates initially provided by your certificate vendor (they may not have been installed). Alternatively, your existing certificates may not be trusted.

Verifying the Finding

To verify that the issue is still present, use the following OpenSSL command:

$ openssl s_client -connect {IP}:{Port}

Output example:

$ openssl s_client -connect {IP/CIDR}
CONNECTED(00000003)
depth=1 DC = GBL, DC = AME, CN = AME INFRA CA 01
verify error:num=20:unable to get local issuer certificate
verify return:0
write W BLOCK
---
Certificate chain
 0 s:/CN=189ce0a1-ba75-4ebf-aaec-15066a8cc4a8.gwt.cloudapp.net
   i:/DC=GBL/DC=AME/CN=AME INFRA CA 01
 1 s:/DC=GBL/DC=AME/CN=AME INFRA CA 01
   i:/DC=GBL/DC=AME/CN=ameroot
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIHejCCBmKgAwIBAgITOgFo6eH/R13UiJ1l0AAEAWjp4TANBgkqhkiG9w0BAQsF
ADBEMRMwEQYKCZImiZPyLGQBGRYDR0JMMRMwEQYKCZImiZPyLGQBGRYDQU1FMRgw
FgYDVQQDEw9BTUUgSU5GUkEgQ0EgMDEwHhcNMjMwNTE4MTQyMjIwWhcNMjQwNTEy
MTQyMjIwWjBAMT4wPAYDVQQDEzUxODljZTBhMS1iYTc1LTRlYmYtYWFlYy0xNTA2
NmE4Y2M0YTguZ3d0LmNsb3VkYXBwLm5ldDCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAMxC9SzV31mruKZ5uttYutocdNKq1IB5LE24G2/OXKx1gklLNwmo
p7gQJ8br9FNs9EgM5IrAkaMH/QPD9wNqPMFs8EwUIgngzbJ7RmY7/7allwEaoc3Z
J+GLDnjy7JgoCiDbZsNlEYBhORgQhThEiL7QArK6z4IPNKRc4EKlJcVko9isPtJ4
INgm/8pXUkPg7NGuQpn3YqRZusQ4FfIu/JSFBkCbbwPZO+fTZhgCMAVAAuGxjQHB
QYwL6ENJ0WU26AA/GawofKpF6XX/kZQO//Vv1d2ZL4o3xLEYM43AXA7hO4KSRqDi
eCDIr022ta2TlM/DC5z+CKMc7MDIp/Zlb30CAwEAAaOCBGcwggRjMCcGCSsGAQQB
gjcVCgQaMBgwCgYIKwYBBQUHAwEwCgYIKwYBBQUHAwIwPQYJKwYBBAGCNxUHBDAw
LgYmKwYBBAGCNxUIhpDjDYTVtHiE8Ys+hZvdFs6dEoFggvX2K4Py0SACAWQCAQow
ggHaBggrBgEFBQcBAQSCAcwwggHIMGYGCCsGAQUFBzAChlpodHRwOi8vY3JsLm1p
Y3Jvc29mdC5jb20vcGtpaW5mcmEvQ2VydHMvQlkyUEtJSU5UQ0EwMS5BTUUuR0JM
X0FNRSUyMElORlJBJTIwQ0ElMjAwMSg0KS5jcnQwVgYIKwYBBQUHMAKGSmh0dHA6
Ly9jcmwxLmFtZS5nYmwvYWlhL0JZMlBLSUlOVENBMDEuQU1FLkdCTF9BTUUlMjBJ
TkZSQSUyMENBJTIwMDEoNCkuY3J0MFYGCCsGAQUFBzAChkpodHRwOi8vY3JsMi5h
bWUuZ2JsL2FpYS9CWTJQS0lJTlRDQTAxLkFNRS5HQkxfQU1FJTIwSU5GUkElMjBD
QSUyMDAxKDQpLmNydDBWBggrBgEFBQcwAoZKaHR0cDovL2NybDMuYW1lLmdibC9h
aWEvQlkyUEtJSU5UQ0EwMS5BTUUuR0JMX0FNRSUyMElORlJBJTIwQ0ElMjAwMSg0
KS5jcnQwVgYIKwYBBQUHMAKGSmh0dHA6Ly9jcmw0LmFtZS5nYmwvYWlhL0JZMlBL
SUlOVENBMDEuQU1FLkdCTF9BTUUlMjBJTkZSQSUyMENBJTIwMDEoNCkuY3J0MB0G
A1UdDgQWBBQLSfYU3ttj/2f4tDRgbr+uZxUsZjAOBgNVHQ8BAf8EBAMCBaAwWgYD
VR0RBFMwUYJPYXp1cmVnYXRld2F5LTE4OWNlMGExLWJhNzUtNGViZi1hYWVjLTE1
MDY2YThjYzRhOC02YjJiZmI1MWI1MzAuZ3d0LmNsb3VkYXBwLm5ldDCCATUGA1Ud
HwSCASwwggEoMIIBJKCCASCgggEchkJodHRwOi8vY3JsLm1pY3Jvc29mdC5jb20v
cGtpaW5mcmEvQ1JML0FNRSUyMElORlJBJTIwQ0ElMjAwMSg0KS5jcmyGNGh0dHA6
Ly9jcmwxLmFtZS5nYmwvY3JsL0FNRSUyMElORlJBJTIwQ0ElMjAwMSg0KS5jcmyG
NGh0dHA6Ly9jcmwyLmFtZS5nYmwvY3JsL0FNRSUyMElORlJBJTIwQ0ElMjAwMSg0
KS5jcmyGNGh0dHA6Ly9jcmwzLmFtZS5nYmwvY3JsL0FNRSUyMElORlJBJTIwQ0El
MjAwMSg0KS5jcmyGNGh0dHA6Ly9jcmw0LmFtZS5nYmwvY3JsL0FNRSUyMElORlJB
JTIwQ0ElMjAwMSg0KS5jcmwwFwYDVR0gBBAwDjAMBgorBgEEAYI3ewEBMB8GA1Ud
IwQYMBaAFOXZm2f8+Oy6u/DAqJ2KV4i53z5jMB0GA1UdJQQWMBQGCCsGAQUFBwMB
BggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAQEAC3BlCDh39ZkJaiPybnjb9irw
OIw2K/y8ByPIZzLpwfZ7V6LbfdmDcPOMTNrmWxPBb6qcufrVrHejZO6azFLz0fCj
PeVBfWwZjuWJcBaKGl/VdqebY+Fwoibvn96f4MGju44oyRmXCs+F9XxsdZvBmTai
A/24XoQ9bW1A3nkTeUgEC7+FaWASIFJQwljeL818w2AzFdmV6Q/iIjAMJzIF/iDj
JRcBGTL+Q9vVIpd7mbR7hFAZ+RwEJRV6oqNOnYyWjBNNAJpUlmJwJdHcDsNysyAd
zi8XlsJQvaHLNEj/nACJ2Dj1X5kVHaTAHALtg7yBFi9yAo4viazWhvVc/URwiQ==
-----END CERTIFICATE-----
subject=/CN=189ce0a1-ba75-4ebf-aaec-15066a8cc4a8.gwt.cloudapp.net
issuer=/DC=GBL/DC=AME/CN=AME INFRA CA 01
---
No client certificate CA names sent
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 4641 bytes and written 445 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: F8160000DFB68530404573DF7469F9E1C1BE5D7D89443EB8187DBA0E7681D7A1
    Session-ID-ctx: 
    Master-Key: 4137F48BF655651C4A6483E8846414DE6EFEB310ECB5C4947F21D6F8F30A38C6B7204D1AA0B2B49B3D32E33B1D8C5B32
    Start Time: 1696376317
    Timeout   : 7200 (sec)
    Verify return code: 20 (unable to get local issuer certificate)
---

Verification Results

0 (ok)
Successful verification.
Error 20
The certificate issuer could not be found.
Error 21
The root Certificate Authority (CA) is not trusted.

Remediation

Contact your certificate vendor and request that they resend the certificate to have the certificate chain completed.

  • November 29, 2023: Published.
Was this article helpful?
3 out of 11 found this helpful
Return to top

Related articles

Feedback

0 comments

Please sign in to leave a comment.