Grading Checklist: TLS Works From Some Clients But Fails From Others

  • Used openssl s_client to examine the certificate chain sent by the server
  • Identified that the intermediate certificate is missing from the chain
  • Explained why browsers work (AIA fetching, cached intermediates) but strict clients fail
  • Described the correct certificate chain: leaf -> intermediate(s) -> root
  • Noted that the server should send leaf + intermediate(s) but NOT the root
  • Identified the missing intermediate certificate by checking the leaf cert's Issuer field
  • Proposed fix: concatenate leaf + intermediate into the correct bundle file
  • Showed the correct order for the certificate bundle file
  • Mentioned verification steps: openssl s_client, curl, SSL Labs re-test
  • Explained AIA (Authority Information Access) and why some browsers can auto-fetch intermediates
  • Connected the issue to the recent certificate renewal (new cert, old/missing bundle)
  • Recommended automating certificate deployment to include chain in future renewals
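
The checklist items on the missing intermediate, bundle order and verification can be reproduced offline. The script below is an added example, not part of the original checklist: it builds a throwaway root, intermediate and leaf (all names and file names are constructed assumptions), then checks a leaf-only bundle, a correct bundle and a misordered bundle the way a client without AIA fetching would.

```bash
#!/usr/bin/env bash
# Added example: throwaway PKI with constructed names; runs offline, needs only openssl.
set -eu

issue() {  # issue <name> <CN> <ext-file> [<issuer-name>]; no issuer means self-signed
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  if [ $# -eq 4 ]; then
    openssl x509 -req -in "$1.csr" -CA "$4.pem" -CAkey "$4.key" -CAcreateserial \
      -extfile "$3" -days 2 -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -signkey "$1.key" \
      -extfile "$3" -days 2 -out "$1.pem" 2>/dev/null
  fi
}

# A client that trusts only the root and does no AIA fetching or caching:
# it can use nothing but the certificates the server sent.
strict_verify() {  # strict_verify <root.pem> <bundle-sent-by-server> <leaf.pem>
  openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>&1 | grep -q ': OK$'
}

# Each cert's issuer must equal the next cert's subject, at least one
# intermediate must follow the leaf, and the self-signed root must be absent.
bundle_order_ok() {  # bundle_order_ok <bundle.pem>
  openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout |
    awk '/^subject=/ { s[++n] = substr($0, 9) }
         /^issuer=/  { i[n]   = substr($0, 8) }
         END { if (n < 2) exit 1
               for (k = 1; k < n; k++) if (i[k] != s[k+1]) exit 1
               if (i[n] == s[n]) exit 1 }'
}

work=$(mktemp -d); cd "$work"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext
issue root "Constructed Root CA" ca.ext
issue int  "Constructed Intermediate CA" ca.ext root
issue leaf "www.example.test" leaf.ext int

cat leaf.pem int.pem > fullchain.pem    # correct: leaf first, then intermediate
cat int.pem leaf.pem > wrongorder.pem   # same certificates, wrong order

for b in leaf.pem fullchain.pem wrongorder.pem; do
  strict_verify root.pem "$b" leaf.pem && v="verifies" || v="fails to verify"
  bundle_order_ok "$b" && o="order ok" || o="bad order or incomplete"
  echo "$b: $v; $o"
done
```

Against a live server, the same `bundle_order_ok` check can be run on the PEM blocks saved from `openssl s_client -showcerts` output.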