SSL Chain issues – Contains anchor

Does your SSLLABS report mention ‘Chain issues – Contains anchor’?

Simple fix:

Remove the Root CA from the concatenated certificate file.

Use a text editor open your Root CA file as well as your Certificate file, check what the Root CA starts and end with and remove that section.

-----BEGIN CERTIFICATE-----
MIIGuDCCBKCgAwIBAgIUUk/B8W400XArhKE/sEK7zHw8kDIwDQYJKoZIhvcNAQEL
BQAwSDELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxHjAc

Blah Blah

JOVtnRpn3coVfSR/0rz0XKVXeZGnKztGdIMQhWMTxvZ1UpmRAH2Ab2QnVo1fkPVy
qNSJces5Y/VKpIvLBk5Jj55fvK8ME/9ASa+LtLrIms8iYHl75cupuYZZlg8=
-----END CERTIFICATE----- 

Leaving just the Certificate and the Intermediate Certificate in the file.

Restart your web server and retest in SSLLABS.

One comment

  1. Name

    It is a last CA certificate in the chain which signs server cert must be removed.
    If you remove Root CA certificate then you will end up with incomplete chain (B grade) on SSL labs test page.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s