SSL Chain issues – Contains anchor

Does your SSLLABS report mention ‘Chain issues – Contains anchor’?

Simple fix:

Remove the Root CA from the concatenated certificate file.

Use a text editor open your Root CA file as well as your Certificate file, check what the Root CA starts and end with and remove that section.

-----BEGIN CERTIFICATE-----
MIIGuDCCBKCgAwIBAgIUUk/B8W400XArhKE/sEK7zHw8kDIwDQYJKoZIhvcNAQEL
BQAwSDELMAkGA1UEBhMCQk0xGTAXBgNVBAoTEFF1b1ZhZGlzIExpbWl0ZWQxHjAc

Blah Blah

JOVtnRpn3coVfSR/0rz0XKVXeZGnKztGdIMQhWMTxvZ1UpmRAH2Ab2QnVo1fkPVy
qNSJces5Y/VKpIvLBk5Jj55fvK8ME/9ASa+LtLrIms8iYHl75cupuYZZlg8=
-----END CERTIFICATE-----

Leaving just the Certificate and the Intermediate Certificate in the file.

Restart your web server and retest in SSLLABS.

2 comments

  1. Name

    It is a last CA certificate in the chain which signs server cert must be removed.
    If you remove Root CA certificate then you will end up with incomplete chain (B grade) on SSL labs test page.

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s