SSL Certificate chain not sent when signed by one or more Intermediate CAs

[Jamtastic808]

I am setting up SSL on my Kestrel Linux server using .NET Core 2.1.1.

The SSL certificate is signed by an intermediate CA.

The SSL certificate contains intermediate and root CA.

I load the pfx file as a X509Certificate2 object and use this for the server certificate.

It seems to be that the way I have set this up, the intermediate CA is not sent as part of the handshake and only the leaf is sent.

return WebHost.CreateDefaultBuilder(args)
            .UseStartup<Startup>()
            .UseKestrel(options =>
            {
                options.Listen(IPAddress.Any,443, listenOptions =>
                {

                    listenOptions.UseHttps("ssl.pfx", "password123");

                });
            }
            )
        .Build();

So I execute this command and it shows only the leaf but not the intermediate:

openssl s_client -showcerts -connect myserver:443

I expect it to include the intermediate ca and leaf as one would expect like this for example:

openssl s_client -showcerts -connect google.com:443

[Daniel15]

This is the wrong place for support. This repo is only for announcements that have a broad audience (ie. everyone using the framework). You probably want to ask in another repo (eg. https://github.com/aspnet/AspNetCore), on Gitter, or on Stack Overflow 😃

[tidusjar]

Would be nice if GitHub only let the maintainers/org members open issues.

[Daniel15]

I don't think GitHub ever thought people would use issues like a blog, so they likely didn't consider this as a requirement 😛

[Jamtastic808]

Oops, sorry.
Please delete

[blowdart]

No no, it got moved to potentially the right place now :)

[scott-a-allard]

I came across this same issue last week. I found that if the host operating system (Debian in this case) didn't have explicit trust in the intermediate cert itself, kestrel would not send the intermediate cert to the client. When I added the intermediate cert directly into the ca trust, it would send. Having the root certificate alone was not enough.

this is unusual behavior; i would guess that it's a bug.

[analogrelay]

We don't really control X509Certificate2's behavior here. It looks like it's only loading one of the certs which means Kestrel can only send one of the certs (the leaf, I presume). This bug is probably better filed in dotnet/corefx.