I am very new to the world of server and networking, I hope the questions is clear and won't be so trivial. I recently came across the following scenario:
There was a Root cert A, which is going to expire a few months later. There was another new Root cert B, which intended to be replacement of A. Both A & B are self-signed. The CA of A is trusted by old and new browsers / OS, while the CA of B is only trusted by modern browers / OS
There was a cross certificate A->B (B signed by A) which is currently using in our servers. However as A is going to expire soon, we applied another cross certificate C->B (B signed by C, which CA of C is trusted by both old and new browsers / OS) as a replacement.
Now, in UAT environment, we update the cert C->B, and for client side I try to use some legacy browsers for testing, I verified only CA of A and CA of C are trusted, while CA of B is not. For PROD environment, we remain unchange i.e. using the cert A->B
I access UAT site with the browser mentioned, and verified the certificate used is A->B, for the first time. Surprisingly, for subsequent access to both UAT and PROD sites, the certificate used is C->B (checked in client side).
My question is, is this normal behavior? Why client side "knows" to use C->B since the first access of UAT sites? I also use openssl s_client to verify the PROD server is still using A->B. How does browsers know which cert to use and "update" the cert accordingly?
Edited on 2022-Dec-13
- Our main purpose is that to support both very old browsers / OS and modern browsers / OS. i.e. All browsers can access our site successfully even after cert A is expired.
- I think my main question, or doubt, is that if the following is true:
- Old browsers, for the first time accessing UAT site, it shows that the server is using cert A->B due to some caching mechanism
- After 1st access to the UAT site, server actually "push" the new cert C->B to client side which is configured in the server. Now, browsers, or even OS level acknowledged that the latest cert is C->B, not A->B anymore.
- Although C->B is acknowledged, the cert A->B is still saved in the browser / OS. But the browser somehow knows to verify with the newer cert C->B. Meaning our purpose can be acheived.
답변1
Does this answer your question?
From the link, clearing the browser cache/SSL state might be what you need to do:
Web browsers cache SSL certificates to speed up the browsing experience. Normally, this is not a problem. However, when you are developing pages for your web site or installing a new certificate, the browser's SSL state can get in the way. For example, you might not see the padlock icon in the browser's address bar after you install a new SSL certificate.