When a client (e.g., a Chrome browser) accesses an HTTPS server, the server presents a certificate to establish a secure connection. The client must validate the certificate to trust the server. The certificate in this scenario has the following properties:
Subject name: myhost.example.com
SAN (Subject Alternative Name): DNS: myhost.example.com; DNS: myhost1.example.com
Extended Key Usage (EKU): Server authentication
Issuer: MyCA_Signing (an intermediate CA)
The server also sends an intermediate CA certificate for MyCA_Signing, signed by MyCA (the root CA).
The client’s Trusted CA Certificate list does not include MyCA or MyCA_Signing.
Certificate Validation Process:
Name Validation: The client checks if the server’s hostname (myhost1.example.com) matches the Subject name or a SAN in the certificate. Here, the SAN includes "myhost1.example.com," so the name validation passes.
EKU Validation: The client verifies that the certificate’s EKU includes "Server authentication," which is required for HTTPS. The EKU is correctly set to "Server authentication," so this validation passes.
Chain of Trust Validation: The client builds a certificate chain from the server’s certificate to a trusted root CA in its Trusted CA Certificate list. The chain is:
Server certificate (issued by MyCA_Signing)
Intermediate CA certificate (MyCA_Signing, issued by MyCA)
Root CA certificate (MyCA, which should be in the client’s trust store) The client’s Trusted CA Certificate list does not include MyCA or MyCA_Signing, meaning the client cannot build a chain to a trusted root CA. This causes the validation to fail.
Option A, "The client does not have the correct trusted CA certificates," is correct. The client’s trust store must include the root CA (MyCA) to trust the certificate chain. Since MyCA is not in the client’s Trusted CA Certificate list, the client cannot validate the chain, and the certificate is not trusted.
Option B, "The certificate lacks a valid SAN," is incorrect. The SAN includes "myhost1.example.com," which matches the server’s hostname, so the SAN is valid.
Option C, "The certificate lacks the correct EKU," is incorrect. The EKU is set to "Server authentication," which is appropriate for HTTPS.
Option D, "The certificate lacks a valid SAN, and the client does not have the correct trusted CA certificates," is incorrect because the SAN is valid, as explained above. The only issue is the missing trusted CA certificates.
The HPE Aruba Networking AOS-CX 10.12 Security Guide states:
"For a client to trust a server’s certificate during HTTPS communication, the client must validate the certificate chain to a trusted root CA in its trust store. If the root CA (e.g., MyCA) or intermediate CA (e.g., MyCA_Signing) is not in the client’s Trusted CA Certificate list, the chain of trust cannot be established, and the client will reject the certificate. The Subject Alternative Name (SAN) must include the server’s hostname, and the Extended Key Usage (EKU) must include ‘Server authentication’ for HTTPS." (Page 205, Certificate Validation Section)
Additionally, the HPE Aruba Networking Security Fundamentals Guide notes:
"A common reason for certificate validation failure is the absence of the root CA certificate in the client’s trust store. For example, if a server’s certificate is issued by an intermediate CA (e.g., MyCA_Signing) that chains to a root CA (e.g., MyCA), the client must have the root CA certificate in its Trusted CA Certificate list to trust the chain." (Page 45, Certificate Trust Issues Section)
[References:, HPE Aruba Networking AOS-CX 10.12 Security Guide, Certificate Validation Section, Page 205., HPE Aruba Networking Security Fundamentals Guide, Certificate Trust Issues Section, Page 45.===========]
