Score:0

Why do browsers know which certificate to use when there are multiple certificates?


I am very new to the world of servers and networking; I hope the question is clear and not too trivial. I recently came across the following scenario:

  1. There was a Root cert A, which is going to expire a few months from now. There was another new Root cert B, which is intended to be the replacement for A. Both A & B are self-signed. The CA of A is trusted by old and new browsers / OS, while the CA of B is only trusted by modern browsers / OS.

  2. There was a cross certificate A->B (B signed by A) which is currently in use on our servers. However, as A is going to expire soon, we applied for another cross certificate C->B (B signed by C, whose CA is trusted by both old and new browsers / OS) as a replacement.

  3. Now, in the UAT environment, we updated the cert to C->B, and on the client side I tried some legacy browsers for testing; I verified that only the CA of A and the CA of C are trusted, while the CA of B is not. For the PROD environment, we remain unchanged, i.e. using the cert A->B.

  4. I accessed the UAT site with the browser mentioned, and verified that the certificate used was A->B, the first time. Surprisingly, for subsequent accesses to both the UAT and PROD sites, the certificate used is C->B (checked on the client side).

My question is, is this normal behavior? Why does the client side "know" to use C->B since the first access to the UAT site? I also used openssl s_client to verify that the PROD server is still using A->B. How do browsers know which cert to use and "update" the cert accordingly?

Edited on 2022-Dec-13

  1. Our main purpose is to support both very old browsers / OS and modern browsers / OS, i.e. all browsers can access our site successfully even after cert A has expired.
  2. I think my main question, or doubt, is whether the following is true:
  • Old browsers, on the first access to the UAT site, show that the server is using cert A->B due to some caching mechanism.
  • After the 1st access to the UAT site, the server actually "pushes" the new cert C->B, which is configured on the server, to the client side. Now the browser, or even the OS level, acknowledges that the latest cert is C->B, not A->B anymore.
  • Although C->B is acknowledged, the cert A->B is still saved in the browser / OS. But the browser somehow knows to verify with the newer cert C->B. Meaning our purpose can be achieved.
If this is a Microsoft browser, it is actually a function of the operating system, not the browser.
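The following is an added example, not from the question or any answer: it builds a throwaway PKI that mirrors the setup in the question (self-signed Root A and Root C, one intermediate key B holding two cross-certificates A->B and C->B, and a leaf issued by B) and then asks OpenSSL which presented chain validates against which trust anchor. All names, serial numbers and the hostname `uat.example.test` are invented; it needs only the `openssl` CLI (1.1.1 or 3.x) and never touches the network.

```shell
#!/bin/sh
# Added example (not the asker's or any answer's code): throwaway PKI with two
# roots, one cross-signed intermediate key and one leaf, then chain checks.
# All names, serials and the hostname are invented; needs the openssl CLI.
set -eu

WORK=$(mktemp -d)
CNF="$WORK/pki.cnf"

# Extension profiles for the three roles: root, cross-signed intermediate, leaf.
cat > "$CNF" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_int]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:uat.example.test
authorityKeyIdentifier = keyid
EOF

# mkroot <letter>: self-signed root certificate with its own fresh key.
mkroot() {
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config "$CNF" \
    -extensions v3_root -subj "/CN=Root $1" \
    -keyout "$WORK/root$1.key" -out "$WORK/root$1.crt" 2>/dev/null
}
# sign <csr> <issuer cert> <issuer key> <profile> <serial> <out>
sign() {
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -set_serial "$5" -days 365 \
    -extfile "$CNF" -extensions "$4" -out "$6" 2>/dev/null
}

mkroot A
mkroot C

# One key for B, one CSR, two certificates from two different issuers: this is
# what "cross-certificate A->B" and "cross-certificate C->B" mean.
openssl req -new -newkey rsa:2048 -nodes -config "$CNF" -subj "/CN=Intermediate B" \
  -keyout "$WORK/B.key" -out "$WORK/B.csr" 2>/dev/null
sign "$WORK/B.csr" "$WORK/rootA.crt" "$WORK/rootA.key" v3_int 1001 "$WORK/B_by_A.crt"
sign "$WORK/B.csr" "$WORK/rootC.crt" "$WORK/rootC.key" v3_int 2001 "$WORK/B_by_C.crt"

# Leaf signed with B's key. Either B certificate is a valid issuer for it,
# because both carry the same subject name and the same public key / key id.
openssl req -new -newkey rsa:2048 -nodes -config "$CNF" -subj "/CN=uat.example.test" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
sign "$WORK/leaf.csr" "$WORK/B_by_A.crt" "$WORK/B.key" v3_leaf 3001 "$WORK/leaf.crt"

# Candidate bundles as a client might hold them after seeing both deployments.
cat "$WORK/B_by_C.crt" "$WORK/B_by_A.crt" > "$WORK/both_C_first.pem"
cat "$WORK/B_by_A.crt" "$WORK/B_by_C.crt" > "$WORK/both_A_first.pem"

# chk <root letter> <PEM with candidate intermediates>: prints "ok" when the
# leaf chains to that root through the supplied intermediates, else "fail".
chk() {
  if openssl verify -CAfile "$WORK/root$1.crt" -untrusted "$2" "$WORK/leaf.crt" >/dev/null 2>&1
  then echo ok; else echo fail; fi
}

printf '%-7s %-17s %s\n' anchor presented result
for anchor in A C; do
  for chain in B_by_A.crt B_by_C.crt both_A_first.pem both_C_first.pem; do
    printf '%-7s %-17s %s\n' "Root $anchor" "$chain" "$(chk "$anchor" "$WORK/$chain")"
  done
done
```

The table shows the point behind the question: the leaf is the same in every row, and it validates against Root A only through A->B and against Root C only through C->B. A client that already holds both cross-certificates can therefore validate the same leaf whichever root it trusts, which is what a browser that cached C->B after the UAT visit is doing when it later shows C->B for PROD even though PROD still sends A->B. Two caveats. First, OpenSSL's own chain builder takes the first candidate issuer it finds in the untrusted set and does not backtrack to the other cross-certificate when that path dead-ends, so the two mixed-order bundles in the table behave differently depending on which root is trusted; the order of the intermediates in the server's configured bundle therefore matters for OpenSSL-based clients, whereas Windows CryptoAPI (which, as the comment above says, does this work on behalf of Microsoft browsers) and the Firefox and Chrome verifiers build paths over everything they hold, including intermediates cached from earlier connections. Second, to see what a server actually sends, independent of any client-side cache, use `openssl s_client -connect host:443 -servername host -showcerts`, as the asker did for PROD.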
Score:0

Does this answer your question?

From the link, clearing the browser cache/SSL state might be what you need to do:

Web browsers cache SSL certificates to speed up the browsing experience. Normally, this is not a problem. However, when you are developing pages for your web site or installing a new certificate, the browser's SSL state can get in the way. For example, you might not see the padlock icon in the browser's address bar after you install a new SSL certificate.

John Mahowald
Please edit your answer to provide context for the link. External links unfortunately are not permanent. Relevant parts should be quoted, such that your post provides the answer, with the link as reference and further reading. https://serverfault.com/help/how-to-answer
shole
It helps a bit but not exactly; thanks so much anyway. See if you get a better understanding of my confusion after my latest edit.
A. Trevelyan
@shole based on your last update then it is working, right?
shole
@A.Trevelyan My question is more about the "why", or, as in my last update: is the following true? It seems I don't have a direct answer yet.
A. Trevelyan
@shole the steps as you've described in your last update seem logical, especially based on the info I originally linked. I would've expected that the old cert shouldn't even be showing anymore after updating though, since the cert was updated on the server - but I don't know how this update was performed or if the server still has access to the old cert why it would still show at all, so I can't say too much there. What I would do as a check is to use a new device, or clear all temporary internet files from a test device (so it has nothing cached), access the site, and see which cert you get.