Why Do Some 'SSL Checkers' Display Different Results?

Solution

Many CAs and vendors include an online application that allows you to check the successful installation and chaining of an SSL certificate.  These applications are sometimes referred to as an "SSL Checker", "SSL Verify Tool" or something similar.

Many of these applications operate using a command within OpenSSL and reformat the information gathered from this command so that it is easy to read.

Sometimes, the results differ between the 'SSL Checkers' offered by different CAs and vendors.  One 'SSL Checker' may say that a particular SSL Certificate is 'untrusted' whereas another 'SSL Checker' shows the same certificate chaining up perfectly and installed without any errors.

This discrepancy between 'SSL Checkers' occurs because of differences between the Root certificate store of the 'SSL Checker' webserver and the Root certificate offered by the website that is being checked.

An 'SSL Checker' first obtains all of the certificates that a website is offering.  This collection of certificates usually includes the end entity certificate, any Intermediate certificates involved and the Root certificate. Once the 'SSL Checker' has these certificates, it then compares the Root certificate of the chain from the website to the Root certificates in the Root certificate store of the 'SSL Checker' webserver.

If the 'SSL Checker' webserver trusts the Root certificate that the website is offering, it will successfully chain with no errors.  If the 'SSL Checker' webserver does not trust the Root certificate that the website is offering, then the chain will fail and the 'SSL Checker' application will reflect its findings.
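
The behaviour described above can be reproduced offline with OpenSSL. The script below is an added example, not code from any CA's checker: it builds one constructed chain and verifies it against two different Root stores. The names RootA, RootB and www.example.test, and all function names, are made up for the illustration.

```shell
#!/usr/bin/env bash
# Added illustration: one chain judged by two checkers with different Root stores.
# All names (RootA, RootB, www.example.test) and certificates are constructed.

make_root() {   # make_root <dir> <name>: create a self-signed Root certificate
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
    -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

make_leaf() {   # make_leaf <dir> <root-name> <hostname>: end entity cert signed by that Root
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$1/leaf.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -CAcreateserial -days 30 -out "$1/leaf.pem" 2>/dev/null
}

check_with_store() {   # check_with_store <root-store.pem> <cert.pem>
  # -no-CApath (OpenSSL 1.1.0+) skips the default certificate directory. The
  # constructed Roots exist only in these files, so the verdict comes from
  # the store file passed in as $1.
  if openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

run_demo() {
  local d r1 r2
  d=$(mktemp -d)
  make_root "$d" RootA
  make_root "$d" RootB
  make_leaf "$d" RootA www.example.test
  r1=$(check_with_store "$d/RootA.pem" "$d/leaf.pem")   # checker 1 trusts RootA
  r2=$(check_with_store "$d/RootB.pem" "$d/leaf.pem")   # checker 2 trusts only RootB
  rm -rf "$d"
  echo "checker1=$r1 checker2=$r2"
}

run_demo   # prints: checker1=trusted checker2=untrusted
```

The certificate is identical in both checks; only the Root store handed to `openssl verify` changes, and that alone flips the result.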

How do I know which 'SSL Checker' to trust?

When dealing with certificates, a general rule of thumb for selecting the right 'SSL Checker' is to stick with the 'SSL Checker' application that is provided by the CA that you purchased your certificate from.  If your CA does not provide an 'SSL Checker' application, then try to find one that automatically updates its Root certificate store to either Microsoft or Mozilla (Firefox) standards.