Certificate scan results update

While the grades you see on ShadowTrackr are based on the SSL Labs scoring guide and should be the same, we have discovered a minor difference. When you have an incomplete chain of trust, SSL Labs will show it but still happily hand out an A or even A+. On ShadowTrackr you will receive a T, because and incomplete chain of trust is a Trust issue.

Out of the thousands of certificates we scan, we have only seen this difference on two certificates. On one of them, SSL Labs claimed only Java had an incomplete chain. Our scan showed that Java and Apple had an incomplete chain of trust. All tough the certificate was accepted by Safari on a Macbook, OpenSSL verification on the terminal on that same macbook did show a certificate problem.

If this happens to you, make sure you have the complete certificate bundle including the intermediate certificates installed on your server. The order of the certificates is important too. If this still fails to produce a complete chain of trust, get a certificate signed by a different root CA and try again.

The certificate scan script had been updated, and a bug in the detection of the certificate serial number has been fixed.