Azure website intermediate certificate not provided?
I have uploaded a PFX file into the Azure portal including the entire certificate path with all intermediate certificates (of which there are two). However, Azure fails to pass one of these to clients (browsers) so these fail to validate the certificate. Here's the certification path:
And here's the certificate as seen by a browser visiting my website:
As you can see, while the QuoVadis CSP - PKI Overheid CA - G2 certificate is provided, the path is incomplete since Staat der Nederlanden Organisatie CA - G2 is missing.
I'm sure the PFX isn't the problem, a simple certutil -dump shows the entire chain is there.
Does anyone know if I'm doing something wrong and if so, what?
I think that QuoVadis CSP intermediate cert is mis-configured. They are using a SSL address on their AIA extension. If they simply fix that to use HTTP instead, to point to the issuer CRL, then it should work for you.
The AIA setting they have pointing to this HTTPS address... if you browse to that path in the browser you'll see that the SSL cert on that address also uses the same cert chain and uses same QuoVadis CSP intermediate cert with same SSL url in the AIA extension, thus pointing to itself... possibly causing headaches for cert trust chain building logic not coded to protect against this AIA recursion.