2 web servers, inbound decryption for both, one working and the other does not, and both are using the same wildcard cert. Bold are the only differences I see between the 2. I don't know why the working server without decryption shows the root instead of the intermediate SHA2 certificate or vice versa. However, if I see the cert in the browser it looks the same for both servers. Also not sure why the signature type is different, and also not sure if that can be controlled in the Apache config. Traffic to both is from the same test client.

---------------------------------------------

Server A without Decryption

PS C:\Users\whoami\Downloads\New folder (7)\openssl-1.1.1k-win64> .\openssl.exe s_client -connect webpac.test.ca:443 -brief
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify error:num=19:self signed certificate in certificate chain
CONNECTION ESTABLISHED
Protocol version: TLSv1.2
Ciphersuite: ECDHE-RSA-AES256-GCM-SHA384
Peer certificate: C = CA, O = TEST, OU = IT, CN = *.test.ca
Hash used: SHA256
Signature type: RSA
Verification error: self signed certificate in certificate chain
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Server Temp Key: ECDH, P-256, 256 bits

Server A with Decryption

depth=0 C = CA, O = TEST, OU = IT, CN = *.test.ca
verify error:num=20:unable to get local issuer certificate
depth=0 C = CA, O = TEST, OU = IT, CN = *.test.ca
verify error:num=21:unable to verify the first certificate
CONNECTION ESTABLISHED
Protocol version: TLSv1.2
Ciphersuite: ECDHE-RSA-AES256-GCM-SHA384
Peer certificate: C = CA, O = TEST, OU = IT, CN = *.test.ca
Hash used: SHA256
Signature type: RSA
Verification error: unable to verify the first certificate
Server Temp Key: ECDH, P-256, 256 bits

Server B without Decryption

depth=1 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert SHA2 High Assurance Server CA
verify error:num=20:unable to get local issuer certificate
CONNECTION ESTABLISHED
Protocol version: TLSv1.2
Ciphersuite: ECDHE-RSA-AES256-GCM-SHA384
Peer certificate: C = CA, O = TEST, OU = IT, CN = *.test.ca
Hash used: SHA256
Signature type: RSA-PSS
Verification error: unable to get local issuer certificate
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Server Temp Key: ECDH, P-256, 256 bits

Server B with Decryption

30632:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl\record\rec_layer_s3.c:1544:SSL alert number 40
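As an added example (not part of the post, and not from any firewall or Apache project), the following script parses the `openssl s_client -brief` summaries quoted above and lists what changed once the session passed through the decrypting device: the deepest chain entry the client saw, summary fields such as Signature type and the point-format extension, the verify error codes, or a TLS alert if the inspected handshake never completed. The sample inputs are the post's own captures, trimmed to the lines the comparison uses.

```python
import re

# Constructed samples: the post's Server A captures (direct and through decryption), and the
# Server B capture through decryption, which aborts with a TLS alert before any summary.
SERVER_A_DIRECT = """\
depth=2 C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA
verify error:num=19:self signed certificate in certificate chain
CONNECTION ESTABLISHED
Ciphersuite: ECDHE-RSA-AES256-GCM-SHA384
Signature type: RSA
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2"""
SERVER_A_DECRYPTED = """\
depth=0 C = CA, O = TEST, OU = IT, CN = *.test.ca
verify error:num=20:unable to get local issuer certificate
depth=0 C = CA, O = TEST, OU = IT, CN = *.test.ca
verify error:num=21:unable to verify the first certificate
CONNECTION ESTABLISHED
Ciphersuite: ECDHE-RSA-AES256-GCM-SHA384
Signature type: RSA"""
SERVER_B_DECRYPTED = "30632:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:ssl\\record\\rec_layer_s3.c:1544:SSL alert number 40"

def parse_brief(text):
    """Parse `s_client -brief` output: chain depths seen, verify error codes, alert number, summary fields."""
    info = {"depths": [], "verify_errors": [], "established": False, "alert": None}
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"depth=(\d+) ", line):
            info["depths"].append(int(m.group(1)))
        elif m := re.match(r"verify error:num=(\d+):", line):
            info["verify_errors"].append(int(m.group(1)))
        elif line == "CONNECTION ESTABLISHED":
            info["established"] = True
        elif m := re.search(r"SSL alert number (\d+)", line):
            info["alert"] = int(m.group(1))
        elif ": " in line:  # summary lines such as "Signature type: RSA-PSS"
            key, value = line.split(": ", 1)
            info[key] = value
    return info

def compare(direct_text, inspected_text):
    """List what differs between the direct session and the one through the decrypting device."""
    a, b = parse_brief(direct_text), parse_brief(inspected_text)
    if not b["established"]:
        return [f"inspected handshake failed: TLS alert {b['alert']}"]
    findings = []
    if max(a["depths"], default=0) != max(b["depths"], default=0):
        findings.append(f"deepest chain entry: direct depth={max(a['depths'])} vs inspected depth={max(b['depths'])}")
    for key in ("Protocol version", "Ciphersuite", "Signature type", "Supported Elliptic Curve Point Formats"):
        if a.get(key) != b.get(key):
            findings.append(f"{key}: direct={a.get(key)} vs inspected={b.get(key)}")
    if a["verify_errors"] != b["verify_errors"]:
        findings.append(f"verify error codes: direct={a['verify_errors']} vs inspected={b['verify_errors']}")
    return findings
```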