Several Gentoo webpages using a Digicert certificate seem to have an unnecessary cert in the chain. See here:
https://www.ssllabs.com/ssltest/analyze.html?d=gentoo.org

The server sends three chain certificates:
DigiCert High Assurance EV Root CA
DigiCert High Assurance CA-3
DigiCert SHA2 High Assurance Server CA

The "DigiCert SHA2 High Assurance Server CA" is signing our certificate. The "DigiCert High Assurance EV Root CA" is a cross-signed Digicert root for old browsers not having the digicert root. (This should be replaced by a sha2-version, but that's an independent issue, I'll open another bug for that.)

But the "DigiCert High Assurance CA-3" seems to have no meaning whatsoever. I think it can safely be removed.

(In reply to Hanno Boeck from comment #0)
> Several Gentoo webpages using a Digicert certificate seem to have an
> unnecessary cert in the chain. See here:
> https://www.ssllabs.com/ssltest/analyze.html?d=gentoo.org

Hooray for the Qualys bug of the month. I think it's cute how people scan 'gentoo.org' and miss the about 40 other hosts, but anyway.

> The server sends three chain certificates:

The server being www and forums yes, they did. wiki.gentoo.org which you included in your original summary on the other hand already had the new CA bundle at the time of your writing.

> (This should be replaced by a
> sha2-version, but that's an independent issue, I'll open another bug for
> that.)

We got the message that sha1 is phased out, and have already started updating the intermediates; so thanks, but you can skip filing that bug.

So, to make that pesky warning go away, I pushed the remaining certs. (As always pending config management runs)
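
The chain check discussed in this bug, as an added example that is not part of either comment or of Gentoo's tooling: it walks issuer names upward from the leaf and reports any sent certificate that is not on that path. The three chain subjects come from comment #0; the leaf name, the issuers of the two older certificates, and the function names are assumptions made for illustration.

```python
# Added example: find chain certificates that are not on the issuer path
# from the leaf. Linking is by subject/issuer name only (assumption); a real
# check would also verify signatures and match key identifiers.

# Constructed sample of (subject, issuer) pairs. The three chain subjects are
# the ones listed in the report; the leaf name and every issuer other than
# the leaf's are placeholders or assumptions.
LEAF = ("www.example.org (placeholder leaf)",
        "DigiCert SHA2 High Assurance Server CA")
SENT_CHAIN = [
    ("DigiCert High Assurance EV Root CA", "Placeholder Legacy Root"),
    ("DigiCert High Assurance CA-3", "DigiCert High Assurance EV Root CA"),
    ("DigiCert SHA2 High Assurance Server CA",
     "DigiCert High Assurance EV Root CA"),
]


def issuer_path(leaf, chain):
    """Return the subjects needed to build a path upward from the leaf."""
    by_subject = {}
    for subject, issuer in chain:
        by_subject.setdefault(subject, issuer)  # first copy wins on duplicates
    path, wanted, seen = [], leaf[1], set()
    # Stop when the next issuer was not sent, or when a self-signed or
    # looping certificate would make the walk revisit a subject.
    while wanted in by_subject and wanted not in seen:
        seen.add(wanted)
        path.append(wanted)
        wanted = by_subject[wanted]
    return path


def audit_chain(leaf, chain):
    """Return (path, extra): certificates used, and certificates sent but unused."""
    path = issuer_path(leaf, chain)
    extra = [subject for subject, _ in chain if subject not in path]
    return path, extra


if __name__ == "__main__":
    needed, unused = audit_chain(LEAF, SENT_CHAIN)
    print("needed, leaf upward:", needed)
    print("sent but not on the path:", unused)
```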