When a client (e.g., a Chrome browser) accesses an HTTPS server, the server presents a certificate to
establish a secure connection. The client must validate the certificate to trust the server. The
certificate in this scenario has the following properties:
Subject name: myhost.example.com
SAN (Subject Alternative Name): DNS: myhost.example.com; DNS: myhost1.example.com
Extended Key Usage (EKU): Server authentication
Issuer: MyCA_Signing (an intermediate CA)
The server also sends an intermediate CA certificate for MyCA_Signing, signed by MyCA (the root
CA).
The client’s Trusted CA Certificate list does not include MyCA or MyCA_Signing.
Certificate Validation Process:
Name Validation: The client checks if the server’s hostname (myhost1.example.com) matches the
Subject name or a SAN in the certificate. Here, the SAN includes "myhost1.example.com," so the
name validation passes.
EKU Validation: The client verifies that the certificate’s EKU includes "Server authentication," which is
required for HTTPS. The EKU is correctly set to "Server authentication," so this validation passes.
Chain of Trust Validation: The client builds a certificate chain from the server’s certificate to a trusted
root CA in its Trusted CA Certificate list. The chain is:
Server certificate (issued by MyCA_Signing)
Intermediate CA certificate (MyCA_Signing, issued by MyCA)
Root CA certificate (MyCA, which should be in the client’s trust store)
The client’s Trusted CA Certificate list does not include MyCA or MyCA_Signing, meaning the client cannot build a chain to a trusted root CA. This causes the validation to fail.
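The three checks above, as an added example written for this page (it is not Chrome, AOS-CX or HPE code): a simplified Python model in which a certificate is a plain record linked to its issuer by name, the trust store is a list of such records, and per-link signature verification is omitted. The names MyCA, MyCA_Signing and the server certificate's SANs are the page's; the `serverAuth` EKU label and the function names are assumptions.

```python
from dataclasses import dataclass

# Constructed model of X.509 server-certificate validation. Chain links are
# made by issuer == subject only; real clients also verify each signature.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    sans: tuple = ()      # DNS names from the Subject Alternative Name extension
    eku: tuple = ()       # Extended Key Usage purposes
    is_ca: bool = False   # basicConstraints CA flag

def name_matches(cert, hostname):
    """Name validation: hostname must equal the Subject name or a DNS SAN."""
    return hostname == cert.subject or hostname in cert.sans

def eku_ok(cert):
    """EKU validation: HTTPS requires the Server authentication purpose."""
    return "serverAuth" in cert.eku

def build_chain(leaf, intermediates, trust_store):
    """Follow issuer links from the leaf until an issuer is found in the trust
    store. Returns the ordered chain, or None if no trusted anchor is reached."""
    by_subject = {c.subject: c for c in intermediates if c.is_ca}
    trusted = {c.subject: c for c in trust_store}
    chain, cur = [leaf], leaf
    while cur.issuer not in trusted:
        nxt = by_subject.get(cur.issuer)
        if nxt is None or nxt in chain:   # issuer not available, or a loop
            return None
        chain.append(nxt)
        cur = nxt
    return chain + [trusted[cur.issuer]]

def validate(leaf, intermediates, trust_store, hostname):
    """Run the three checks; returns (ok, list of failure reasons)."""
    reasons = []
    if not name_matches(leaf, hostname):
        reasons.append("no SAN matches hostname")
    if not eku_ok(leaf):
        reasons.append("EKU lacks serverAuth")
    if build_chain(leaf, intermediates, trust_store) is None:
        reasons.append("no chain to a trusted root CA")
    return (not reasons, reasons)

# The page's scenario, as constructed records.
MYCA = Cert("MyCA", "MyCA", is_ca=True)                   # self-signed root
MYCA_SIGNING = Cert("MyCA_Signing", "MyCA", is_ca=True)   # intermediate
SERVER = Cert("myhost.example.com", "MyCA_Signing",
              sans=("myhost.example.com", "myhost1.example.com"), eku=("serverAuth",))

if __name__ == "__main__":
    print(validate(SERVER, [MYCA_SIGNING], [], "myhost1.example.com"))      # empty trust store
    print(validate(SERVER, [MYCA_SIGNING], [MYCA], "myhost1.example.com"))  # MyCA trusted
```

With an empty trust store only the chain check fails, which is the page's Option A; adding MyCA (or MyCA_Signing itself) to the store makes the same certificate pass.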
Option A, "The client does not have the correct trusted CA certificates," is correct. The client’s trust
store must include the root CA (MyCA) to trust the certificate chain. Since MyCA is not in the client’s
Trusted CA Certificate list, the client cannot validate the chain, and the certificate is not trusted.
Option B, "The certificate lacks a valid SAN," is incorrect. The SAN includes "myhost1.example.com,"
which matches the server’s hostname, so the SAN is valid.
Option C, "The certificate lacks the correct EKU," is incorrect. The EKU is set to "Server
authentication," which is appropriate for HTTPS.
Option D, "The certificate lacks a valid SAN, and the client does not have the correct trusted CA
certificates," is incorrect because the SAN is valid, as explained above. The only issue is the missing
trusted CA certificates.
The HPE Aruba Networking AOS-CX 10.12 Security Guide states:
"For a client to trust a server’s certificate during HTTPS communication, the client must validate the
certificate chain to a trusted root CA in its trust store. If the root CA (e.g., MyCA) or intermediate CA
(e.g., MyCA_Signing) is not in the client’s Trusted CA Certificate list, the chain of trust cannot be
established, and the client will reject the certificate. The Subject Alternative Name (SAN) must
include the server’s hostname, and the Extended Key Usage (EKU) must include ‘Server
authentication’ for HTTPS." (Page 205, Certificate Validation Section)
Additionally, the HPE Aruba Networking Security Fundamentals Guide notes:
"A common reason for certificate validation failure is the absence of the root CA certificate in the
client’s trust store. For example, if a server’s certificate is issued by an intermediate CA (e.g.,
MyCA_Signing) that chains to a root CA (e.g., MyCA), the client must have the root CA certificate in
its Trusted CA Certificate list to trust the chain." (Page 45, Certificate Trust Issues Section)
HPE Aruba Networking AOS-CX 10.12 Security Guide, Certificate Validation Section, Page 205.
HPE Aruba Networking Security Fundamentals Guide, Certificate Trust Issues Section, Page 45.