This guide explains how to correctly interpret the detailed information provided by Qualys SSL Labs (https://www.ssllabs.com/ssltest/) which can sometimes seem technical or alarming without the appropriate context.

Preamble

• Qualys SSL Labs is a widely used analysis tool to evaluate the SSL/TLS configuration of websites.
• The warnings in their reports are often just technical details with no impact on the site's security or SEO.

Multiple certificates in SSL Labs reports

When SSL Labs analyzes a site, it may display several numbered certificates (certificate #1, certificate #2, etc.). This happens for several reasons:

1. Main certificate (#1): The certificate presented when SNI (Server Name Indication) is used.
   • SNI is a TLS extension that allows a server to host multiple SSL certificates for different domains on the same IP address. When a browser connects, it indicates the domain name it wants to join.
2. Secondary certificate (#2): The certificate presented when SNI is not used or during a direct IP connection.

An indication "No SNI" in certificate #2 is not an error. It simply means that SSL Labs tested what happens when a client connects without providing SNI information. In this case:

• The server provides a fallback certificate (often a generic or preview certificate).
• This situation only concerns very outdated clients that do not support SNI.
• Modern browsers all use SNI and will therefore receive certificate #1.

Certificate chain issues

"Chain issues: Incorrect order, Extra certs, Contains anchor"

These warnings do not necessarily mean that the certificate is defective:

• Incorrect order: The intermediate certificates are not presented in the optimal order.
• Extra certs: Unnecessary additional certificates are included.
• Contains anchor: The root certificate is included in the chain.

The TLS protocol allows the root certificate to be omitted as it is normally already present in the browsers' certificate stores. Including it is not an error, but a redundancy.

“Alternative names mismatch”

For the backup certificate (#2), the "MISMATCH" warning is normal because:

• This certificate is designed for another domain (preview.infomaniak.website).
• It is only presented when SNI is not used.
• The browser receiving this certificate would identify it as not matching the requested domain, but this does not affect normal connections with SNI.

Regarding SEO concerns:

• Google and other search engines use modern browsers that support SNI.
• They receive certificate #1, which is valid for your domain.
• Warnings regarding certificate #2 do not impact SEO.
• Only issues with the primary certificate (#1) could affect SEO.

This configuration is perfectly suited for shared hosting where multiple sites share the same infrastructure, with a preview certificate serving as a fallback solution.