000022846 - Certificate appears as not trusted even if the root CA is trusted

Document created by RSA Customer Support Employee on Jun 15, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000022846
Applies To:
Microsoft Internet Explorer 6.x
Microsoft Internet Information Server (IIS)
Keon Certificate Authority
Issue: Certificate appears as not trusted even if the root CA is trusted
Error: "The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certificate authority."
CA1 is signed by a Trusted Root CA in Internet Explorer. CA1 signs SSLServerCertificateA and SSLServerCertificateB.
SSLServerCertificateA is installed on WebServerA.
SSLServerCertificateB is installed on WebServerB.

When reaching WebServerA, no security warning shows up. When looking at the SSLServerCertificateA chain, the full certificate chain shows up and is valid.
When reaching WebServerB, the security warning DOES show up. When looking at the SSLServerCertificateB chain, the full chain does not show up.

SSLServerCertificateA and SSLServerCertificateB both have the same Issuer and AKI (Authority Key Identifier).
Cause: WebServerA has CA1 in its Intermediate Trusted CA store. WebServerB does not have CA1 in its Intermediate Trusted CA store, which is why the certificate chain is broken.
Resolution: Given the above example, WebServerB must have CA1 in the Intermediate Trusted CA store so it can present the full chain to the client.

You must install the entire CA certificate chain in your web server's Trusted CA store. Follow your web server's guide on how to install CA certificates.
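
The broken-chain condition described above can be reproduced offline with OpenSSL. This is an added example, not part of the original RSA article: it builds a constructed lab PKI (the names "Lab Root CA" and "webserver.example.test" and all file names are placeholders) and verifies the leaf as a client holding only the root would, with and without CA1 supplied.

```shell
#!/bin/sh
# Constructed lab PKI: "Lab Root CA" -> "CA1" -> leaf. All names and files are placeholders.
make_lab_pki() {   # $1 = empty working directory
    d=$1
    cat > "$d/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    # Root: self-signed, stands in for the Trusted Root CA already in the client's store.
    openssl req -x509 -config "$d/lab.cnf" -extensions ca -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Lab Root CA" -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    # CA1: intermediate CA signed by the root.
    openssl req -new -config "$d/lab.cnf" -newkey rsa:2048 -nodes -subj "/CN=CA1" \
        -keyout "$d/ca1.key" -out "$d/ca1.csr" 2>/dev/null
    openssl x509 -req -in "$d/ca1.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -set_serial 2 \
        -days 2 -extfile "$d/lab.cnf" -extensions ca -out "$d/ca1.pem" 2>/dev/null
    # Leaf: SSL server certificate signed by CA1 (its AKI points at CA1's key).
    openssl req -new -config "$d/lab.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=webserver.example.test" -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca1.pem" -CAkey "$d/ca1.key" -set_serial 3 \
        -days 2 -extfile "$d/lab.cnf" -extensions leaf -out "$d/leaf.pem" 2>/dev/null
}

# chain_verifies ROOT LEAF [INTERMEDIATES]
# Succeeds only if LEAF chains to ROOT using the certificates the server supplied.
chain_verifies() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

lab=$(mktemp -d)
make_lab_pki "$lab"
# WebServerA presents leaf + CA1; WebServerB presents the leaf alone.
chain_verifies "$lab/root.pem" "$lab/leaf.pem" "$lab/ca1.pem" && echo "WebServerA: chain OK"
chain_verifies "$lab/root.pem" "$lab/leaf.pem" || echo "WebServerB: chain broken (CA1 missing)"
rm -rf "$lab"
```

To see which certificates a live server actually sends, `openssl s_client -connect <host>:443 -showcerts` prints the presented chain; a server in WebServerB's state shows only the leaf.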
Legacy Article ID: a30666
