|Applies To||Microsoft Internet Explorer 6.x|
Microsoft Internet Information Server (IIS)
Keon Certificate Authority
|Issue||Certificate appears as not trusted even if the root CA is trusted|
Error: "The security certificate was issued by a company you have not chosen to trust. View the certificate to determine whether you want to trust the certificate authority."
CA1 is signed by a Trusted Root CA in Internet Explorer. CA1 signs SSLServerCertificateA and SSLServerCertificateB.
SSLServerCertificateA is installed on WebServerA.
SSLServerCertificateB is installed on WebServerB.
When reaching WebServerA, no security warning shows up. When looking at the SSLServerCertificateA chain, the full certificate chain shows up and is valid.
When reaching WebServerB, the security warning DOES show up. When looking at the SSLServerCertificateB chain, the full chain does not show up.
SSLServerCertificateA and SSLServerCertificateB both have the same Issuer and AKI.
|Cause||WebServerA has CA1 in the Intermediate Trusted CA store. WebServerB does not have CA1 in the Intermediate Trusted CA store, which is why the certificate chain is broken.|
|Resolution||Given the above example, WebServerB must have CA1 in the Intermediate Trusted CA store so it can present the full chain to the client.|
You must install the entire CA certificate chain in your web server's Trusted CA store. Follow your web server's guide on how to install CA certificates.
|Legacy Article ID||a30666|
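
The following added example (not part of the original article) models the cause and resolution above: the server sends only the issuers it finds in its own intermediate store, and the client walks from the leaf to a trusted root. The `Cert` record, function names and key identifiers are hypothetical, and the client is assumed to use only the presented certificates plus its trusted roots.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    ski: str  # Subject Key Identifier
    aki: str  # Authority Key Identifier (the issuer's SKI)

def issued_by(child, parent):
    """Link two certificates by issuer name and key identifier."""
    return child.issuer == parent.subject and child.aki == parent.ski

def server_chain(leaf, intermediate_store):
    """What the server sends: the leaf plus each issuer found in its own store."""
    chain = [leaf]
    while True:
        parent = next((c for c in intermediate_store if issued_by(chain[-1], c)), None)
        if parent is None or parent in chain:
            return chain
        chain.append(parent)

def client_verdict(presented, trusted_roots):
    """Walk from the leaf to a trusted root using only the presented certificates."""
    current, pool = presented[0], presented[1:]
    path = [current.subject]
    while True:
        root = next((r for r in trusted_roots if issued_by(current, r)), None)
        if root is not None:
            return "trusted", path + [root.subject]
        parent = next((c for c in pool if issued_by(current, c)), None)
        if parent is None or parent.subject in path:
            return "untrusted: chain stops at issuer %r" % current.issuer, path
        path.append(parent.subject)
        current = parent

# Constructed sample data mirroring the article's scenario (key ids are made up).
ROOT = Cert("Root CA", "Root CA", "k-root", "k-root")
CA1 = Cert("CA1", "Root CA", "k-ca1", "k-root")
CERT_A = Cert("SSLServerCertificateA", "CA1", "k-a", "k-ca1")
CERT_B = Cert("SSLServerCertificateB", "CA1", "k-b", "k-ca1")

if __name__ == "__main__":
    print("WebServerA:", client_verdict(server_chain(CERT_A, [CA1]), [ROOT]))
    print("WebServerB:", client_verdict(server_chain(CERT_B, []), [ROOT]))
    print("WebServerB after installing CA1:",
          client_verdict(server_chain(CERT_B, [CA1]), [ROOT]))
```

Both leaf certificates carry the same Issuer and AKI, yet only the server that holds CA1 in its intermediate store yields a path the client can complete.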