KB Article #73581

Obtain intermediate and root certificates for server certificate

Problem

If you do not know which intermediate and root certificates you need to make your HTTPS/FTPS/SSH certificate show as Valid and chained to a trusted root, follow the instructions below.


Resolution

To make your certificate appear as chained and trusted in the SecureTransport application, you need to import its intermediate and root certificates in the Trusted CAs section under Setup -> Certificates in the Admin UI.

 

If you do not know which certificates these two are, you can use your Windows workstation to determine that.

 

Export the server certificate that you're trying to trust. To do this, navigate to the Admin UI, click on the certificate alias, include the private key on the next page, and save the file on your hard drive.

 

Now locate the file and double-click it. The Windows certificate import wizard should launch and assist you in importing the certificate into the Windows keystore. Once the process is complete, open an instance of Internet Explorer and navigate to Tools -> Internet options -> Content tab -> Certificates button.

 

Under the "Personal" section you should see your certificate. Select it and click the View button. In the dialog that opens, go to the Certification path tab and check whether it shows the certificate chain.

 

If your certificate appears alone in the field, then your Windows workstation does not have the correct certificates in its store either, so it cannot be used to obtain the chain of trust.

 

However, in most cases they should be present: you should see your server certificate, its intermediate and the root CA in hierarchical order. Select either the intermediate or the root certificate and click the View Certificate button. In the new dialog that opens, go to the Details tab and select Copy to file at the bottom. This should produce a .crt file in a destination of your choice. Close the new dialog and repeat the procedure for the other certificate.

 

Once you've gathered the two files, please navigate back to the Admin UI -> Setup -> Trusted CAs section and import the 2 files, one after the other.

 

As a result of the two imports your certificate should now say "Valid and chained to a trusted root" when you click on the alias in Local Certificates.
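
The Certification path and Copy to file steps above can also be scripted on the Windows workstation. The following PowerShell is an added example, not part of the original article or the SecureTransport product; it reads the exported file directly instead of importing it into the Personal store, and the paths in `$PfxPath` and `$OutDir` are hypothetical.

```powershell
# Added example. $PfxPath and $OutDir are hypothetical; adjust to your export.
$PfxPath = 'C:\temp\server.pfx'   # server certificate exported from the Admin UI
$OutDir  = 'C:\temp\chain'        # where the issuer certificates are written

$X509 = 'System.Security.Cryptography.X509Certificates'
$password = Read-Host -AsSecureString 'Password of the exported file'
$cert = New-Object "$X509.X509Certificate2" -ArgumentList $PfxPath, $password

$chain = New-Object "$X509.X509Chain"
# Revocation status is irrelevant for discovering issuers, so skip CRL/OCSP.
$chain.ChainPolicy.RevocationMode = [Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
[void]$chain.Build($cert)

# Element 0 is the server certificate itself; issuers follow in order up to the root.
if ($chain.ChainElements.Count -lt 2) {
    Write-Warning 'Only the server certificate was found; this workstation does not hold its issuers.'
}
else {
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    $der = [Security.Cryptography.X509Certificates.X509ContentType]::Cert
    for ($i = 1; $i -lt $chain.ChainElements.Count; $i++) {
        $c = $chain.ChainElements[$i].Certificate
        # A self-signed element (subject equals issuer) is the root CA.
        $role = if ($c.Subject -eq $c.Issuer) { 'root' } else { 'intermediate' }
        $file = Join-Path $OutDir ('{0}-{1}.crt' -f $i, $role)
        # Content type Cert writes the public certificate only, DER-encoded.
        [System.IO.File]::WriteAllBytes($file, $c.Export($der))
        '{0,-12} {1}  SHA1={2}  -> {3}' -f $role, $c.Subject, $c.Thumbprint, $file
    }
    # Report why Windows does not fully trust the chain, if it does not.
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation.Trim() }
}
```

Compare the printed subjects and thumbprints with what the Certification path tab shows before importing the files into Trusted CAs.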