Solved

Export SSL certificate with Root CA and Intermediates chain (full chain)

Posted on 2014-12-03
3
556 Views
Last Modified: 2014-12-08
We are trying to get an SSL certificate correctly working on an external service/security device where SSL terminates, which then sends traffic to the web servers here.

The certificate is a GoDaddy certificate. We have it working now where everything passes on the SSL test, except the Root CA is missing, so this is what we're trying to fix.

We haven't yet uploaded our SSL cert directly to the security device/service, it initially pulled the cert from the live web site somehow. But since the Root CA is missing we need to find a solution, the device does accept directly uploading certificate files in .pfx, .pem and .cer formats.

Would exporting the SSL cert from Windows as a .PFX, and enabling the option below include the Root CA, or only the Intermediaries? :

- Include all certificates in the certification path if possible



Last question, as possibly we can merge into one file all the certificates needed.. the security device accepts .PEM format so I'm wondering if taking the .PEM I have (used OpenSSL to export the .PFX to PEM) and then pasting into that .PEM file the root CA cipher code, and the Intermediate cipher code(s) -  and then uploading that one .PEM file do the trick? Or can a .PEM only have one certificate contained.  The .PEM I have has some header stuff before the ------BEGIN CERTIFICATE---- part.


Problem is this site is now live and in production, using this security device/service so I'm not going to have much time to play around as I will be disrupting the site once I start this troubleshooting. So hoping someone has some experience with these things so I can have some files ready to try and complete this as quickly as possible.


Thanks
0
Comment
Question by:Vas
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 29

Expert Comment

by:becraig
ID: 40478415
You can simply export the root and intermediate certificates in the chain and install on the device.  

Also if you include all certificates in the path in your export it should (however this does not always work )


I suggest exporting the root and intermediate then installing them.
0
 
LVL 1

Author Comment

by:Vas
ID: 40478445
The issue is I can only upload ONE file.   Are you saying it should work if I merged all the exported certs into one file?
0
 
LVL 80

Accepted Solution

by:
David Johnson, CD, MVP earned 500 total points
ID: 40480011
GoDaddy and most other Certificate Authorities no longer give out keys from their root CA, but use issuing CA's that have the root ca cert installed. The root CA certificate is the gold to the kingdom. If it gets compromised then ALL certificates have to be revoked and re-issued (google Diginotar as the CA that was compromised and went bankrupt the same day)

Most CA's have a full certificate path download (I use and recommend digicert) and had a very bad experience with Godaddy..hint don't ever revoke a cert from them use re-key instead
0

Featured Post

What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Since pre-biblical times, humans have sought ways to keep secrets, and share the secrets selectively.  This article explores the ways PHP can be used to hide and encrypt information.
This article explains how to install and use the NTBackup utility that comes with Windows Server.
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

756 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question