Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Export SSL certificate with Root CA and Intermediates chain (full chain)

Posted on 2014-12-03
3
Medium Priority
?
1,002 Views
Last Modified: 2014-12-08
We are trying to get an SSL certificate correctly working on an external service/security device where SSL terminates, which then sends traffic to the web servers here.

The certificate is a GoDaddy certificate. We have it working now where everything passes on the SSL test, except the Root CA is missing, so this is what we're trying to fix.

We haven't yet uploaded our SSL cert directly to the security device/service, it initially pulled the cert from the live web site somehow. But since the Root CA is missing we need to find a solution, the device does accept directly uploading certificate files in .pfx, .pem and .cer formats.

Would exporting the SSL cert from Windows as a .PFX, and enabling the option below include the Root CA, or only the Intermediaries? :

- Include all certificates in the certification path if possible



Last question, as possibly we can merge into one file all the certificates needed.. the security device accepts .PEM format so I'm wondering if taking the .PEM I have (used OpenSSL to export the .PFX to PEM) and then pasting into that .PEM file the root CA cipher code, and the Intermediate cipher code(s) -  and then uploading that one .PEM file do the trick? Or can a .PEM only have one certificate contained.  The .PEM I have has some header stuff before the ------BEGIN CERTIFICATE---- part.


Problem is this site is now live and in production, using this security device/service so I'm not going to have much time to play around as I will be disrupting the site once I start this troubleshooting. So hoping someone has some experience with these things so I can have some files ready to try and complete this as quickly as possible.


Thanks
0
Comment
Question by:Vas
3 Comments
 
LVL 29

Expert Comment

by:becraig
ID: 40478415
You can simply export the root and intermediate certificates in the chain and install on the device.  

Also if you include all certificates in the path in your export it should (however this does not always work )


I suggest exporting the root and intermediate then installing them.
0
 
LVL 1

Author Comment

by:Vas
ID: 40478445
The issue is I can only upload ONE file.   Are you saying it should work if I merged all the exported certs into one file?
0
 
LVL 84

Accepted Solution

by:
David Johnson, CD, MVP earned 2000 total points
ID: 40480011
GoDaddy and most other Certificate Authorities no longer give out keys from their root CA, but use issuing CA's that have the root ca cert installed. The root CA certificate is the gold to the kingdom. If it gets compromised then ALL certificates have to be revoked and re-issued (google Diginotar as the CA that was compromised and went bankrupt the same day)

Most CA's have a full certificate path download (I use and recommend digicert) and had a very bad experience with Godaddy..hint don't ever revoke a cert from them use re-key instead
0

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The following article is comprised of the pearls we have garnered deploying virtualization solutions since Virtual Server 2005 and subsequent 2008 RTM+ Hyper-V in standalone and clustered environments.
Resolving an irritating Remote Desktop connection that stops your saved credentials from being used.
This tutorial will walk an individual through the process of configuring basic necessities in order to use the 2010 version of Data Protection Manager. These include storage, agents, and protection jobs. Launch Data Protection Manager from the deskt…
This tutorial will walk an individual through the process of installing of Data Protection Manager on a server running Windows Server 2012 R2, including the prerequisites. Microsoft .Net 3.5 is required. To install this feature, go to Server Manager…

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question