Solved

Export SSL certificate with Root CA and Intermediates chain (full chain)

Posted on 2014-12-03
3
469 Views
Last Modified: 2014-12-08
We are trying to get an SSL certificate correctly working on an external service/security device where SSL terminates, which then sends traffic to the web servers here.

The certificate is a GoDaddy certificate. We have it working now where everything passes on the SSL test, except the Root CA is missing, so this is what we're trying to fix.

We haven't yet uploaded our SSL cert directly to the security device/service, it initially pulled the cert from the live web site somehow. But since the Root CA is missing we need to find a solution, the device does accept directly uploading certificate files in .pfx, .pem and .cer formats.

Would exporting the SSL cert from Windows as a .PFX, and enabling the option below include the Root CA, or only the Intermediaries? :

- Include all certificates in the certification path if possible



Last question, as possibly we can merge into one file all the certificates needed.. the security device accepts .PEM format so I'm wondering if taking the .PEM I have (used OpenSSL to export the .PFX to PEM) and then pasting into that .PEM file the root CA cipher code, and the Intermediate cipher code(s) -  and then uploading that one .PEM file do the trick? Or can a .PEM only have one certificate contained.  The .PEM I have has some header stuff before the ------BEGIN CERTIFICATE---- part.


Problem is this site is now live and in production, using this security device/service so I'm not going to have much time to play around as I will be disrupting the site once I start this troubleshooting. So hoping someone has some experience with these things so I can have some files ready to try and complete this as quickly as possible.


Thanks
0
Comment
Question by:Vas
3 Comments
 
LVL 28

Expert Comment

by:becraig
ID: 40478415
You can simply export the root and intermediate certificates in the chain and install on the device.  

Also if you include all certificates in the path in your export it should (however this does not always work )


I suggest exporting the root and intermediate then installing them.
0
 
LVL 1

Author Comment

by:Vas
ID: 40478445
The issue is I can only upload ONE file.   Are you saying it should work if I merged all the exported certs into one file?
0
 
LVL 78

Accepted Solution

by:
David Johnson, CD, MVP earned 500 total points
ID: 40480011
GoDaddy and most other Certificate Authorities no longer give out keys from their root CA, but use issuing CA's that have the root ca cert installed. The root CA certificate is the gold to the kingdom. If it gets compromised then ALL certificates have to be revoked and re-issued (google Diginotar as the CA that was compromised and went bankrupt the same day)

Most CA's have a full certificate path download (I use and recommend digicert) and had a very bad experience with Godaddy..hint don't ever revoke a cert from them use re-key instead
0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Join & Write a Comment

I don't know if many of you have made the great mistake of using the Cisco Thin Client model with the management software VXC. If you have then you are probably more then familiar with the incredibly clunky interface, the numerous work arounds, and …
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now