Solved

Export SSL certificate with Root CA and Intermediates chain (full chain)

Posted on 2014-12-03
Last Modified: 2014-12-08
We are trying to get an SSL certificate correctly working on an external service/security device where SSL terminates, which then sends traffic to the web servers here.

The certificate is a GoDaddy certificate. We have it working now where everything passes on the SSL test, except the Root CA is missing, so this is what we're trying to fix.

We haven't yet uploaded our SSL cert directly to the security device/service, it initially pulled the cert from the live web site somehow. But since the Root CA is missing we need to find a solution, the device does accept directly uploading certificate files in .pfx, .pem and .cer formats.

Would exporting the SSL cert from Windows as a .PFX and enabling the option below include the Root CA, or only the intermediaries?

- Include all certificates in the certification path if possible

Last question: possibly we can merge all the certificates needed into one file. The security device accepts .PEM format, so I'm wondering if taking the .PEM I have (I used OpenSSL to export the .PFX to PEM), pasting the root CA cipher code and the intermediate cipher code(s) into that .PEM file, and then uploading that one .PEM file would do the trick? Or can a .PEM only contain one certificate? The .PEM I have has some header stuff before the -----BEGIN CERTIFICATE----- part.


The problem is this site is now live and in production using this security device/service, so I'm not going to have much time to play around, as I will be disrupting the site once I start this troubleshooting. So I'm hoping someone has some experience with these things, so I can have some files ready to try and complete this as quickly as possible.


Thanks
Question by:Vas
3 Comments
 
LVL 29

Expert Comment

by:becraig
ID: 40478415
You can simply export the root and intermediate certificates in the chain and install them on the device.

Also, if you include all certificates in the path in your export it should (however, this does not always work).

I suggest exporting the root and intermediate, then installing them.
0
 
LVL 1

Author Comment

by:Vas
ID: 40478445
The issue is I can only upload ONE file. Are you saying it should work if I merged all the exported certs into one file?
0
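An added example, not from any post in this thread, of what the merged .PEM asked about above looks like in practice: a small Python script that pulls the certificate block out of the PEM that `openssl pkcs12` produced (dropping the "Bag Attributes", subject= and issuer= header lines), appends the intermediate and root certificates in leaf-to-root order, and rejects any block whose base64 was mangled while pasting. The certificate and key bodies below are constructed placeholders, not real certificates.

```python
import base64
import re

# Constructed sample of what "openssl pkcs12 -in site.pfx -out site.pem -nodes"
# emits: "Bag Attributes", subject= and issuer= lines wrapped around each block.
# The base64 bodies are placeholders, not real certificates or keys.
PKCS12_PEM = """Bag Attributes
    localKeyID: 01 02 03
subject=/CN=www.example.com
issuer=/CN=Example Intermediate CA
-----BEGIN CERTIFICATE-----
TEVBRi1DRVJU
-----END CERTIFICATE-----
Bag Attributes
-----BEGIN PRIVATE KEY-----
S0VZ
-----END PRIVATE KEY-----
"""
INTERMEDIATE_PEM = "-----BEGIN CERTIFICATE-----\nSU5URVJNRURJQVRF\n-----END CERTIFICATE-----\n"
ROOT_PEM = "-----BEGIN CERTIFICATE-----\nUk9PVA==\n-----END CERTIFICATE-----\n"

BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def pem_blocks(text, label):
    """Return every PEM block with this label, in file order, without the header lines."""
    blocks = []
    for m in BLOCK_RE.finditer(text):
        if m.group(1) != label:
            continue
        body = m.group(2).strip()
        # A mangled paste (missing line, stray character) fails here, not on the device.
        base64.b64decode("".join(body.split()), validate=True)
        blocks.append(f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n")
    return blocks


def build_fullchain(leaf_pem, intermediate_pems, root_pem, include_key=False):
    """Concatenate leaf, then intermediates in issuing order, then the root; order matters."""
    leaf = pem_blocks(leaf_pem, "CERTIFICATE")
    if len(leaf) != 1:
        raise ValueError(f"expected one leaf certificate, found {len(leaf)}")
    chain = leaf[:]
    for pem in intermediate_pems:
        chain += pem_blocks(pem, "CERTIFICATE")
    chain += pem_blocks(root_pem, "CERTIFICATE")
    key = []
    if include_key:  # some devices want key and chain in one .pem, others want them separate
        for label in ("PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"):
            key += pem_blocks(leaf_pem, label)
    return "".join(key + chain)
```

Before uploading the result, check that the real certificates actually chain: `openssl verify -CAfile root.pem -untrusted intermediate.pem site.pem`.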
 
LVL 83

Accepted Solution

by: David Johnson, CD, MVP (earned 2000 total points)
ID: 40480011
GoDaddy and most other Certificate Authorities no longer give out keys from their root CA, but use issuing CAs that have the root CA cert installed. The root CA certificate is the gold to the kingdom. If it gets compromised, then ALL certificates have to be revoked and re-issued (Google DigiNotar, the CA that was compromised and went bankrupt the same day).

Most CAs have a full certificate path download (I use and recommend DigiCert). I had a very bad experience with GoDaddy. Hint: don't ever revoke a cert from them; use re-key instead.
0
