Prior to installing a certificate, why would viewing the Certificate Path be different on different computers?

Prior to installing (I plan to install it tomorrow night), I simply double-clicked the Comodo certificate I purchased on both a Windows 2008 R2 Server (the server from which I created the CSR) and on my Windows 7 client computer.

Why do I see:

3 certs in the chain on Windows 7?
4 certs in the chain on Windows 2008 R2?

Thank you for your time in advance!
-K
K B asked:

Simon Butler (Sembee), Consultant, commented:
Usually that means there is a missing root certificate.
Ensure that the machines are getting the root certificate updates that Microsoft release periodically.

Simon.
0
K B (Author) commented:
I should have mentioned those certificates both say "this certificate is OK".
0
btan, Exec Consultant, commented:
The right chain is 4, namely including the RootCA, which is missing from the client Win7.
https://support.comodo.com/index.php?/Default/Knowledgebase/Article/View/620/1/which-is-root-which-is-intermediate
UserTrust / AddTrust External Root
COMODO RSA Certification Authority
COMODO RSA Extended Validation Secure Server CA
End-Entity/Domain Certificate
If we do not install all the certificates then we will receive a "not trusted error message" when going to the secure area of our web site.

In fact, in the Win7 cert chain shown, it is issued by COMODO (as RootCA) instead of UserTrust (the latter is a Comodo reseller). I believe the former is currently a RootCA in IE's default RootCA list, while the server does not have that already and is more on the UserTrust CA, which is used for all issued certs now, as the above link shows. Servers need higher assurance, and the previous Comodo fraudulent saga may have spun off another "external" trust CA.

You can test to see if there is no trust error and you will know if the RootCA is in or validate via https://www.ssllabs.com/ssltest/analyze.html

For info - do note that, depending on the type of import, a .cer file contains Root, Intermediates, and domain certificate, all rolled into one file (PKCS#7). A .crt file contains the end-entity/domain certificate only, so the Root and Intermediate(s) will need to be installed manually.
0
K B (Author) commented:
Could it be that there are different chains on different operating systems even when both are fully patched? At the root of each is a valid certificate: on 2008R2 it expires in 2020, and on Windows 7 yet another root cert expires in 2038. Perhaps the company abandons their old root cert in support of a newer, more compatible root cert (in newer operating systems), thus not messing with what will soon be not supported? Or, perhaps more plausibly, 2008R2 is not fully patched (I won't have time to check with this client, as the new cert is installed as of tonight and I won't be looking back for a week or so)?
0
btan, Exec Consultant, commented:
I did see this in the Comodo forum, which may help explain a bit:
Comodo has been in Mozilla's Root CA program since before Phoenix/Firebird was renamed Firefox under both 'AddTrust' and 'UserTrust'. (Various different CA names) The one you link to is 'Comodo Certification Authority', which we use mostly as a Cross Signed Intermediate. It's safe to say all versions of Firefox support Comodo certificates issued via the 'AddTrust External CA Root', which 99.999% of our certs are.

The AddTrust External CA Root was added to the Microsoft Root CA program around the time Windows 7 hit the retail market, which was in October 2009. Both Windows 7 and Vista have automatic Root CA updates (but can be disabled by a SysAdmin) whereas NT 5.0 Family (2000, 2003, XP) all need to update via a file (rootupd.exe)
http://forums.comodo.com/ssl-certificate/comodo-root-ca-when-did-it-become-a-member-of-t82244.0.html

This is also what I am thinking: there must be some changes and updates for Root CAs to keep them up to date. I would not be surprised if server systems tend to have more stringent lockdown needs, making sure certificates are up to date, especially when a breach has happened to a 3rd-party cert provider. We can also check the certificate store via MMC (besides via the IE browser), specifically both the personal and machine cert and root stores, to see if COMODO and/or USERTRUST are available. You may also know that the Root CA is common regardless of machine or user store, as below:
Be aware that all current user certificate stores inherit the contents of the local machine certificate stores. For example, if a certificate is added to the local machine Trusted Root Certification Authorities certificate store, all current user Trusted Root Certification Authorities certificate stores also contain the certificate.
... regardless, as long as these two different Root CAs are valid (not revoked), trusted and not expired, I see them as still safe and trusted for the issued SSL cert, for the web server and user browser per se. Otherwise, if there is a warning prompt, then it is more a matter of importing into the machine as required.
0
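
One way to run the store check described in the answer above from PowerShell instead of MMC, as an added example that is not part of the original thread: it builds the certificate path using the local machine's stores and lists the COMODO, USERTRUST and AddTrust roots present, so the output from the two machines can be compared. The certificate file path is a placeholder.

```powershell
# Added example, not from the thread.
# $CertPath is a placeholder: point it at the purchased certificate file.
$CertPath = 'C:\temp\your_domain.crt'

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# No revocation lookups: report only how the path is built on this machine.
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$trusted = $chain.Build($cert)

"Chain trusted on this machine: $trusted, certificates in path: $($chain.ChainElements.Count)"

# Element 0 is the end-entity certificate; the last element is the top of the path.
$rows = foreach ($el in $chain.ChainElements) {
    $c = $el.Certificate
    New-Object PSObject -Property @{
        Subject    = $c.GetNameInfo('SimpleName', $false)
        Issuer     = $c.GetNameInfo('SimpleName', $true)
        NotAfter   = $c.NotAfter
        SelfSigned = ($c.Subject -eq $c.Issuer)
        # Which machine store, if any, already holds this exact certificate.
        InRoot     = Test-Path "Cert:\LocalMachine\Root\$($c.Thumbprint)"
        InCA       = Test-Path "Cert:\LocalMachine\CA\$($c.Thumbprint)"
        Status     = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
    }
}
$rows | Select-Object Subject, Issuer, NotAfter, SelfSigned, InRoot, InCA, Status | Format-List

# Roots from the vendor names mentioned in the thread that this machine trusts.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -match 'COMODO|USERTRUST|AddTrust' } |
    Sort-Object NotAfter |
    Format-Table Subject, NotAfter, Thumbprint -AutoSize
```

Run it on both machines and compare the last element of each path and its NotAfter date against the roots listed at the end.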
