Incomplete certificate chain detected on Windows servers

Incomplete certificate chain on Windows servers

Windows server users may encounter an “untrusted connection” error when accessing their websites, even after importing a PKCS#7 certificate with the full chain. This issue is more prevalent on mobile devices than desktops, particularly with Comodo certificates.

When inspecting the certificate installation using an online checker, you may notice that only one intermediate certificate is returned.

To comprehend the root of the issue and how to resolve it, it’s essential to understand how Windows servers interact with SSL certificates. Firstly, note that Windows servers do not transmit root certificates during the SSL handshake and construct certificate chains by selecting the shortest available route.

Let us investigate this issue using the example of a Comodo PositiveSSL certificate. PositiveSSL (and other Comodo certificates) has two variants of CA chain. One ends up with SHA-1 root certificate and the other is completed by a newer SHA-2 root, which is not included in trusted stores of most mobile devices and might be missing in old versions of desktop browsers.

Newer versions of Windows servers contain both AddTrust External CA Root (SHA-1 root) certificates and Comodo RSA Certification Authority (SHA-2 root). As you see from the screenshot above, the chain that ends up with SHA-2 root is shorter. Therefore, the server will prefer the chain file that ends up with Comodo RSA Certification Authority. Taking into account that the root certificate is not sent by the server gives us the end-entity certificate with one intermediate submitted to client and possible security warnings about the certificate being untrusted.

In order to overcome the issue, you’ll need to disable the usage of the root certificate that prevents building a proper certificate chain. Follow the steps below:

ជំហានទី 1

ចុច Win + Rវាយបញ្ចូល mmc ។ ហើយចុច OK to open Microsoft Management Console. Make sure that you are logged in as administrator.

ជំហានទី 2

ចុចលើ ឯកសារ និងជ្រើសរើស បន្ថែម/លុប Snap-in ជម្រើស។

ជំហានទី 3

ជ្រើសប៊ូតុង វិញ្ញាបនប័ត្រ ហើយចុច បន្ថែម.

ជំហានទី 4

ជ្រើស Computer account, ហើយ​បន្ទាប់​មក បន្ទាប់.

ជំហានទី 5

ជ្រើសប៊ូតុង Local Computer ប៊ូតុងមូលហើយចុច បញ្ចប់.

ជំហានទី 6

ចុច OK ដើម្បីអនុវត្តការផ្លាស់ប្តូរ។

This will open a certificate manager, where you will be able to see the certificates added to the trusted stores (root and intermediate certificates that are integrated to a Windows server).

ជំហានទី 7

ពង្រីក អាជ្ញាធរផ្តល់វិញ្ញាបនប័ត្រឫសគល់ដែលទុកចិត្ត store and click on the វិញ្ញាបនប័ត្រ folder. You will see all root certificates imported to your server here. The certificate we are interested in will be also here.

ជំហានទី 8

Right-click on the required certificate and click on លក្ខណៈសម្បត្តិ.

ជំហានទី 9

Put the radio-button on Disable all purposes for this certificateរួចចុចលើ អនុវត្ត និង OK. The changes should be implemented instantly.

ចំណាំ: Alternatively, you can delete the certificate from the store, however, there is a chance it will appear again after the Windows server restart.

This should resolve the issue with the certificate chain returned by the Windows server and remove all the warnings in browser.