spent a whole day cursing and swearing
on a certificate error that I got using the webservices of one of our clients.
They installed a new certificate since their old one was going to expire in a
few days. No biggie I thought. My server will detect the new certificate,
install it and do its work as usual. Boy was I wrong.
navigating to their webservices using a browser, I immediately got the
certificate error. Again no problem I thought. I’ll just install the
certificate manually. Unfortunately, this did not solve the problem. So I went
online searching for a solution. Yet the steps other online articles took
weren’t very clear to get to the solution. Therefore I’m posting this tip.
I was given the error "Certificate not issued by a trusted Certificate Authority" and "Certificate cannot be trusted up to a certificate Authority" on a Windows Server 2008 R2.
What is a SSL “Secure socket layer” certificate?
Certificates are small data files that digitally bind a cryptographic key to an
organization’s details. When installed on a web server, it activates the
padlock and the https protocol (over port 443) and allows secure connections
from a web server to a browser.
How does a SSL Certificate work?
“Certification Authority” issues a certificate to a domain. It verifies the
domain because the (web)server that needs
a certificate generates a certificate request. The certificate is then
mailed by the CA to email@example.com
or firstname.lastname@example.org. This two layer verification prevents the
certificate from falling into the hands of a miscellaneous domain or user.
certificate holds a path within. This may sound strange but is actually quite
logical (took me a while to figure it out “I’m not that smart”) Anyone can
issue a certificate. But just because you
issue a certificate does not mean the certificate is valid. Only a
certificate issued by a valid CA is valid.
I can hear you thinking, who decides which CA
is valid and which ones are not?
would be you! You decide which CAs can be trusted to issue a certificate.
Microsoft automatically installs a few of these CAs on your computer as
trusted. There are only a few CAs that are commonly used like:
|CA || Market
CA Limited ||7.16 |
prevent you from trusting a certificate that is issued by a CA, the CA holds a
root certificate. There can also be additional certificated after that like,
extended validation cert, third party, etc. After all that is the actual domain certificate that is issued to the
holder / requester of the domain
certificate. So you can see the path now
- Any other certificates (can be more than one)
image below shows how this can be viewed on the webpage. Just click on the
little lock next to the URL. Then click view certificates and the below image will
can see, there are actually three certificates used to validate the website you
website you are visiting only (in this case) provides the 2028.globalsign.com certificate. The
other two certificates were already on your computer. This is how the
2028.globalsign.com certificate was validated by your computer.
What causes the error then?
Well, you should probably have figured out that you are missing one of the first
two certificates. Therefore, the domain certificate could not be verified. Giving
the error “Not issued by a trusted CA”.
How do I make the CA trusted then?
have to download the root certificate from the CA that issued the domain
certificate and install it. You will not be able to see that certificate on the
computer that gives the certificate error. Simply because it isn’t installed.
You’ll have to download it from the website that issued the domain certificate.
Just Google it: “download comodo root certificate”, ” download godaddy root
How do I install it?
you downloaded the certificate, double click on it. Then click Install
certificate. You will be prompted with a wizard raising the question where you
want to install it. Select the archive option.
Browse. If available, select the “Show physical archive selectionbox”. Then select
within the tree options: Trusted
Certification Authorities à local computer
Now that you have done this, we should check if
all the certificates are in the right place.
Start en type “
mmc”. A console application will start up. Within the console
application, do the following. Go to File -> Actions -> Add snap ins.
window will open. Select “Certificates”.
You will be given three options. Current User, Local computer and
applications. Select the Current user. Then perform the same action for Local
options, you will find a folder called “Trusted Certificate Authorities”. As we
did earlier, we installed the certificates on a local computer. That means it
should be available for users as well. Check this and if you’re missing a
certificate, copy and paste it in the User item or local computer item as needed.
browser and navigate to the website that was giving the certificate error. After
that, everything should work perfect. I hope it helps.