IIS 7 and Above
SSL Problem: IIS7 does not send all of the intermediate certificates...
Last post Sep 24, 2016 09:34 PM by Jazbit
May 16, 2014 05:51 AM|capuchin|LINK
Recently, I applied for a new SSL certificate for my IIS7 server. However, after I installed the new SSL certificate, the client started to show an error message saying that the SSL certificate is not trusted. I am sure the root certificate is already included in the trusted root certificate list on the client side.
In the IIS server, the certificate chain looks like this:
Root CA Certificate --> Intermediate CA 1 Certificate --> Intermediate CA 2 Certificate --> SSL Certificate
However, when I used an SSL test tool to check the SSL handshake, it reported that the IIS7 server only sends the Intermediate CA 2 Certificate and the SSL Certificate to the client side.
Is there a way to force the IIS7 server to send the Intermediate CA 1 Certificate to the client side too?
May 16, 2014 01:42 PM|terridonahue|LINK
Are all of the intermediate certificates installed on the IIS server? You can check that on SSLShopper to ensure that one isn't missing. If you are missing one, you can install it from the CA that you purchased the certificate from and that will resolve the issue.
May 19, 2014 03:41 AM|capuchin|LINK
Yes, I am sure all of the intermediate certificates are installed in the "LOCAL MACHINE" registry of the IIS server. On the IIS server, if I double click to open the SSL certificate, I can see it link to the Root certificate. The certificate chain looked
I did check the SSL handshake with SSLShopper and SSLLabs, but both these tools report that my IIS7 server only sends the Intermediate CA 2 Certificate and the SSL Certificate to the client side.
May 21, 2014 03:12 PM|terridonahue|LINK
If both of those sites are reporting that the intermediate certificate is missing, then that is the problem. You can use the provided links to download the missing intermediate chain to resolve the issue.
May 22, 2014 08:06 AM|capuchin|LINK
The IIS7 server has both intermediate certificates installed. The certificate chain is good at the server side. I just do not know why the IIS7 server does not send both of these intermediate certificates to the client side. It only sends one of the intermediate certificates (the last one) to the client side. That is why the client side complains that the certificate chain cannot link to a trusted root certificate.
Jun 10, 2014 11:13 AM|terridonahue|LINK
I understand that you feel that all certificates are correctly installed; however, if the SSL checker utility is returning a broken certificate chain, the issue is that they aren't. You can get the full cert chain from the SSL issuer.
Jun 10, 2014 12:10 PM|StormInternet|LINK
It might be possible that you installed an incorrect CA bundle; you can contact your SSL provider to get the full SSL key files and compare them with the ones that you have installed.
Jul 09, 2014 02:23 AM|Boyan Tabakov|LINK
I fought for a while with a similar issue and was quite frustrated. As it turned out the certificates were correctly installed (as yours might be), but the problem stems from the rather insane "feature" that IIS decides which are the intermediate certificates for your certificate chain "automatically". And it gets it wrong. In my case I have:
Root CA -> Intermediate CA1 -> Intermediate CA2 -> server certificate
For whatever reason my Windows Azure server had tons of pre-installed CA certificates in its trusted store, including one, let's call it RootCA2. Now the issue was that Intermediate CA2 was also signed by RootCA2. So from the point of view of the Azure server, the chain was:
RootCA2 -> Intermediate CA2 -> server certificate
... and as you might guess, IIS decided not to send Intermediate CA1 at all in the certificate chain. Now, most real clients (modern browsers, devices, etc.) didn't have RootCA2 pre-installed (but do have the Root CA) and as a result got a broken chain.
Solution: check the chain that your server "sees" and remove the "bad" trusted CA certificate from it, so that it picks the full chain properly.
I had this issue with both Thawte SSL123 and Comodo certificates on Azure.
Again, it seems like pretty poor design not to have a configurable option on what certificate chain the IIS server should send.
Sep 25, 2014 01:01 PM|markhoward02|LINK
Could you provide more information about how you solved this problem?
I am running an Azure VM and am having this issue where SSLTools tells me the Certificate Chain is broken.
The certificate on the server does look like it is not using the correct Intermediate Certificates. It shows only 1 in the Path, when there should be 2.
I am using a Comodo Wildcard SSL Cert.
Thank you in advance.
Sep 26, 2014 05:33 PM|terridonahue|LINK
link should be able to assist you in verifying the certificate chain.
Nov 29, 2014 06:42 AM|goths|LINK
I love you for what you shared. I spent several hours figuring this out, across several websites. Nothing helped except your post above.
Thanks. Thanks. Thanks.
The problem is that IIS has another intermediate certificate named "COMODO RSA Certification Authority" under "Trusted Root Certification Authorities". This one has a different thumbprint. The real "COMODO RSA Certification Authority" which I wanted was already in the "Intermediate Certification Authorities" folder.
IIS picked the former one, so I deleted the former one and the certificate chain was then complete up to the root.
Wish you the best for helping.
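The two posts above (Boyan Tabakov's explanation of IIS picking the chain that the server's own trust store produces, and goths' duplicate "COMODO RSA Certification Authority" entries) can be checked on the server with a short PowerShell script. This is an added example, not code from the thread or from Microsoft; it assumes the server certificate is identified by a thumbprint you substitute for the placeholder, and it only reports, leaving any removal to you.

```powershell
# Added example (not from the thread). Replace the placeholder with the
# thumbprint of the server certificate bound in IIS (LocalMachine\My).
$ServerThumbprint = 'REPLACE_WITH_SERVER_CERT_THUMBPRINT'

# 1. Build the chain exactly the way Windows (and therefore IIS) does for
#    this certificate, and show which local store each element came from.
$leaf = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $ServerThumbprint }
if (-not $leaf) { throw "Certificate $ServerThumbprint not found in LocalMachine\My" }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # only path building matters here
$null = $chain.Build($leaf)

"Chain as seen by this server ($($chain.ChainElements.Count) elements):"
foreach ($el in $chain.ChainElements) {
    $c = $el.Certificate
    $stores = foreach ($s in 'My', 'CA', 'Root') {
        if (Get-ChildItem "Cert:\LocalMachine\$s" | Where-Object Thumbprint -eq $c.Thumbprint) { $s }
    }
    "  [{0}] {1}`n      issuer: {2}`n      store : {3}" -f $c.Thumbprint, $c.Subject, $c.Issuer, ($stores -join ', ')
}

# 2. Look for the situation goths describes: the same CA subject present in
#    both the Intermediate (CA) store and Trusted Root, with different
#    thumbprints. A self-signed copy in Trusted Root is a root this server
#    trusts, so Windows builds the shorter chain ending there; clients that
#    do not have that root then see a broken chain, as the thread reports.
$roots  = Get-ChildItem Cert:\LocalMachine\Root
$inters = Get-ChildItem Cert:\LocalMachine\CA
$suspects = foreach ($i in $inters) {
    $roots |
        Where-Object { $_.Subject -eq $i.Subject -and $_.Thumbprint -ne $i.Thumbprint } |
        ForEach-Object {
            [pscustomobject]@{
                Subject                 = $i.Subject
                IntermediateThumbprint  = $i.Thumbprint
                TrustedRootThumbprint   = $_.Thumbprint
                TrustedRootIsSelfSigned = ($_.Subject -eq $_.Issuer)
            }
        }
}
"`nSubjects in both Intermediate and Trusted Root stores with different thumbprints:"
$suspects | Format-Table -AutoSize

# Remediation used in the thread, once you have confirmed which entry is the
# unwanted one (uncomment deliberately; this removes a trusted root):
# Remove-Item "Cert:\LocalMachine\Root\<TrustedRootThumbprint>"
```

Run it in an elevated PowerShell on the IIS host, then rebuild the chain (or re-run an external SSL checker) after any change to the Trusted Root store to confirm the full path is now sent.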
Aug 06, 2015 03:14 PM|anthonyb|LINK
Thank you both - this fixed the problem for me.
I had the exact same duplicate 'COMODO RSA Certification Authority' certificates, in the two EXACT SAME locations you described, goths.
I checked the thumbprints and sure enough the one in 'Trusted Root Certification Authorities' had the wrong thumbprint. I disabled the certificate and boom! Everything works.
I was ready to tear my hair out - some browsers, for some reason, worked just fine, as did some SSL checkers. Others (Safari OS X, networking4all SSL checker) continuously complained.
My eternal gratitude!
Sep 24, 2016 09:34 PM|Jazbit|LINK
Boyan's solution works great, but in my case I had to remove ALL certificates from the "trusted" store that have "Comodo" in their names.
Described my experience in this