Fixing the Issue of Missing Certificate Chain in Internal IIS Server
Yesterday, I deployed the IIS service on my private server and encountered an issue while adding HTTPS. The issue was related to missing one or more intermediate certificates in the certificate chain. Normally, this can be resolved by updating the certificate chain through Windows update on a computer that has internet access. However, my server is not connected to the internet for certain reasons. So, I decided to try resolving this issue myself.(English version Translated by GPT-3.5, 返回中文)
Reproduction
After installing the certificate on IIS and assigning it a “Good Name”, I received the following prompt:
Checking the Certificate Status
First, we need to go to the IIS Manager, select a server on the left side, and find “Server Certificates” on the right side:
Then, locate the imported certificate and double-click or right-click to view it:
You can see that the certificate is missing the issuer, which means it lacks the root certificate.
A complete certificate chain consists of a root certificate (usually with a long validity period), followed by intermediate certificates issued by the root certificate (which have shorter validity periods but are still quite long), and finally the certificate for HTTPS that is issued by the intermediate certificate. A complete certificate should include all of these.
Take Baidu’s certificate as an example. You can see that it is signed by the root certificate “GlobalSign Root CA - R1” and issued to “GlobalSign Organization Validation CA - SHA256 - G2”. Finally, the certificate for “baidu.com” is issued by the intermediate certificate. On a computer, the certificate will only be considered valid and trusted if it can find the first two certificates in its certificate store and these certificates are present.
Now, the problem is to re-import the root and intermediate certificates in my certificate chain and make the system trust them.
Checking the Certificate Chain
A complete certificate chain includes the root certificate, intermediate certificates, and the website’s certificate. You can deploy the certificate to an nginx server accessible on the public internet and then access the website to see the complete certificate chain in the browser, like this:
You can also use a website called MySSL.com - SSL Security Assessment Report to view your own certificate chain (and also evaluate your website’s SSL rating, which is a very useful website):
Downloading Certificates
Open the MMC Console Root Node
Open the following:
1 | 开始 - 运行 - 输入 mmc打开控制台根节点 |
Then select:
1 | 左上角文件 - 添加管理单元 |
In the popup window, select:
1 | 证书,并选择中间的→箭头 |
In the next popup window, select:
1 | 计算机根证书 - 本地计算机 |
You will see the following screen:
Verify that the Certificate is Missing
Check if the “Trusted Root Certification Authorities - Certificates” is missing the root certificate from the certificate chain, and if the “Intermediate Certification Authorities - Certificates” is indeed missing the intermediate certificate mentioned above. As shown in the following screenshot, you can see that the intermediate certificate authority is indeed missing the certificate for “Encryption Everywhere DV TLS CA - G1”:
Download Certificates from the Official Website
Usually, you can download trusted root certificates and intermediate certificates from the official website. From the certificate chain above, I need to download the following root certificate and intermediate certificate:
1 | 根证书:DigiCert Global Root CA |
Most official websites provide download links for the corresponding root certificates. After some searching, I found that the root certificate mentioned above can be downloaded from DigiCert Trusted Root Authority Certificates.
By matching the certificate names and finding the two root certificates, download them to your local machine. Let’s assume the root certificate name is “root.pem” and the intermediate certificate is “middle.pem”.
Or… you can directly download the complete certificate chain from MySSL.
The downloaded certificate chain has the following format:
1 | -----BEGIN CERTIFICATE----- |
The first part “—–BEGIN CERTIFICATE—–” is the intermediate certificate, and the second part is the root certificate. Save them separately in “middle.pem” and “root.pem”.
1 | 下面的内容单独保存到 middle.pem |
Importing Certificates
Now that we have the certificates ready, let’s import them.
In the MMC Console Root Node, go to:
1 | 受信任的根证书颁发机构 - 证书 |
Right-click and select:
1 | 所有任务 - 导入 |
Select “DigiCertGlobalRootCA” (which is the root.pem file) and click Next. Store the certificate in the Trusted Root Certification Authorities (click Next, leaving the default options).
Then, using the same method, go to the left side and navigate to:
1 | 中间证书颁发机构中,进行右键 - 所有任务 - 导入 |
Follow the import method above to import “middle.pem”. That’s it!
Go back to IIS and Check the Certificate Chain
Finally, go back to the “Server Certificates” in IIS, and check the certificate path. You will see that the certificate is now valid and complete. And that’s it!