




Digital Certificates: How to Install Intermediate Server Certificate (Certificate Chaining)


When you install an SSL cert on a server, you also need to install the Verisign intermediate CA cert.

A copy of the Verisign intermediate CA cert may be found here.

Notes:
  • This cert *must* reside on the file system of the server that “owns” the SSL cert and it *must* be referenced in the configuration file for that webserver.
  • Instructions for installing the cert on the webserver application that you are running (e.g. IIS 5.0, Apache, Tomcat, Weblogic, etc.) may be found here.
  • You *must* create a snap-in for Local Computer (if you do not already have one).
  • You *must* follow the instructions precisely in order for the installation of the cert on a server to solve local client problems resolving the trust chain.
  • Removing the older Intermediate CA certs will not cause problems, even though IIS/MS gives you an ominous warning about breaking trust and being unable to resolve certs in the future. However, it is not a requirement to remove the older, expired Intermediate CA certs.


Problem with Server Certs April 24, 2008

Recently a problem with SSL certs has come to light. This problem only manifests itself with new, recently issued, certs.

The problem is related to the improper installation of the cert on the server in question and to the issue of cert chaining, recently discussed in an email to utd tech. Now that root certs are going offline and cannot be checked, it is a requirement that, when you install an SSL cert on a server, you also install the Verisign intermediate CA cert.

A Verisign knowledgebase article covering the issue may be found here.

Anyone who has renewed or enrolled for a new SSL cert in the past 90 days should follow these instructions to ensure that clients do not generate errors when visiting their websites.

Further investigation has significantly muddied the waters. Here's what we *think* we know now.
  1. Importing the Verisign Intermediate CA cert into IIS appears to have no effect on the browsers that are producing errors. It also appears to have no operational effect on the server, so you can feel comfortable proceeding with that process. However, there is no need to restart the web server after importing. It will get restarted the next time you reboot after patching.
  2. IE already has the cert in its Intermediate Authorities store. This is why it does not produce an error. (Note that this is not true if your computer is missing patches - particularly SP2.)
  3. Some versions of unix (e.g. FreeBSD) do not exhibit the problem. Others (e.g. Solaris, Ubuntu) do.
  4. The problem can be solved by importing the cert into your browser. We will be putting up a web page explaining how to do that and providing a downloadable copy of the cert.
  5. We're not sure what impact this will have in September, when certificate chaining is no longer optional. We're working with Verisign to get answers to the questions we still have. We'll keep you posted as we know more definitively.
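
The trust-chain behaviour described in the notes and in items 2 and 4 above can be reproduced offline with the openssl command line. This is an added example, not part of the original page or of Verisign's instructions; the root, intermediate and server certs it builds, and the function names build_chain and chain_resolves, are constructed for the demo.

```shell
#!/usr/bin/env bash
# Constructed demo: every key, name and certificate here is a throwaway test value.

# new_csr <path-prefix> <common-name>: fresh RSA key plus certificate request.
new_csr() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# build_chain <dir>: root CA -> intermediate CA -> server cert, like a CA-issued SSL cert.
build_chain() {
  local d="$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  new_csr "$d/root" "Demo Root CA" &&
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null &&
  new_csr "$d/int" "Demo Intermediate CA" &&
  openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -extfile "$d/ca.ext" -out "$d/int.pem" 2>/dev/null &&
  new_csr "$d/srv" "www.example.test" &&
  openssl x509 -req -in "$d/srv.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
    -CAcreateserial -days 2 -out "$d/srv.pem" 2>/dev/null &&
  cat "$d/root.pem" "$d/int.pem" > "$d/client-store.pem"
}

# chain_resolves <dir> <case>: succeeds only if the client can build a path to the root.
chain_resolves() {
  local d="$1" out
  case "$2" in
    server-leaf-only)          # server presents only its own cert
      out=$(openssl verify -CAfile "$d/root.pem" "$d/srv.pem" 2>&1) ;;
    server-sends-intermediate) # intermediate installed on the server and sent to the client
      out=$(openssl verify -CAfile "$d/root.pem" -untrusted "$d/int.pem" "$d/srv.pem" 2>&1) ;;
    client-has-intermediate)   # intermediate already in, or imported into, the client store
      out=$(openssl verify -CAfile "$d/client-store.pem" "$d/srv.pem" 2>&1) ;;
    *) return 2 ;;
  esac
  printf '%s\n' "$out" | grep -q ': OK$'
}

demo_dir=$(mktemp -d)
build_chain "$demo_dir" || { echo "openssl failed to build the demo chain" >&2; exit 1; }
for c in server-leaf-only server-sends-intermediate client-has-intermediate; do
  if chain_resolves "$demo_dir" "$c"; then echo "$c: chain resolves"
  else echo "$c: client cannot resolve the trust chain"; fi
done
rm -rf "$demo_dir"
```

Only the first case fails: a client that trusts the root but has never seen the intermediate cannot link the server cert to it unless the server supplies the intermediate or the client already holds it.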

