Intermediate Certificate Chain Errors

Using the DigiCert Certificate Management Utility to Fix Certificate Chain Errors

What Does an Intermediate Certificate Error Look Like?

The DigiCert® SSL Installation Diagnostics Tool reports a few different intermediate certificate errors. The most common is the generic "The server is not sending all required intermediate certificates": the server presents its own certificate but not the DigiCert intermediate CA certificate that links it to a trusted root, so any client that does not already hold a copy of that intermediate cannot build a chain and rejects the connection. You can also get "Your server is sending too many intermediate certificates", which means the server is sending certificates that are not needed to build the chain.

Luckily, you can repair both of these issues with the DigiCert® Certificate Utility for Windows.

Repairing Errors with the DigiCert Utility Tool
  1. To fix this error, run the DigiCert® Certificate Utility for Windows then click Repair Certificate.

    Bad SSL Certificate Installation

  2. This utility should only be run on a server. Click 'Yes' to perform the repair.

    Note: This utility could potentially cause SSL Certificate errors when browsing if this utility is run on a regular Windows computer.

    Yes, this is a server

  3. You will then see a message stating that your certificate has been successfully repaired. Click Ok.

    Certificate Repaired, Reboot Server

  4. After repairing your certificate you can choose to either reboot your server or force the server to clear the current certificate chain from memory and reload it. Then complete the reconfiguration steps below.
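The repair above is about the certificate stores on the server, not about the certificate itself. Before or after running it, the following script (an added example, not part of the DigiCert article and not the Certificate Utility's own code) builds the chain for the installed certificate on the server and reports where each CA certificate is stored. It flags the two conditions behind the errors described earlier: an intermediate that is missing from the Intermediate Certification Authorities store, and an intermediate that was imported into the Trusted Root store, where Windows treats it as a trust anchor and the server does not send it to clients. The subject name is a placeholder.

```powershell
# Added example, not from the DigiCert article. Run on the server in an elevated PowerShell.
# Assumption: $SubjectName is a placeholder for the common name of your certificate.
param([string]$SubjectName = 'www.example.com')

# Pick the newest certificate with a private key for that name from the Personal store.
$leaf = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$SubjectName*" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $leaf) { throw "No certificate with a private key for CN=$SubjectName in LocalMachine\My" }

# Build the chain the same way Windows does for the machine context.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # revocation is a separate question; this check is about the path
$built = $chain.Build($leaf)

$intermediateStore = Get-ChildItem Cert:\LocalMachine\CA     # Intermediate Certification Authorities
$rootStore         = Get-ChildItem Cert:\LocalMachine\Root   # Trusted Root Certification Authorities

$problems = @()
$index = 0
foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    $selfSigned     = ($c.Subject -eq $c.Issuer)
    $inIntermediate = [bool]($intermediateStore | Where-Object { $_.Thumbprint -eq $c.Thumbprint })
    $inRoot         = [bool]($rootStore         | Where-Object { $_.Thumbprint -eq $c.Thumbprint })
    "{0}. {1}`n    issued by {2}`n    in Intermediate store: {3}   in Root store: {4}" -f $index, $c.Subject, $c.Issuer, $inIntermediate, $inRoot

    # Anything above the leaf that is not self-signed is an intermediate CA certificate.
    if ($index -gt 0 -and -not $selfSigned) {
        if (-not $inIntermediate) {
            $problems += "Intermediate '$($c.Subject)' is not in LocalMachine\CA. Install it there (or run Repair Certificate) so the server can send it."
        }
        if ($inRoot) {
            $problems += "Intermediate '$($c.Subject)' is in LocalMachine\Root. Windows treats it as a trust anchor and will not send it; move it to LocalMachine\CA."
        }
    }
    $index++
}

if (-not $built) {
    # Build() failing means the path itself is broken; show the engine's reasons.
    $problems += ($chain.ChainStatus | ForEach-Object { "Chain status: $($_.Status) - $($_.StatusInformation.Trim())" })
}

if ($problems) { Write-Warning ($problems -join "`n") } else { "Chain builds cleanly from the local machine stores." }
```

Note that Build() can succeed even when the intermediate is absent from the Intermediate store, because Windows will fetch it from the issuer's Authority Information Access URL into a cache. That is why the script checks the store membership of each element rather than only the Build() result: a chain that is only complete thanks to that cache is exactly the case the Diagnostics Tool reports.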

Reconfigure the Certificate for your IIS Website or Exchange Domain

If after following the instructions below to reconfigure your software to use the certificate and/or rebooting your server you're still running into problems, please see the troubleshooting section below.

    For IIS 6 Servers
  1. Open the IIS manager (Right-click on 'My Computer' and choose 'Manage').
  2. Under Services and Applications expand Internet Information Services, expand 'Web Sites' then right-click your website, and choose Properties.
  3. Then go to the Directory Security tab and click Server Certificate... then select Remove the Current Certificate then follow the wizard to remove the certificate. This will temporarily remove the certificate from being assigned to your website but the certificate will still remain on your server.
  4. Now click Server Certificate and go through the wizard and choose Assign an Existing Certificate and reselect the certificate that you just removed.
    You can verify that the certificate is now listed correctly by entering your website into the DigiCert Certificate Checker.
    For IIS 7 Servers
  1. Open IIS by going to Start > Administrative Tools > Internet Information Services Manager.
  2. Under Connections, expand your server name, expand Sites, and click the website that uses the certificate. (The 'Server Certificates' feature under the server node only shows which certificates are installed; the binding is edited at the site.)
  3. In the Actions pane on the right, under 'Edit Site', click Bindings....
  4. In the 'Site Bindings' window, select the https binding for the site and click Edit.... Note the settings listed for 'Type', 'IP address', 'Port' and 'SSL Certificate', then click Cancel.
  5. With the https binding still selected, click Remove.
  6. Click Add..., re-enter the options you noted for the https binding, then click OK and Close.
    You can verify that the certificate is now listed correctly by entering your certificate's common name or SAN into the DigiCert Certificate Checking Site.
    For IIS 8 Servers
  1. Open Internet Information Services (IIS) Manager.

    On the Start screen, type and click Internet Information Services (IIS) Manager.

  2. In Internet Information Services (IIS) Manager, under Connections, expand your server’s name, expand Sites, and then click the site or domain.

  3. In the Actions menu, under Edit Site, click Bindings.

  4. In the Site Bindings window, select the https binding for the site or domain, and then click Edit.

  5. In the Edit Site Binding window, take note of the following settings:

    • Type

    • IP address

    • Port

    • Host name (if using Server Name Indication)

    • Require Server Name Indication (if using Server Name Indication)

    • SSL certificate

  6. After recording the information, click Cancel.

  7. In the Site Bindings window, select the https binding for the site or domain and then, click Remove.

  8. Now click Add.

  9. In the Add Site Binding window, in the Type drop-down list, select https.

  10. Use the information that you collected before you removed the binding to repopulate the fields in the Add Site Binding window.

  11. To verify that the certificate is now listed correctly, enter your certificate's common name or SAN into the DigiCert Certificate Checking Site.
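The IIS 7 and IIS 8 procedures above are the same operation: record the https binding, remove it, add it back with the same settings and certificate. The script below (an added example, not part of the DigiCert article) does that with the WebAdministration module so it can be repeated on several sites or servers without transcribing settings by hand. It assumes Windows Server 2012 or later, where New-WebBinding accepts -SslFlags and a binding object has an AddSslCertificate method; the site name is a placeholder.

```powershell
# Added example, not from the DigiCert article. Run in an elevated PowerShell on the IIS server.
# Assumptions: Windows Server 2012 / IIS 8 or later; $SiteName is a placeholder.
param([string]$SiteName = 'Default Web Site')
Import-Module WebAdministration

$bindings = @(Get-WebBinding -Name $SiteName -Protocol https)
if (-not $bindings) { throw "Site '$SiteName' has no https binding" }

foreach ($b in $bindings) {
    # Steps 4-6: record the binding. bindingInformation is "IP:port:hostname", e.g. "*:443:www.example.com".
    $ip, $port, $hostHeader = $b.bindingInformation -split ':', 3
    $sslFlags  = [int]$b.sslFlags              # 1 = Require Server Name Indication
    $thumb     = $b.certificateHash            # thumbprint of the bound certificate
    $storeName = $b.certificateStoreName       # normally 'My' (the Personal store)
    "Recorded https binding {0}:{1} host='{2}' sslFlags={3} cert={4} ({5})" -f $ip, $port, $hostHeader, $sslFlags, $thumb, $storeName

    # The same address identifies the binding for removal, re-creation and lookup.
    $where = @{ Name = $SiteName; Protocol = 'https'; IPAddress = $ip; Port = $port }
    if ($hostHeader) { $where.HostHeader = $hostHeader }

    # Step 7: remove the binding.
    Remove-WebBinding @where

    # Steps 8-10: add it back with the recorded settings.
    New-WebBinding @where -SslFlags $sslFlags

    # Re-attach the certificate; this is what picking it in the 'SSL certificate' drop-down does.
    $new = Get-WebBinding @where
    $new.AddSslCertificate($thumb, $storeName)
}

# Step 11, server side: show what HTTP.sys now has registered for each address before
# checking from outside with the DigiCert checker.
netsh http show sslcert
```

Re-creating the binding only makes IIS reload the chain; it does not add an intermediate that is missing from the machine's Intermediate Certification Authorities store. If the checker still reports a missing intermediate after this, the store is the problem, not the binding.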

    For Exchange 2007 Servers
  1. Open the Exchange Management Shell by going to Start > Programs > Microsoft Exchange Server 2007 > Exchange Management Shell.
  2. Next run the command to enable your SSL certificate. You will need your thumbprint for this.
    To get your certificate's thumbprint, run the DigiCert utility, right-click your certificate file, and choose
    'Copy the thumbprint to the clipboard'.
  3. Re-enable your certificate by running the following command for the services you are currently securing:
    [PS] Enable-ExchangeCertificate -ThumbPrint paste_thumbprint -Services "SMTP, IMAP, POP, IIS" 
    Note: If you are prompted to overwrite the existing [Service] certificate, hit 'a' for all.
    You can now check the intermediate certificate chain by entering your domain name (e.g. mail.domain.com) into the DigiCert Certificate Tester.
    For Exchange 2010 Servers
  1. Open the Exchange Management Console by going to Start > Programs > Microsoft Exchange 2010 > Exchange Management Console.
  2. Click on 'Manage Databases' then click 'Server Configuration'.
  3. In the middle window pane in the Exchange Certificates section, click on your SSL Certificate Issued by DigiCert (If you have multiple certificates and forgot which one it is, right-click a certificate, and click Open; the 'Issued by' field should show a DigiCert CA, for example DigiCert High Assurance CA-3).
  4. Next click the link 'Assign Services to certificate...' see which services you have enabled, and remember them (or keep track of them in notepad). Then uncheck all of the services and complete the wizard.
  5. Now click 'Assign Services to certificate...' and reassign the services for your certificate. Check your certificate to make sure this fixed the problem by entering the name users use to access mail into the DigiCert Certificate Tester.
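Both Exchange procedures above come down to running Enable-ExchangeCertificate again for the services the certificate already has. The script below (an added example, not part of the DigiCert article) does that in the Exchange Management Shell for Exchange 2007 or 2010 without copying the thumbprint by hand: it finds the DigiCert certificate for the mail host name, reads the services currently enabled on it, and re-enables exactly those. The host name is a placeholder, and the -Force switch (which suppresses the overwrite prompt the article tells you to answer with 'a') is assumed to be accepted by your Exchange version; drop it and answer the prompt if it is not.

```powershell
# Added example, not from the DigiCert article. Run in the Exchange Management Shell.
# Assumption: $MailHost is a placeholder for the name users connect to.
param([string]$MailHost = 'mail.domain.com')

# Find the DigiCert-issued certificate whose subject or SAN list contains the mail host.
$cert = Get-ExchangeCertificate |
    Where-Object {
        $_.Issuer -like '*DigiCert*' -and
        ( $_.Subject -like "*$MailHost*" -or
          (($_.CertificateDomains | ForEach-Object { $_.ToString() }) -contains $MailHost) )
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No DigiCert certificate for $MailHost found on this Exchange server" }

"Thumbprint:        $($cert.Thumbprint)"
"Enabled services:  $($cert.Services)"
if ("$($cert.Services)" -eq 'None') { throw 'The certificate is not enabled for any service; enable it with -Services "SMTP, IMAP, POP, IIS" as needed' }

# Same command the article gives for Exchange 2007, with the values taken from the object
# so the current service assignment is preserved rather than retyped.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services $cert.Services -Force

# Show the result; then confirm from outside with the DigiCert Certificate Tester.
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint | Format-List Subject, Issuer, Services, NotAfter
```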
    For ISA/TMG Servers

    In our experience to make the changes take effect you will need to reboot your server. If you find a way to make the changes show up correctly on your ISA/TMG server on our Certificate Installation Checking Tool please let us know.

Other Microsoft Server types (e.g. OCS, Lync)

You might be able to re-enable your certificate by disabling it and then re-enabling it but we have not tested this. Please let us know if this fixes the intermediate problem.

Troubleshooting Certificate Errors

  1. If the above tips don't solve the problem you will probably need to restart your server.

  2. If rebooting the server doesn't fix the problem, the SSL Certificate is most likely also installed on one or more additional servers or devices (a load balancer, proxy or second node) with an incomplete certificate chain, and the checker is reaching that device rather than the server you repaired. You will need to contact support for help resolving it.

    When you contact support, please use the Check a Server feature from the DigiCert Utility, and let them know both what errors you're receiving and what the 'Query Server' button lists for the certificates being sent out (e.g. 1. test.digicert.com, 2. DigiCert High Assurance CA-3), so they can help you quickly resolve this problem.
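The 'Query Server' result is the key fact for support: which certificates actually come back in the TLS handshake. The script below (an added example, not part of the DigiCert article or the Utility) does a handshake from any Windows machine and prints the chain and chain status that Windows produced for it, which is what a Windows client sees for your server. The host name and port are placeholders.

```powershell
# Added example, not from the DigiCert article. Run from any Windows machine with network access to the server.
# Assumptions: $HostName and $Port are placeholders (the article uses test.digicert.com as its example host).
param(
    [string]$HostName = 'test.digicert.com',
    [int]$Port = 443
)

$script:result = $null

# The callback receives the chain Windows built for this handshake. The X509Chain is
# disposed once the callback returns, so copy the fields we want before that.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $script:result = [pscustomobject]@{
        PolicyErrors = $sslPolicyErrors
        ChainStatus  = @($chain.ChainStatus | ForEach-Object { $_.Status })
        Elements     = @($chain.ChainElements | ForEach-Object {
            [pscustomobject]@{
                Subject    = $_.Certificate.Subject
                Issuer     = $_.Certificate.Issuer
                Thumbprint = $_.Certificate.Thumbprint
            }
        })
    }
    return $true   # accept regardless: this is a diagnostic, not a client
}

$tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try {
    $ssl.AuthenticateAsClient($HostName)   # $HostName is also sent as SNI, as a browser would
} finally {
    $ssl.Dispose()
    $tcp.Close()
}

"Certificates in the chain built for ${HostName}:${Port}"
$i = 0
foreach ($e in $script:result.Elements) {
    "{0}. {1}`n   issued by {2} ({3})" -f $i, $e.Subject, $e.Issuer, $e.Thumbprint
    $i++
}
"Policy errors: $($script:result.PolicyErrors)"
if ($script:result.ChainStatus.Count) { "Chain status: $($script:result.ChainStatus -join ', ')" }

# PartialChain means no intermediate could be found anywhere: not sent by the server,
# not in this client's stores and not fetchable. That is the case every client rejects.
if ($script:result.ChainStatus -contains 'PartialChain') {
    Write-Warning 'The intermediate could not be found: the server is not sending it and this client has no copy.'
}
```

Read the result with one caveat in mind: Windows fills a gap in the chain from its own Intermediate Certification Authorities store or by downloading the intermediate from the issuer's AIA URL, so a Windows client often shows a complete chain even when the server sends only its own certificate. That is also why the problem usually surfaces on non-Windows clients, Java applications and mobile devices rather than in a desktop browser. Treat a PartialChain status or RemoteCertificateChainErrors from this script as confirmation of the problem, and a clean result as not proving the server sends the intermediate; the DigiCert checker and the Utility's 'Query Server' remain the authoritative view of what the server actually sends.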