Instructions for Repairing Intermediate Certificate Chain Errors

What Does an Intermediate Certificate Error Look Like?

When you use the DigiCert® SSL Installation Diagnostics Tool to check your SSL Certificate installation, you may receive one of the following intermediate certificate errors:

  • "The server is not sending all required intermediate certificates."

  • "Your server is sending too many intermediate certificates."

A client validates your certificate by building a path from it, through the intermediate certificates, to a root it already trusts. The server is expected to send the leaf certificate and every intermediate; the root is not needed. If an intermediate is missing, clients that do not already have it cached, and that do not fetch it themselves, reject the connection as untrusted. Browsers that fetch the missing intermediate on their own can hide the problem, which is why a server-side check matters. Sending certificates that do not belong in the path (a root, or an expired or superseded intermediate) makes every handshake larger and can cause validation failures on some clients.

Luckily, you can repair both of these issues with the DigiCert® Certificate Utility for Windows.

Using the DigiCert Certificate Utility to Fix Certificate Chain Errors

  1. On the Windows server where your SSL Certificate is installed, download and save the DigiCert® Certificate Utility for Windows executable (DigiCertUtil.exe).

  2. Run the DigiCert® Certificate Utility for Windows (double-click DigiCertUtil).

    Caution: Repairing a chain modifies the machine's certificate stores, so run this utility only on a Windows server. Running it on a regular Windows computer can cause SSL Certificate errors when browsing.

  3. In the DigiCert® Certificate Utility for Windows, click SSL (gold lock), select the certificate that you need to repair, and then click Repair Certificate.

    [Screenshot: Bad SSL Certificate Installation]

  4. In the "Would you like to repair this certificate's chain?" window, click Yes to repair the certificate chain.

    [Screenshot: Yes, this is a server]

  5. After you receive the "This certificate has been successfully repaired" message, click OK.

    [Screenshot: Certificate Repaired, Reboot Server]

  6. Reboot the server so that it drops the cached certificate chain and reloads it.

    Note:    If you still receive intermediate certificate errors after repairing your SSL Certificate and rebooting, force the server to reload the certificate by reconfiguring the binding or service assignment that uses it.

    See Reconfigure the Certificate for your IIS Website or Exchange Domain.
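As an added example (not from the DigiCert article or the DigiCert utility), the following PowerShell script shows which chain the server can build for its certificate from its own LocalMachine stores, which is the chain SChannel sends on behalf of IIS or Exchange. It walks from the leaf to a self-signed root using only what is installed locally, so a missing intermediate cannot be papered over by an AIA download, and it reports the store each certificate lives in. Issuers are matched by distinguished name only (a simplification; a strict check would also compare the Authority and Subject Key Identifiers), and the thumbprint is a placeholder you replace with your own.

```powershell
# Added example, not part of the DigiCert article: show the chain a Windows server can build for
# its certificate from the LocalMachine stores, i.e. what SChannel (IIS, Exchange) sends to clients.
# Issuers are matched by distinguished name (simplification: a strict check would also compare
# Authority/Subject Key Identifiers). The thumbprint is a placeholder.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint   # placeholder, e.g. '0123456789ABCDEF0123456789ABCDEF01234567'
)

# Tolerate thumbprints pasted with spaces or colons from certificate viewers.
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

# Services run as the machine, so only the LocalMachine stores matter. CurrentUser\CA is read
# only to spot an intermediate that was imported into the wrong store.
$leaf      = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
$caStore   = @(Get-ChildItem Cert:\LocalMachine\CA)
$rootStore = @(Get-ChildItem Cert:\LocalMachine\Root)
$userCa    = @(Get-ChildItem Cert:\CurrentUser\CA)

if (-not $leaf) { throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My" }
if (-not $leaf.HasPrivateKey) { Write-Warning 'The server certificate has no private key; SChannel cannot use it.' }

function Test-SelfSigned([System.Security.Cryptography.X509Certificates.X509Certificate2]$c) {
    return $c.Subject -eq $c.Issuer
}

# Walk from the leaf towards a self-signed root using only locally installed certificates.
$chain   = @($leaf)
$current = $leaf
while (-not (Test-SelfSigned $current)) {
    $candidates = @(($caStore + $rootStore) | Where-Object { $_.Subject -eq $current.Issuer })
    if ($candidates.Count -eq 0) {
        Write-Warning "No issuer for '$($current.Subject)' in LocalMachine\CA or LocalMachine\Root: the server cannot send this intermediate."
        $wrongStore = $userCa | Where-Object { $_.Subject -eq $current.Issuer } | Select-Object -First 1
        if ($wrongStore) {
            Write-Warning "  It is present in CurrentUser\CA (thumbprint $($wrongStore.Thumbprint)); import it into LocalMachine\CA instead."
        }
        break
    }
    if ($candidates.Count -gt 1) {
        Write-Warning "$($candidates.Count) certificates share the subject '$($current.Issuer)' (for example a cross-signed or renewed intermediate); the server may send more than one."
    }
    # Prefer the candidate that expires last.
    $issuer  = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1
    $chain  += $issuer
    $current = $issuer
}

# Report each element with its role and the stores it lives in.
for ($i = 0; $i -lt $chain.Count; $i++) {
    $c     = $chain[$i]
    $role  = if ($i -eq 0) { 'leaf' } elseif (Test-SelfSigned $c) { 'root' } else { 'intermediate' }
    $where = @()
    if ($c.Thumbprint -eq $leaf.Thumbprint)                            { $where += 'My' }
    if ($caStore   | Where-Object { $_.Thumbprint -eq $c.Thumbprint }) { $where += 'CA' }
    if ($rootStore | Where-Object { $_.Thumbprint -eq $c.Thumbprint }) { $where += 'Root' }
    '{0}. [{1,-12}] {2}  (expires {3:yyyy-MM-dd}; stores: {4})' -f ($i + 1), $role, $c.Subject, $c.NotAfter, ($where -join ', ')
    if ($c.NotAfter -lt (Get-Date)) { Write-Warning "  Expired on $($c.NotAfter)." }
    if ($role -eq 'intermediate' -and $where -contains 'Root') {
        Write-Warning '  Intermediate is in Trusted Root Certification Authorities; keep intermediates in Intermediate Certification Authorities only.'
    }
    if ($role -eq 'intermediate' -and $where -notcontains 'CA') {
        Write-Warning '  Intermediate is not in Intermediate Certification Authorities.'
    }
}
if (Test-SelfSigned $chain[-1]) { 'Chain is complete up to a self-signed root.' } else { 'Chain is incomplete.' }
```

Run it in an elevated PowerShell on the server, before and after the Repair Certificate step, with the thumbprint of the certificate bound to the site. A warning about an issuer that exists only in CurrentUser\CA is the usual cause of "not sending all required intermediate certificates" on a server where someone imported the intermediate through their own (per-user) certificate console.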

 

Reconfigure the Certificate for your IIS Website or Exchange Domain

If you still have problems after you have reconfigured your software to use the certificate (using the instructions for your server type below) and rebooted your server, see Troubleshooting Certificate Errors.

Choose your server type:

  • IIS 8

  • IIS 7

  • IIS 6

  • Exchange 2013

  • Exchange 2010

  • Exchange 2007

  • ISA/TMG Servers

  • Other Microsoft Server Types (e.g. OCS, Lync)

For IIS 8 Servers

  1. Open Internet Information Services (IIS) Manager.

    On the Start screen, type Internet Information Services (IIS) Manager, and then click it.

  2. In Internet Information Services (IIS) Manager, under Connections, expand your server’s name, expand Sites, and then click the site or domain.

  3. In the Actions menu, under Edit Site, click Bindings.

  4. In the Site Bindings window, select the https binding for the site or domain, and then click Edit.

  5. In the Edit Site Binding window, take note of the following settings:

    • Type

    • IP address

    • Port

    • Host name (if using Server Name Indication)

    • Require Server Name Indication (if using Server Name Indication)

    • SSL certificate

  6. After recording the information, click Cancel.

  7. In the Site Bindings window, select the https binding for the site or domain, and then click Remove.

  8. Now click Add.

  9. In the Add Site Binding window, in the Type drop-down list, select https.

  10. Use the information that you collected before you removed the binding to repopulate the fields in the Add Site Binding window, click OK, and then click Close.

  11. To verify that the certificate is now listed correctly, enter your certificate's common name or SAN into the DigiCert® SSL Installation Diagnostics Tool.

 

For IIS 7 Servers

  1. Open Internet Information Services (IIS) Manager (Start > Administrative Tools > Internet Information Services Manager).

  2. In Internet Information Services (IIS) Manager, under Connections, expand your server’s name, expand Sites, and then select the site or domain.

  3. In the Actions menu, under Edit Site, click Bindings.

  4. In the Site Bindings window, select the https binding for the site or domain, and then click Edit.

  5. In the Edit Site Binding window, take note of the following settings:

    • Type

    • IP address

    • SSL Certificate

  6. After recording the information, click Cancel.

  7. In the Site Bindings window, select the https binding for the site or domain, and then click Remove.

  8. Now click Add.

  9. In the Add Site Binding window, in the Type drop-down list, select https.

  10. In the Add Site Binding window, use the information that you collected before you removed the binding to repopulate the fields.

  11. When you are finished, click OK and then Close.

  12. To verify that the certificate is now listed correctly, enter your certificate's common name or SAN into the DigiCert® SSL Installation Diagnostics Tool.
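The IIS 7 and IIS 8 procedures above can be scripted. The following is an added example (not from the DigiCert article) that records the existing https binding, removes and re-creates it, and re-attaches the certificate with the WebAdministration module; re-attaching the certificate rewrites the HTTP.SYS SSL binding, which is what makes the server reload the chain. The site name, host name and thumbprint are placeholders. The -SslFlags parameter exists only on IIS 8 and later; on IIS 7 leave it out.

```powershell
# Added example, not part of the DigiCert article: remove and re-add an https binding and
# re-bind its certificate from PowerShell (WebAdministration module, Windows Server 2008 R2+).
# Site name, host name and thumbprint are placeholders. -SslFlags is IIS 8+ only.
Import-Module WebAdministration

$SiteName   = 'Default Web Site'                           # placeholder
$HostName   = 'www.example.com'                            # placeholder; use '' for a binding without a host header
$Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # placeholder; must exist in Cert:\LocalMachine\My

if (-not (Test-Path "Cert:\LocalMachine\My\$Thumbprint")) {
    throw "Certificate $Thumbprint is not in Cert:\LocalMachine\My"
}

# 1. Record the existing binding (type, IP address, port, host name, SNI flag), as the manual steps do.
$old = Get-WebBinding -Name $SiteName -Protocol https |
       Where-Object { ($_.bindingInformation -split ':')[2] -eq $HostName }
if (-not $old) { throw "No https binding for host '$HostName' on site '$SiteName'" }
$ip, $port, $hostHeader = $old.bindingInformation -split ':'   # bindingInformation is "ip:port:host"
$sslFlags = [int]$old.sslFlags                                 # 1 = Require Server Name Indication (IIS 8+)
"Recorded binding: IP=$ip Port=$port Host=$hostHeader SslFlags=$sslFlags"

# 2. Remove the binding and create it again with the recorded values.
Remove-WebBinding -Name $SiteName -Protocol https -IPAddress $ip -Port $port -HostHeader $hostHeader
New-WebBinding    -Name $SiteName -Protocol https -IPAddress $ip -Port $port -HostHeader $hostHeader -SslFlags $sslFlags

# 3. Re-attach the certificate from the LocalMachine\My store. This rewrites the HTTP.SYS
#    SSL binding, so SChannel builds and caches the chain afresh.
$new = Get-WebBinding -Name $SiteName -Protocol https |
       Where-Object { $_.bindingInformation -eq $old.bindingInformation }
$new.AddSslCertificate($Thumbprint, 'My')

# 4. Show what HTTP.SYS has bound now (the same information as 'netsh http show sslcert').
Get-ChildItem IIS:\SslBindings | Where-Object { $_.Thumbprint -eq $Thumbprint }
```

After the script finishes, check the site with the DigiCert® SSL Installation Diagnostics Tool as in the last step of the manual procedure.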

 

For IIS 6 Servers

  1. Open Internet Information Services (IIS) Manager.

    On the Start menu, click Administrative Tools > Internet Information Services (IIS) Manager.

  2. In Internet Information Services (IIS) Manager, in the navigation tree on the left, expand your server's name, expand Web Sites, right-click the site, and then select Properties.

  3. In the Properties window, on the Directory Security tab, click Server Certificate.

  4. Click Remove the current certificate, and then follow the wizard to remove the certificate.

    This removes the certificate from being assigned to your website, but the certificate still remains on your server.

  5. In the Properties window, on the Directory Security tab, click Server Certificate again. In the wizard, choose Assign an existing certificate, reselect the certificate that you just removed, and complete the wizard.

  6. To verify that the certificate is now listed correctly, enter your certificate's common name or SAN into the DigiCert® SSL Installation Diagnostics Tool.

 

For Exchange 2013 Servers

  1. Open the Exchange Admin Center (navigate to https://localhost/ecp).

  2. In Exchange Admin Center, in the menu on the left, click Servers and then in the menu at the top of the Servers section, click Certificates.

  3. In the Certificates section, select the certificate and then, click the Edit symbol (pencil).

  4. On the certificate's page, in the menu on the left, click Services.

  5. In the Specify the services that you want to assign this certificate section, take note of the services (e.g. SMTP, IMAP, POP, and IIS) that are enabled for your SSL Certificate. Then uncheck all the services and click Save.

  6. Select the certificate again, click the Edit symbol (pencil), and then, in the menu on the left, click Services.

  7. In the Specify the services that you want to assign this certificate section, re-enable the services for your SSL Certificate.

  8. To verify that the certificate is now listed correctly, enter the name that clients use to access mail into the DigiCert® SSL Installation Diagnostics Tool.

 

For Exchange 2010 Servers

  1. Open the Exchange Management Console (Microsoft Exchange 2010 > Exchange Management Console).

  2. In the Exchange Management Console, in the center section, click Manage Databases.

  3. In the navigation tree on the left, expand Microsoft Exchange On-Premises and then select Server Configuration.

  4. In the center section, under Exchange Certificates, select the certificate and then in the Actions menu on the right, click Assign Services to Certificate.

  5. Next, select your server from the list provided and then click Next.

  6. Take note of the services (e.g. SMTP, IMAP, POP, and IIS) that are enabled for your SSL Certificate. Then uncheck all the services and complete the wizard.

  7. Now, click Assign Services to Certificate and reassign the services for your certificate.

  8. To check your certificate to make sure this fixed the problem, enter the name that clients use to access mail into the DigiCert® SSL Installation Diagnostics Tool.

 

For Exchange 2007 Servers

    Get Your Certificate's Thumbprint

  1. Run the DigiCert® Certificate Utility for Windows (double-click DigiCertUtil).

  2. In the DigiCert® Certificate Utility for Windows, click SSL (gold lock), right-click your certificate, and then click Copy thumbprint to clipboard.

    You can also get the thumbprint by running the following command in the Exchange Management Shell:

    [PS] C:\> Get-ExchangeCertificate -DomainName your.domain.name

    Reassign Services

  1. Open the Exchange Management Shell (Microsoft Exchange Server 2007 > Exchange Management Shell).

  2. Run the following command to re-enable your SSL Certificate for the services that it currently secures, replacing insert_thumbprint with the thumbprint you copied:

       Enable-ExchangeCertificate -Thumbprint insert_thumbprint -Services "SMTP, IMAP, POP, IIS"

    Note:   If you are prompted to overwrite the existing [Service] certificate, press A (Yes to All).

  3. To check the intermediate certificate chain, enter your domain name (e.g. mail.domain.com) into the DigiCert® SSL Installation Diagnostics Tool.
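The Exchange 2013, 2010 and 2007 procedures above all come down to the same Exchange Management Shell cmdlets. The following added example (not from the DigiCert article) reads the services currently assigned to the certificate and Exchange's own view of whether its chain is valid, then re-applies the same services non-interactively. The thumbprint is a placeholder. The -Force switch stands in for answering A (Yes to All) at the overwrite prompt; it is an assumption that your Exchange version accepts it (Exchange 2010 and 2013 do), so on a version that rejects it, omit it and answer the prompt.

```powershell
# Added example, not part of the DigiCert article: re-apply an Exchange certificate's service
# assignments from the Exchange Management Shell (2007/2010/2013). Thumbprint is a placeholder.
$Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # placeholder

$cert = Get-ExchangeCertificate -Thumbprint $Thumbprint
if (-not $cert) { throw "No Exchange certificate with thumbprint $Thumbprint on this server" }

# Status is Exchange's own verdict on the certificate and its chain as seen from this server.
"Subject : $($cert.Subject)"
"Status  : $($cert.Status)"      # Valid is what you want; Untrusted or Invalid point at a chain problem
"Services: $($cert.Services)"    # e.g. IMAP, POP, IIS, SMTP
if ($cert.Status -ne 'Valid') {
    Write-Warning 'Repair the chain (see the repair steps above) before re-enabling services.'
}
if ("$($cert.Services)" -eq 'None') {
    throw 'No services are assigned to this certificate; nothing to re-apply.'
}

# Re-enable exactly the services that were already assigned. -Force replaces answering A (Yes to All)
# at the "overwrite the existing SMTP certificate" prompt (assumption: supported on your version).
Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services $cert.Services -Force

# Verify the assignment took effect.
Get-ExchangeCertificate -Thumbprint $Thumbprint | Format-List Subject, Thumbprint, Status, Services, NotAfter
```

On Exchange 2013 run this on each server that hosts the certificate; Get-ExchangeCertificate reports the local server unless you pass -Server.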
 

For ISA/TMG Servers

    In our experience, to activate the changes, you need to reboot your server. If you find another way to make the changes show up correctly on your ISA/TMG server after running our DigiCert® SSL Installation Diagnostics Tool, please let us know.

 

Other Microsoft Server types (e.g. OCS, Lync)

    You might be able to re-enable your certificate by disabling it and then re-enabling it, but we have not tested this. Please let us know if this fixes the intermediate problem.

 

Troubleshooting Certificate Errors

  1. If the tips from the Reconfigure the Certificate for your IIS Website or Exchange Domain section don't solve the problem, you probably need to restart your server.

  2. If rebooting the server doesn't fix the problem, the SSL Certificate is most likely also installed on one or more additional servers or devices (for example a load balancer or a second node answering for the same name) with an incomplete certificate chain, so you need to contact support for help resolving it.

    When you contact support, use the Check a Server feature in the DigiCert Certificate Utility to tell them what errors you're receiving and what the Query Server feature lists for the certificates being sent (e.g. 1. test.digicert.com, 2. DigiCert High Assurance CA-3), so they can help you resolve the problem quickly.
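To find which of several servers or devices behind one name is the one with the bad chain, you can probe each address yourself. The following is an added example (not from the DigiCert article or tool) for Windows PowerShell that resolves every IPv4 address of a host name, completes a TLS handshake with each one using the host name as SNI, and lists the certificates that server actually sent next to the chain the client could build. It relies on the .NET SslStream behaviour on Windows of placing the certificates received in the handshake into ChainPolicy.ExtraStore of the chain passed to the validation callback (an assumption about the runtime, stated here so you can check it). The host name is a placeholder.

```powershell
# Added example, not part of the DigiCert article: connect to every IPv4 address behind a host name
# and show what each server sends versus what the client had to build. Assumes Windows PowerShell /
# .NET on Windows, where SslStream fills ChainPolicy.ExtraStore with the received certificates.
param(
    [string]$HostName = 'www.example.com',   # placeholder
    [int]$Port = 443
)

$script:sent   = @()   # certificates received in the handshake
$script:built  = @()   # chain the local engine built (may add certificates from its own store or AIA)
$script:status = @()

$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $script:sent   = @($chain.ChainPolicy.ExtraStore)
    $script:built  = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    $script:status = @($chain.ChainStatus)
    return $true   # accept so the handshake completes; this probe only inspects
}

$addresses = [System.Net.Dns]::GetHostAddresses($HostName) |
             Where-Object { $_.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork }

foreach ($ip in $addresses) {
    "== $HostName at $ip =="
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($ip, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)   # SNI = $HostName, so the right binding answers

        $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        $sentIntermediates = @($script:sent | Where-Object { $_.Thumbprint -ne $leaf.Thumbprint })

        "Leaf: $($leaf.Subject)"
        "Server sent {0} certificate(s) besides the leaf:" -f $sentIntermediates.Count
        $sentIntermediates | ForEach-Object { "  $($_.Subject)" }
        foreach ($s in $script:status) { Write-Warning "$($s.Status): $($s.StatusInformation.Trim())" }

        # "Not sending all required intermediates": an intermediate in the built chain that was not sent,
        # so the client had to supply it from its own store, cache or an AIA download.
        $script:built |
            Where-Object { $_.Subject -ne $_.Issuer -and $_.Thumbprint -ne $leaf.Thumbprint } |
            Where-Object { $t = $_.Thumbprint; -not ($script:sent | Where-Object { $_.Thumbprint -eq $t }) } |
            ForEach-Object { Write-Warning "Not sent by server (client had to supply it): $($_.Subject)" }

        # "Sending too many intermediates": a self-signed root, or a certificate that is not in the path.
        $sentIntermediates |
            Where-Object { $c = $_; $c.Subject -eq $c.Issuer -or -not ($script:built | Where-Object { $_.Thumbprint -eq $c.Thumbprint }) } |
            ForEach-Object { Write-Warning "Sent but not needed: $($_.Subject)" }
    }
    catch { Write-Warning "$ip : $($_.Exception.Message)" }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}
```

Run it from a machine that has not been used to browse the site (so its own certificate cache does not quietly supply the intermediate) and compare the output per address; an address that lists a "Not sent by server" warning is the server or device whose chain still needs repairing.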