Fixing the Issue of Missing Certificate Chain in Internal IIS Server

Yesterday I deployed IIS on my private server and ran into a problem when adding HTTPS: one or more intermediate certificates were missing from the certificate chain. Normally this is fixed by letting Windows Update refresh the certificate chain on a computer with internet access, but for various reasons my server is not connected to the internet, so I decided to resolve the issue myself. (English version translated by GPT-3.5.)

Reproduction

After installing the certificate in IIS and giving it a friendly name, I was shown the following prompt:
Issue Reproduction

Checking the Certificate Status

  1. First, we need to go to the IIS Manager, select a server on the left side, and find “Server Certificates” on the right side:
    Find Server Certificates

  2. Then, locate the imported certificate and double-click or right-click to view it:
    Find Certificate to View

  3. You can see that the certificate is missing its issuer, which means the certificates above it in the chain, including the root certificate, are not present on this machine.

    A complete certificate chain consists of a root certificate (usually with a long validity period), one or more intermediate certificates issued by that root (with shorter, but still long, validity periods), and finally the HTTPS certificate for the site, issued by an intermediate. A complete chain must include all of these.

    Certificate Missing Issuer

    Take Baidu’s certificate as an example. The root certificate “GlobalSign Root CA - R1” issues the intermediate “GlobalSign Organization Validation CA - SHA256 - G2”, and that intermediate in turn issues the certificate for “baidu.com”. A computer considers the site certificate valid and trusted only if it can find the first two certificates in its certificate store.
    Baidu's Certificate

  4. So the task is to import the root and intermediate certificates from my certificate chain and make the system trust them.

Checking the Certificate Chain

A complete certificate chain includes the root certificate, intermediate certificates, and the website’s certificate. You can deploy the certificate to an nginx server accessible on the public internet and then access the website to see the complete certificate chain in the browser, like this:

Complete Certificate Chain

You can also use a website called MySSL.com - SSL Security Assessment Report to view your own certificate chain (and also evaluate your website’s SSL rating, which is a very useful website):

Viewing Certificate Chain with MySSL

Downloading Certificates

Open the MMC Console Root Node

Open the following:

    Start - Run - type mmc to open the Console Root

Then select:

    File (top left) - Add/Remove Snap-in

In the popup window, select:

    Certificates, then click the → arrow in the middle

In the next popup window, select:

    Computer account - Local computer

You will see the following screen:

MMC Console Root Node

Verify that the Certificate is Missing

Check whether “Trusted Root Certification Authorities - Certificates” is missing the root certificate of the chain, and whether “Intermediate Certification Authorities - Certificates” is missing the intermediate certificate mentioned above. In the following screenshot you can see that the intermediate store is indeed missing the certificate for “Encryption Everywhere DV TLS CA - G1”:

Missing Certificate in Intermediate Certificate Authority
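The same check done from PowerShell, as an added example that is not part of the original post: it builds the chain for the site certificate exactly as Windows does and names the first issuer that cannot be found in the Intermediate (CA) or Trusted Root (Root) store. It assumes the site certificate sits in the Local Computer “Personal” store and that its subject contains the placeholder host name `www.example.internal`; both are assumptions, not something the post states.

```powershell
# Added example, not part of the original post: reproduce the MMC check above
# in PowerShell, so the missing link in the chain is reported by name.
# ASSUMPTIONS: run on the IIS host; the site certificate lives in the Local
# Computer "Personal" store (Cert:\LocalMachine\My) and its subject contains
# the placeholder host name below.
$siteHost = 'www.example.internal'   # placeholder: replace with your own host name

$leaf = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$siteHost*" -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $leaf) { throw "No certificate with a private key found for $siteHost in Cert:\LocalMachine\My" }

# Build the chain the same way Windows (and therefore IIS) does. Revocation
# checking is disabled because this server has no internet access; the point
# here is only whether every issuer can be found in the local stores.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$complete = $chain.Build($leaf)

$subjects = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
$status   = @($chain.ChainStatus   | ForEach-Object { $_.Status })
"Site certificate : $($leaf.Subject)"
"Issued by        : $($leaf.Issuer)"
"Chain found      : $($subjects -join ' <- ')"
"Chain status     : $(if ($complete) { 'OK' } else { $status -join ', ' })"

# If the chain stops short, walk it one issuer at a time (matching the Issuer
# name against Subject names, which is enough for this diagnosis) and report
# which certificate is absent from the two stores the post inspects in MMC:
# CA (intermediates) and Root (trusted roots).
if (-not $complete) {
    $store   = @(Get-ChildItem Cert:\LocalMachine\CA) + @(Get-ChildItem Cert:\LocalMachine\Root)
    $current = $leaf
    while ($current.Subject -ne $current.Issuer) {
        $issuer = $store | Where-Object { $_.Subject -eq $current.Issuer } | Select-Object -First 1
        if (-not $issuer) {
            "MISSING          : '$($current.Issuer)' is in neither Cert:\LocalMachine\CA nor Cert:\LocalMachine\Root"
            break
        }
        $current = $issuer
    }
}
```

For the chain in this post the script would stop at the first hop and report the “Encryption Everywhere DV TLS CA - G1” subject as missing, which is the same conclusion the MMC screenshot shows; a `PartialChain` status from `X509Chain` is the programmatic form of the “missing issuer” message in IIS.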

Download Certificates from the Official Website

Usually you can download trusted root certificates and intermediate certificates from the CA’s official website. From the certificate chain above, I need to download the following root certificate and intermediate certificate:

    Root certificate: DigiCert Global Root CA
    Intermediate certificate: Encryption Everywhere DV TLS CA - G1

Most official websites provide download links for the corresponding root certificates. After some searching, I found that the root certificate mentioned above can be downloaded from DigiCert Trusted Root Authority Certificates.

Match the certificate names, find the root and the intermediate certificate, and download both to your local machine. Let’s assume the root certificate is saved as “root.pem” and the intermediate certificate as “middle.pem”.

DigiCert Global Root CA
Encryption Everywhere DV TLS CA - G1

Or… you can directly download the complete certificate chain from MySSL.

Downloading Certificate Chain from MySSL.com

The downloaded certificate chain has the following format:

-----BEGIN CERTIFICATE-----
MIIGCDCCBPCgAwIBAgIQAe48iOSHl0K9KHZthVDL9zANBgkqhkiG9w0BAQsFADBu
......
BmoAiYiLOxDzfpW5Gm1+ij6A0pUmCdfGouUoZ2FkVMFJW5fvIXhlwAx14CbKx+y5
raMYUEBz+9xDxbgh
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEqjCCA5KgAwIBAgIQAnmsRYvBskWr+YBTzSybsTANBgkqhkiG9w0BAQsFADBh
....
rMKWaBFLmfK/AHNF4ZihwPGOc7w6UHczBZXH5RFzJNnww+WnKuTPI0HfnVH8lg==
-----END CERTIFICATE-----

The first part (the first “-----BEGIN CERTIFICATE-----” block) is the intermediate certificate, and the second part is the root certificate. Save them separately as “middle.pem” and “root.pem”.

Save the following content separately as middle.pem:
-----BEGIN CERTIFICATE-----
MIIGCDCCBPCgAwIBAgIQAe48iOSHl0K9KHZthVDL9zANBgkqhkiG9w0BAQsFADBu
......
BmoAiYiLOxDzfpW5Gm1+ij6A0pUmCdfGouUoZ2FkVMFJW5fvIXhlwAx14CbKx+y5
raMYUEBz+9xDxbgh
-----END CERTIFICATE-----


Save the following content separately as root.pem:
-----BEGIN CERTIFICATE-----
MIIEqjCCA5KgAwIBAgIQAnmsRYvBskWr+YBTzSybsTANBgkqhkiG9w0BAQsFADBh
....
rMKWaBFLmfK/AHNF4ZihwPGOc7w6UHczBZXH5RFzJNnww+WnKuTPI0HfnVH8lg==
-----END CERTIFICATE-----
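The split above done in PowerShell, as an added example that is not from the original post. Instead of relying on the order of the blocks in the file, it parses each certificate and identifies the root as the self-signed one (Subject equals Issuer), then writes “root.pem” and “middle.pem” as the post does by hand. It assumes the bundle downloaded from MySSL was saved as `chain.pem` in the current directory; that file name is an assumption.

```powershell
# Added example, not part of the original post: split a downloaded PEM bundle
# into root.pem and middle.pem and show which certificate is which.
# ASSUMPTION: the bundle was saved as .\chain.pem in the current directory.
$bundlePath = '.\chain.pem'
$text = Get-Content -Path $bundlePath -Raw

# Capture every "-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----" block.
$pattern = '-----BEGIN CERTIFICATE-----\s*(?<b64>[A-Za-z0-9+/=\r\n]+?)\s*-----END CERTIFICATE-----'
$blocks  = [regex]::Matches($text, $pattern)
if ($blocks.Count -eq 0) { throw "No PEM certificates found in $bundlePath" }

$parsed = foreach ($m in $blocks) {
    # Decode the Base64 body to DER and let .NET parse it, so Subject/Issuer
    # are read from the certificate rather than guessed from the file order.
    $der  = [Convert]::FromBase64String(($m.Groups['b64'].Value -replace '\s', ''))
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    [pscustomobject]@{
        Pem        = $m.Value
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        IsRoot     = ($cert.Subject -eq $cert.Issuer)   # a root CA certificate is self-signed
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
    }
}

# Show what was found; the Thumbprint column is what you compare against the
# fingerprint the CA publishes before trusting the root machine-wide.
$parsed | Format-Table IsRoot, Thumbprint, NotAfter, Subject -AutoSize

$roots = @($parsed | Where-Object IsRoot)
$mids  = @($parsed | Where-Object { -not $_.IsRoot })
if ($roots.Count -ne 1) { throw "Expected exactly one self-signed root in the bundle, found $($roots.Count)" }

# Every intermediate must be issued by another certificate in the bundle or by
# the root; otherwise the bundle itself is incomplete.
foreach ($mid in $mids) {
    if (-not ($parsed | Where-Object Subject -eq $mid.Issuer)) {
        Write-Warning "Bundle is incomplete: nothing in it issues '$($mid.Subject)'"
    }
}

# Write the files the post uses. ASCII keeps them plain PEM without a BOM.
Set-Content -Path .\root.pem   -Value $roots[0].Pem         -Encoding Ascii
Set-Content -Path .\middle.pem -Value ($mids.Pem -join "`n") -Encoding Ascii
"Wrote root.pem ($($roots[0].Subject)) and middle.pem ($($mids.Count) intermediate certificate(s))"
```

Because the root is the certificate that will be added to Trusted Root Certification Authorities for the whole machine, check its thumbprint against the fingerprint published on the CA’s own site (the DigiCert root certificates page mentioned above) rather than trusting whatever a third-party download contains; the table printed by the script gives you the value to compare.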

Importing Certificates

Now that we have the certificates ready, let’s import them.

In the MMC Console Root Node, go to:

    Trusted Root Certification Authorities - Certificates

Right-click and select:

    All Tasks - Import

Importing Root Certificate

Select “DigiCertGlobalRootCA” (which is the root.pem file) and click Next. Store the certificate in the Trusted Root Certification Authorities (click Next, leaving the default options).

Root Certificate Import Complete

Then, using the same method, on the left side navigate to:

    Intermediate Certification Authorities, then right-click - All Tasks - Import

Follow the import method above to import “middle.pem”. That’s it!

Intermediate Certificate Import Complete

Go back to IIS and Check the Certificate Chain

Finally, go back to the “Server Certificates” in IIS, and check the certificate path. You will see that the certificate is now valid and complete. And that’s it!

Certificate Chain
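The two imports and the final check done from an elevated PowerShell prompt, as an added example that is not part of the original post. It assumes “root.pem” and “middle.pem” are in the current directory, that the site certificate sits in the Local Computer “Personal” store, and that its subject contains the placeholder host name `www.example.internal`; the optional expected thumbprint is a placeholder you fill in from the CA’s published fingerprint.

```powershell
# Added example, not part of the original post: import root.pem into the
# Trusted Root store and middle.pem into the Intermediate store, then run the
# same chain build IIS performs to confirm the chain is now complete.
# ASSUMPTIONS: root.pem and middle.pem are in the current directory; the site
# certificate is in Cert:\LocalMachine\My and its subject contains $siteHost.
$siteHost = 'www.example.internal'   # placeholder: replace with your own host name

# Optional guard: set this to the fingerprint published by the CA itself to
# refuse a root.pem that does not match it (placeholder, compare before trusting).
$expectedRootThumbprint = $null      # e.g. 'AB CD ...' as printed on the CA's site

$rootFile = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path .\root.pem).Path)
if ($expectedRootThumbprint -and
    $rootFile.Thumbprint -ne (($expectedRootThumbprint -replace '[\s:]', '').ToUpper())) {
    throw "root.pem thumbprint $($rootFile.Thumbprint) does not match the published fingerprint"
}

# Import-Certificate (PKI module) writes into the store named by the path:
#   Cert:\LocalMachine\Root -> Trusted Root Certification Authorities
#   Cert:\LocalMachine\CA   -> Intermediate Certification Authorities
# On hosts without the PKI module, "certutil -addstore Root .\root.pem" and
# "certutil -addstore CA .\middle.pem" do the same thing.
$importedRoot = Import-Certificate -FilePath .\root.pem   -CertStoreLocation Cert:\LocalMachine\Root
$importedMid  = Import-Certificate -FilePath .\middle.pem -CertStoreLocation Cert:\LocalMachine\CA
"Imported root         : $($importedRoot.Subject) [$($importedRoot.Thumbprint)]"
"Imported intermediate : $($importedMid.Subject) [$($importedMid.Thumbprint)]"

# Re-run the chain build for the site certificate, as IIS does when it shows
# the certificate path. Revocation is skipped because the server is offline.
$leaf = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$siteHost*" -and $_.HasPrivateKey } |
    Select-Object -First 1
if (-not $leaf) { throw "No certificate with a private key found for $siteHost" }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if ($chain.Build($leaf)) {
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    "Chain complete, anchored at: $($top.Subject) [$($top.Thumbprint)]"
} else {
    $chain.ChainStatus | ForEach-Object { "Still broken: $($_.Status) - $($_.StatusInformation.Trim())" }
}
```

A successful run prints the full path ending at the DigiCert Global Root CA, which is the same result the IIS “Certificate path” tab shows in the last screenshot; the thumbprint printed for the anchor should be the one you verified before importing it.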