Fix an untrusted root or certificate error (Windows IIS only)
Required: These steps are for Windows IIS users only. For other platforms, see Fix an untrusted root or certificate chain error.
If you or your customers are seeing an "untrusted root" or SSL certificate chain error, your current SSL certificate may need additional certificates in the bundle so web browsers can trust your site. Follow these steps to fix this issue for Windows IIS.
For CSR and private key generated within IIS
- Download the new bundle and copy it to one of the IIS servers.
- Open MMC and add the certificate view snap in.
- Right-click Intermediate Certificates, select Import, and then browse to the .p7b file that came in the new bundle. Select the file and import it, and when the import is done you'll see a success message.
- Open IIS manager and go to Server Certificates.
- Select Complete Certificate Request and browse to the .cer that came in the bundle.
- Import the bundle to your local machine, and when the import is done you'll see a success message.
- In MMC, right-click the new certificate that was imported and select Export.
- Choose to export the private key as well, provide a new name/path for the .pfx, and then install the newly created .pfx on your webservers and bind to any site that needs it.
For CSR and private key generated externally (for example, in OpenSSL)
- Run this command to create a PFX file:
openssl pkcs12 -export -out [newFileName.pfx] -inkey [privateKey] -in [newBundleFileName]
where:
- newFileName is the output file name for the PFX (for example, coolexample_new.com.pfx)
- privateKey is the private key file (for example, coolexample.com.key)
- newBundleFileName is the certificate bundle to include (for example, coolexample.com_bundleNoG2.crt)
- Upload the PFX to your server and double-click to begin the install.
- Select Local Machine and select Next.
- Select Verify Filename and select Next.
- Select Input Password (we always recommend doing so for increased security), select Select Mark Key Exportable and then select Next.
- Select Automatically Select Certificate Store, select Next and then select Finish. When the import is complete, you'll see a success messsage.
View the certificate
No matter how you installed the bundle, here's how to view the installed certificate:
- Open a command prompt, type
MMCand press Enter. - In MMC, select File and then select Add/Remove Snap-in.
- In the left menu, select Certificates and select Add.
- Select Computer Account and then select Next.
- Select Local Computer and then select Finish.
- Select OK.
- Navigate back to Certificates (Local Computer), select Personal and then select Certificates. The new certificate appears in the list.
More info
- Why is GoDaddy removing ClientAuth EKU and transitioning to the R1 root hierarchy for DV TLS issuance?: Explains why you saw the "untrusted root" or certificate chain error in the first place.