Web Configurator Certificate Does Not Include the CA Certificate



  • I have previously created a certificate signing request from the certificate manager and signed it with our external company CA.

    Now it is due for renewal, so I generated a new certificate signing request and signed it with our external company CA.

    When I switch the web configurator to use the new certificate, my browser gives me an error about an unknown issuer. When I check the certificate the web configurator is sending the browser, it is only sending the server certificate and not including the CA certificate as part of the chain.

    If I switch back to the old certificate, it does include the CA certificate.
    I have verified that the imported server certificate is part of the chain. It shows up as linked to the CA certificate, which is present in the CAs tab.

    I also tried including the full chain like you would normally do for a web server (server cert first, then CA cert on the next line) and get the same result (CA cert is not sent to the browser).

    I also tried creating an internal CA and generating a certificate with that, but get the same result (CA certificate missing in handshake).

    I'm at a loss as to why this is happening. If anyone has suggestions on how to debug, it would be much appreciated.



  • Okay, I'm just being stupid. Apparently servers do not send the root certificate. The root certificate comes from the Certificate Store in Windows (to which I have added the root certificate via group policy). However, Firefox does not trust the Windows Certificate Store and maintains its own. I needed to add the CA certificate manually into Firefox. Now it works.
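
The behaviour described in the thread can be reproduced offline with `openssl verify`. This is an added example, not part of the original posts; the CA and host names are constructed for the demo. It shows that a root certificate only counts when it sits in the client's trust store, and that supplying it next to the server certificate does not make it trusted.

```bash
#!/bin/sh
# Build a throwaway root CA and a server certificate signed by it.
# "Demo Root CA" and "fw.example.test" are constructed names for this demo.
make_demo_pki() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=fw.example.test" \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/server.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 2 -out "$d/server.pem" 2>/dev/null
}

# Case 1: the root is in the client's trust store
# (the Windows store populated via group policy).
verify_root_in_store() { openssl verify -CAfile "$1/root.pem" "$1/server.pem" 2>&1; }

# Case 2: the root is absent from the client's store
# (Firefox before the manual import). Only the system default store is used.
verify_root_missing() { openssl verify "$1/server.pem" 2>&1; }

# Case 3: the root is only supplied alongside the server certificate, as if the
# server had sent it. -untrusted certificates help build the chain but are
# never treated as trust anchors.
verify_root_sent_only() { openssl verify -untrusted "$1/root.pem" "$1/server.pem" 2>&1; }

demo() {
  d=$(mktemp -d) || return 1
  make_demo_pki "$d" || return 1
  for check in verify_root_in_store verify_root_missing verify_root_sent_only; do
    if out=$("$check" "$d"); then verdict=OK; else verdict=FAIL; fi
    # Print the verdict and the last line of openssl's own explanation.
    printf '%-22s %-5s %s\n' "$check" "$verdict" "$(printf '%s\n' "$out" | tail -n 1)"
  done
  rm -rf "$d"
}

demo
```

Only the first case verifies; the other two fail because no trust anchor for the chain exists on the client side.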