Web Configurator Certificate Does Not Include the CA Certificate
-
I have previously created a certificate signing request from the certificate manager and signed it with our external company CA.
Now it is due for renewal so I generated a new certificate signing request and signed it with our external company CA.
When I switch the web configurator to use the new certificate, my browser gives me an error about unknown issuer. When I check the certificate the web configurator is sending the browser, it is only sending the server certificate and not including the CA certificate as part of the chain.
If I switch back to the old certificate it does include the CA certificate.
I have verified that the imported server certificate is part of the chain. It shows up as linked to the CA certificate which is present in the CAs tab. I also tried including the full chain like you would normally do for a web server (server cert first, then CA cert on the next line) and get the same result (CA cert is not sent to browser).
I also tried creating an internal CA and generating a certificate with that but get the same result (CA certificate missing in handshake).
I'm at a loss as to why this is happening. If anyone has suggestions on how to debug, it would be much appreciated.
-
Okay, I'm just being stupid. Apparently servers do not send the root certificate. The root certificate comes from the Certificate Store in Windows (to which I have added the root certificate via group policy). However, Firefox does not trust the Windows Certificate Store and maintains its own. I needed to add the CA certificate manually into Firefox. Now it works.
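
The resolution above, reproduced offline as an added example (not part of the original posts): the same leaf certificate, presented without its root, verifies against a trust store that holds the issuing CA and fails with "unable to get local issuer certificate" against one that does not. All names, files and the `make_demo_pki` / `verify_leaf` helpers are constructed for the demo; it assumes the `openssl` CLI is installed.

```shell
#!/usr/bin/env bash
# Constructed demo PKI: throwaway keys and made-up subject names.

make_demo_pki() {   # $1 = working directory
  local d="$1"
  # Company root CA (the one distributed to one trust store only).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Company Root CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
  # Unrelated root, standing in for a trust store that lacks the company CA.
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Unrelated Root CA" \
    -keyout "$d/other.key" -out "$d/other.crt" 2>/dev/null &&
  # Server key + CSR, then sign the CSR with the company root.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=webconfigurator.example.test" \
    -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null &&
  openssl x509 -req -in "$d/srv.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/srv.crt" 2>/dev/null
}

# Verify a leaf the way a client does: the server supplies only the leaf,
# the trust anchor must already be in the client's own store ($1).
verify_leaf() {     # $1 = trust store (PEM), $2 = leaf certificate
  openssl verify -CAfile "$1" "$2"
}

demo() {
  local d
  d=$(mktemp -d) || return 1
  make_demo_pki "$d" || { rm -rf "$d"; return 1; }
  echo "== store containing the company CA =="
  verify_leaf "$d/ca.crt" "$d/srv.crt"
  echo "== store without the company CA =="
  verify_leaf "$d/other.crt" "$d/srv.crt" 2>&1 || echo "(rejected: issuer unknown)"
  rm -rf "$d"
}

demo
```

To see which certificates a live server actually puts on the wire, `openssl s_client -connect host:443 -showcerts` prints each one it sends.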