Configuring a Windows Server to Send a Cross-Signed Certificate

Background

All DigiCert® SSL Certificates issued with expiration dates after January 2011 are issued from a 2048-bit certificate path. The root certificate in this path is titled DigiCert High-Assurance EV Root CA and is already trusted by all modern browsers.

Windows automatically determines which intermediate certificates to send to clients based on which root certificates it finds in its root certificate authorities certificate store. When a DigiCert High-Assurance EV Root CA root certificate is present in the root certificate authorities certificate store, Windows does not include the Cross-Signed certificate.

To confirm that you have this problem, use our online SSL Certificate Tester which works on all publicly-accessible sites. This tester will tell you whether your server is sending the correct intermediate certificates to clients.

The quickest way to resolve this issue is by using our DigiCert SSL Utility for Windows. However, you can also complete the steps below.

Disabling the Root Certificate on your Server

Disabling the DigiCert High-Assurance EV Root CA root certificate in your server's root certification authorities certificates store allows Windows to build a correct path of intermediate certificates to give to clients.

Correcting this problem involves two tasks:

  1. Check for the DigiCert High-Assurance EV Root CA in the server's root certification authorities certificates store and disable it if necessary.
  2. Check the server's intermediate certificate store for the necessary intermediate certificate files and install them if necessary.

Note: In some situations disabling the DigiCert High-Assurance EV Root CA as described below may not prevent your server from using the problem certificate. In those cases, it is necessary to delete the DigiCert High-Assurance EV Root CA. If you are considering doing this, please note that in rare instances deleting the root certificate can have a negative impact on server stability.

Disabling the DigiCert High-Assurance EV Root CA

If the DigiCert High-Assurance EV Root CA is present in the trusted root certificate store, it should be disabled.

Usually this is the only step that you need to complete. However, it's still a good idea to check and make sure that the correct intermediate certificate files are installed.

To check for the trusted root file:

  1. On the Start menu click Run and then type mmc.

  2. Click File > Add/Remove Snap-in.

  3. Click Certificates > Add and then close the Add Standalone Snap-in window. Click OK.

  4. Select Computer Account and then click Next. Select Local Computer and then click Finish. Then close the Add Standalone Snap-in window and the Add/Remove Snap-in window.
  5. Click the + to expand the certificates (local computer) console tree and look for the personal directory/folder. Expand the certificates folder.
  6. Find the Trusted Root Certification Authorities folder and expand Certificates.
  7. Look for the file issued to and by DigiCert High-Assurance EV Root CA with a 11/9/2031 expiration date.

  8. Double-click that file and navigate to the Details tab.

  9. Click Edit Properties and then choose Disable all purposes for this certificate in the Certificate Purposes field.

  10. Click OK. You may need to restart your server for this change to take effect.

Checking the Intermediate Certificate Store

This step should have been taken completed when you installed your DigiCert certificate(s). However, it's still a good idea to check and make sure that the correct intermediate certificate files are installed.

  1. In the MMC Certificate Snap-in, open the Intermediate Certification Authorities folder.
  2. In the Certificates folder, find the DigiCert High-Assurance EV Root CA file.

    For standard SSL Certificates (SSL Plus, Wildcard, Multi-Domain SSL) also find the DigiCert High-Assurance CA-3 file. For EV SSL Certificates find the DigiCert High-Assurance EV CA-1 file.

  3. If you find the files, you do not need to complete the rest of the steps. If you can't find the files, download them from our site via the links below.

    SSL Plus/Wildcard/Multi-Domain SSL Certificates: DigiCert High-Assurance EV Root CA  :  DigiCert High-Assurance CA-3
    EV certificates: DigiCert High-Assurance EV Root CA  :  DigiCert High-Assurance EV CA-1

  4. Once they are downloaded, double-click the file and click Open > Install Certificate.

  5. In the Certificate Import Wizard, choose Next.

  6. Choose Place all certificates in the following store and then click Browse.

  7. Select Show physical stores and then install the certificates to the Local Computer folder under Intermediate Certification Authorities.

  8. Finish the Certificate Import Wizard. You should get a message that the import was successful.

    Your certificate is now installed. You can use our online SSL Certificate Tester to check your certificate installation.