Verifying certificate chaining with Internet Explorer

It is possible to successfully install an InCommon SSL certificate on a host, but still have client browsers report SSL errors when connecting to the site. This is usually caused by a certificate either being installed partially or incorrectly. To validate that an InCommon SSL certificate has been installed successfully, and will not report errors for users with Internet Explorer, follow the steps outlined below.

An important part of the InCommon SSL certificate foundation to understand is that the InCommon Intermediate certificate is what provides trust of a server's host certificate. This InCommon Intermediate certificate, in turn, is trusted by the AddTrust External Root Certificate Authority (CA). While the AddTrust External Root CA is installed by default with most browsers, the InCommon Intermediate certificate often is not. Because of this, a server using an InCommon SSL certificate must include at least the host (client) and intermediate certificates, which are sent to a requesting client's browser upon connection; it may include the root certificate as well.

Remove the existing InCommon Intermediate certificate from the browser (if it exists)

To ensure that the intermediate certificate is properly installed, we must ensure it is not already installed in Internet Explorer on the client from which we are going to test an SSL connection.

  1. In Internet Explorer, select "Internet Options" from the "Tools" menu.
  2. Select the "Content" tab, and click on the "Certificates" button.
  3. Select the "Intermediate Certification Authorities" tab (as shown in Figure 1), and select the "InCommon Server CA" (if it exists).
  4. Click "Remove" to delete the InCommon Intermediate certificate from IE, and click "Yes" in the dialog box to confirm the intention to delete it.
  5. Close and restart Internet Explorer to ensure the Intermediate certificate is not cached.

Figure 1. Certificates

Test Certificate Installation

Now that the browser does not have the InCommon Intermediate certificate installed, we can test that the certificate is properly installed.

  1. In Internet Explorer, select "Internet Options" from the "Tools" menu.
  2. Select the "Content" tab, and click on the "Certificates" button.
  3. Select the "Intermediate Certification Authorities" tab (as shown in Figure 1), and ensure the "InCommon Server CA" intermediate certificate is not present.
  4. Browse to your website and ensure that no error messages are received, and that the gold SSL padlock icon appears indicating a secure connection.
  5. (Optional) Follow steps 1 through 3 above to ensure the "InCommon Server CA" intermediate certificate is once again present.

Possible Errors

If you receive an error or warning when attempting to access the InCommon certificate protected website, check the following possibilities:

Certificates in Wrong Order

It's possible that the certificates were installed in the incorrect order. Often, but not always, these are in the certificate file (on the server) in Root, Intermediate, Client order. If they are in reverse, or otherwise incorrect, order, Internet Explorer will often display only the Root certificate in the full Certification Path. To view the full Certification Path:

  1. In the window or popup that appears indicating that the certificate is not valid or untrusted, click the "View certificates" message.
  2. In the Certificate dialog box, click on the "Certification Path" tab.
  3. Verify that the Certification Path shows three (3) certificates: the USERTrust Root certificate, the "InCommon Server CA" intermediate certificate, and your client certificate (as shown in Figure 2).

If only the client certificate name is listed, the certificates are likely in an incorrect order in your certificate file (on the server).

Figure 2. Certificate with all three certificates properly chained together
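The browser test above depends on what the client has cached, so it helps to check the server's certificate file directly as well. The following Go program is an added example (not part of this page or of InCommon's tooling): CheckChainOrder reads a PEM bundle as the server would send it and confirms that the host certificate comes first, that the intermediate is present, and that each certificate is signed by the one after it; ConstructedChain issues a made-up root, intermediate and host certificate so the checker can be exercised offline (names such as "Test Root CA" and "www.example.edu" are constructed test data).

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)
// CheckChainOrder verifies a server's PEM bundle: host certificate first, intermediate included, every link signed by the next.
func CheckChainOrder(bundle string) error {
	var certs []*x509.Certificate
	for b, rest := pem.Decode([]byte(bundle)); b != nil; b, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(b.Bytes)
		if err != nil {
			return err
		}
		certs = append(certs, c)
	}
	if len(certs) < 2 || certs[0].IsCA {
		return fmt.Errorf("bundle must start with the host certificate and include the intermediate")
	}
	for i := 0; i+1 < len(certs); i++ { // each certificate must be issued by the one that follows it
		if err := certs[i].CheckSignatureFrom(certs[i+1]); err != nil {
			return fmt.Errorf("%q is not signed by %q (wrong order or missing intermediate): %v", certs[i].Subject.CommonName, certs[i+1].Subject.CommonName, err)
		}
	}
	return nil
}
// ConstructedChain issues a made-up root, intermediate and host certificate (test data, not InCommon's) and returns each as PEM.
func ConstructedChain() (leaf, inter, root string) {
	issue := func(cn string, ca bool, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, string) {
		pub, key, _ := ed25519.GenerateKey(rand.Reader)
		tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), IsCA: ca, BasicConstraintsValid: true}
		tmpl.Subject.CommonName, tmpl.NotBefore, tmpl.NotAfter = cn, time.Now(), time.Now().Add(time.Hour)
		if parent == nil { // no issuer given: self-signed root
			parent, signer = tmpl, key
		}
		der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
		if err != nil {
			panic(err)
		}
		return tmpl, key, string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
	}
	rc, rk, rootPEM := issue("Test Root CA", true, nil, nil)
	ic, ik, interPEM := issue("Test Intermediate CA", true, rc, rk)
	_, _, leafPEM := issue("www.example.edu", false, ic, ik)
	return leafPEM, interPEM, rootPEM
}
```

To check a real server file, pass its contents to CheckChainOrder; a bundle in Root, Intermediate, Client order, or one without the intermediate, is reported as an error.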