The certificate chain consists of issuing certificates and the actual server certificate.
The trust of the certificate chain is based on the ROOT certificate. At its simplest, the server's certificate can be issued directly from the ROOT certificate. In practice this is not the case: the server certificate is issued from an intermediate certificate. An intermediate certificate can also be the terminating certificate of the chain.
When moving from SHA1 certificates to SHA2 certificates, several certificate providers created a new intermediate certificate for the transition period. At that time, Entrust's SHA2 certificate chain was four-step: ServerCertificate > Intermediate1 > Intermediate2 (G2) > Entrust ROOT. Among these "intermediate certificates", Entrust Intermediate G2 already works as a terminating ROOT certificate on several devices. Today, the certificate chain from Entrust's portal is three-step by default: ServerCertificate > Intermediate > Entrust Root Certification Authority - G2.
How-to videos & tips
Installing the certificate using the MMC console
One of the ways to install a certificate on a Windows server is to use the MMC console. The video shows how the server certificate is exported to the container intended for it on a Windows server.
F5 Big IP
Tips when installing the certificate
Certificate file format
Entrust has configured its service so that, when downloading the certificate, you can select a server type if necessary, which determines the format in which the certificate is downloaded. For example, if you want the certificate files in a format suitable for Apache, selecting that server type downloads the certificates as a zip file in which the Root and Intermediate certificates are bundled together and the server certificate is a separate file, as follows:
Problems with the installation?
Problems with the operation of the certificate that arise during or after the installation are often due to either a missing Private Key or an incomplete certificate chain. If you run into problems, check at least the following:
- If you are installing several different certificates at the same time, make sure that the certificate file you are processing is correct. The certificate must be installed on the server that has the corresponding Private Key.
- Check the chaining of the certificate. You can see this, for example, under Certificate > Certification Chain. Below is an example of a properly chained certificate on Wesentra Oy's website:
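The two checks above (the Private Key belongs to the certificate, and the chain is complete) can also be run from the command line with OpenSSL. This is an added example, not part of the original page or of Entrust's instructions; it assumes the openssl command-line tool is installed, and the function names, file names and demo certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example. All keys and certificates below are constructed test data.

# Succeeds when the private key belongs to the certificate (identical public keys).
key_matches_cert() {   # usage: key_matches_cert server.crt server.key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Succeeds when server.crt chains up to root.crt using only the intermediates supplied.
chain_complete() {     # usage: chain_complete root.crt server.crt [intermediates.pem]
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# Hypothetical helper: new RSA key and CSR, written to <prefix>.key and <prefix>.csr.
new_csr() { openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null; }

# Builds a constructed three-step chain (server > intermediate > root) in directory $1.
make_demo_chain() {
    printf 'basicConstraints=critical,CA:TRUE\n' > "$1/ca.ext"
    new_csr "$1/root" "Demo Root" &&
    openssl x509 -req -in "$1/root.csr" -signkey "$1/root.key" \
        -extfile "$1/ca.ext" -days 2 -out "$1/root.crt" 2>/dev/null &&
    new_csr "$1/int" "Demo Intermediate" &&
    openssl x509 -req -in "$1/int.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
        -CAcreateserial -extfile "$1/ca.ext" -days 2 -out "$1/int.crt" 2>/dev/null &&
    new_csr "$1/server" "demo.example" &&
    openssl x509 -req -in "$1/server.csr" -CA "$1/int.crt" -CAkey "$1/int.key" \
        -CAcreateserial -days 2 -out "$1/server.crt" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null   # unrelated key for the mismatch case
}

d=$(mktemp -d) && make_demo_chain "$d" || exit 1
key_matches_cert "$d/server.crt" "$d/server.key" && echo "server.key matches server.crt"
key_matches_cert "$d/server.crt" "$d/other.key"  || echo "other.key does not match server.crt"
chain_complete "$d/root.crt" "$d/server.crt" "$d/int.crt" && echo "chain verifies with the intermediate"
chain_complete "$d/root.crt" "$d/server.crt" || echo "chain incomplete without the intermediate"
rm -rf "$d"
```

With real files, pass the downloaded server certificate, the key generated on the server, and the intermediate (or bundle) file from the zip in place of the demo files.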
Are you getting the following error? "NET::ERR_CERTIFICATE_TRANSPARENCY_REQUIRED"
The error message indicates that when the certificate was created, it was not configured to be published to the CT (Certificate Transparency) log, and thus some browsers treat the certificate as untrusted. This error can be corrected by recreating the certificate with CT logging set to active. In Entrust's portal, this function can be found in the menu under the name "Reissue".
Links for installation instructions
Server-specific instructions for selected environments
Below you will find links to server-specific certificate installation instructions on Entrust's website.
The instructions behind the links are in English.