Certificate trust error after updating SSL server certificate from new Intermediate or Root CA.
Article ID: CTX571044
Description
After updating a server SSL certificate, users receive a certificate trust error such as "You have not chosen to trust 'DigiCert Global Root G2', the issuer of the server's security certificate." or "NET::ERR_CERT_AUTHORITY_INVALID".
Resolution
If the issuing Certificate Authority provided a certificate bundle (Server Certificate + Intermediate CA + Root CA), installing the PFX file on the NetScaler installs all 3 certificates, but they may not be linked automatically. Use the steps below to link the certificates:
- On the NetScaler admin GUI, navigate to Traffic Management > SSL > Certificates > All Certificates
- Select the new certificate and select the Link option from the "Select Action" dropdown menu.
- Repeat the above steps for the new Intermediate and Root certificates. This will complete the linking of the certificate chain.
If the issuing Certificate Authority provided separate certificate files (Server Certificate + Intermediate CA + Root CA), install all 3 certificates on the NetScaler (ADC) and link them using the steps above.
Problem Cause
The new server certificate's issuer is not exactly the same as the previous certificate's issuer.
For example:
The old certificate chain could be:
Old Server Certificate < DigiCert TLS RSA SHA256 2020 CA1 (Intermediate CA) < DigiCert Global Root CA
The new certificate chain could be:
New Server Certificate < DigiCert Global G2 TLS RSA SHA256 2020 CA1 (Intermediate CA) < DigiCert Global Root G2
The Intermediate and Root CA have changed, so the new Intermediate and Root CA certificates need to be installed on the NetScaler (ADC) and linked.
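The issuer matching described above can be checked before linking. The following is an added example, not Citrix or DigiCert code: it walks from the server certificate to a self-signed root by exact issuer name and returns the link pairs, or names the issuer that is not installed. The certkey names, the `www.example.com` subject and the `plan_links` helper are hypothetical.

```python
# Added example. Certkey names and inventories are constructed for illustration.
# Assumption: issuer/subject are matched by exact name only; real validation
# also checks signatures and key identifiers.
OLD_INT = "DigiCert TLS RSA SHA256 2020 CA1"
OLD_ROOT = "DigiCert Global Root CA"
NEW_INT = "DigiCert Global G2 TLS RSA SHA256 2020 CA1"
NEW_ROOT = "DigiCert Global Root G2"

# certkey name -> (subject, issuer). Only the old CA certificates are installed.
BEFORE = {
    "new_server": ("www.example.com", NEW_INT),
    "old_int": (OLD_INT, OLD_ROOT),
    "old_root": (OLD_ROOT, OLD_ROOT),
}
# The same appliance after the new Intermediate and Root CA are installed.
AFTER = dict(BEFORE, new_int=(NEW_INT, NEW_ROOT), new_root=(NEW_ROOT, NEW_ROOT))


def plan_links(certs, leaf):
    """Return (links, problem) for the chain that starts at certkey `leaf`.

    links: (certkey, issuer certkey) pairs, in the order they should be linked.
    problem: None when the chain reaches a self-signed root, else a message.
    """
    by_subject = {subject: name for name, (subject, _) in certs.items()}
    links, current, seen = [], leaf, {leaf}
    while True:
        subject, issuer = certs[current]
        if subject == issuer:      # self-signed root: chain is complete
            return links, None
        parent = by_subject.get(issuer)
        if parent is None:         # issuer name is not exactly matched by any cert
            return links, f"missing issuer certificate: {issuer}"
        if parent in seen:         # guard against certificates that issue each other
            return links, f"issuer loop at: {issuer}"
        links.append((current, parent))
        seen.add(parent)
        current = parent


if __name__ == "__main__":
    for label, inventory in (("before", BEFORE), ("after", AFTER)):
        links, problem = plan_links(inventory, "new_server")
        print(label, links, problem or "chain complete")
```

Each returned pair corresponds to one use of the Link action in the GUI steps.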
Issue/Introduction
If the new server certificate's issuer is not exactly the same as the previous certificate's issuer, the new issuer's certificate will need to be installed on the NetScaler (ADC) and linked to the new server certificate.
1. On the NetScaler admin GUI, navigate to Traffic Management > SSL > Certificates > All Certificates, select the new certificate, and then select the Link option from the "Select Action" dropdown menu.
2. Repeat the above steps for the new Intermediate and Root certificates. This will complete the linking of the certificate chain.
Additional Information
For additional information on this from DigiCert, please visit:
DigiCert root and intermediate CA certificate updates 2023