If you received and installed a certificate in the PEM format on your Windows server, you may need to additionally install intermediate certificates to your machine. If the intermediate certificates are missing on the server, some browsers may show warnings about the certificate being untrusted.
Intermediate certificates can be imported to the Windows machine via Microsoft Management Console (MMC). Please take the following steps to import the intermediate certificates on your machine.
- Add certificate snap-in.
Launch MMC. Click on the Start menu > Run. Type in mmc and press OK.
Click on File and choose the Add/Remove Snap-in option.
Select Certificates from the Available snap-ins list and click the Add button.
Choose Computer account to manage the certificate and click Next.
Select Local Computer and press the Finish button.
Certificates snap-in was selected. Click OK to add it to the console.
- Import intermediate/root certificates.
To import an intermediate certificate, right-click on Intermediate Certification Authority > All Tasks > Import
To import a root certificate, right-click on Trusted Root Certification Authority > All Tasks > Import
Clicking on the Import button will run the Certificate import wizard.
Browse the intermediate certificate file you want to import to your computer and click Next.
Select the certificate store you want to import the certificate into - Intermediate Certification Authorities for intermediate certificates and Trusted Root Certification Authorities for root certificates.
If you have several intermediate/root certificates in a single file, you can choose the option ‘Automatically select the certificate store based on the type of certificate’. Wizard will detect the type of the certificates and import them into the corresponding stores.
Click the Finish button to complete the wizard. The certificate has been successfully imported.
Note: Generally, the root certificates for SSL we provide should be already pre-installed on the Windows machine. So, a manual root certificate import may only be needed if the root certificate was removed intentionally.
Also, when establishing the handshake, the root certificates are not returned by Windows servers to the clients, so some SSL checking tools may show that the root certificate is missing.