If you have renewed a Thawte SSL certificate or purchased a new one since 26th July 2010, you may encounter SSL certificate trust errors when clients connect to published websites such as Outlook Web Access.
Web browsers will return an error such as:
The security certificate issued by this website was not issued by a trusted certificate authority
On inspection of the certificate presented by the website you may see this error:
The issuer of this certificate could not be found
This can be confusing for people who assume that any certificate issued by a commercial CA such as Thawte will be trusted by devices and web browsers that people are connecting from, especially when it occurs after renewing an existing Thawte SSL certificate.
Thawte has published the reason for this:
On June 27 2010, in the interest of better security, thawte signed all certificates with a primary and secondary intermediate that need to be installed along with the SSL certificate. Any certificate issued on or after this date requires the primary and secondary intermediate to be installed.
The new certificates are issued by an intermediate CA known as “Thawte SSL CA”. This CA is not automatically trusted by most web browsers. Thawte provides instructions for installing the correct certificates on the web server or ISA Server that is publishing the website.
Take note of the final steps: the change may not take effect until IIS or ISA Server is restarted.
If your site still has the chaining error, restart the IIS service. If the problem continues, the whole server needs a reboot to use the new roots.
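The failure described above can be reproduced offline. This is an added example, not from the original post or from Thawte: it generates a constructed root, intermediate and server certificate with OpenSSL and shows that the server certificate verifies only when the intermediate is supplied alongside it. All certificate names are hypothetical stand-ins, and the `openssl` command-line tool is assumed to be installed.

```bash
#!/usr/bin/env bash
# Constructed demo PKI (generated locally): root -> intermediate -> server.
# All names below are hypothetical stand-ins, not Thawte's real certificates.

build_demo_pki() {  # $1 = existing directory to populate
    local d="$1" name
    printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=unused\n' > "$d/req.cnf"
    printf 'basicConstraints=critical,CA:TRUE\n' > "$d/ca.ext"
    for name in root intermediate server; do
        openssl req -new -newkey rsa:2048 -nodes -config "$d/req.cnf" \
            -subj "/CN=Demo $name" -keyout "$d/$name.key" \
            -out "$d/$name.csr" 2>/dev/null || return 1
    done
    # Root: self-signed; this is the only certificate the client trusts.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null || return 1
    # Intermediate CA: signed by the root.
    openssl x509 -req -in "$d/intermediate.csr" -CA "$d/root.pem" \
        -CAkey "$d/root.key" -CAcreateserial -days 2 \
        -extfile "$d/ca.ext" -out "$d/intermediate.pem" 2>/dev/null || return 1
    # Server certificate: signed by the intermediate, not by the root.
    openssl x509 -req -in "$d/server.csr" -CA "$d/intermediate.pem" \
        -CAkey "$d/intermediate.key" -CAcreateserial -days 2 \
        -out "$d/server.pem" 2>/dev/null || return 1
}

# Succeeds only if a chain can be built from the server certificate ($2) to
# the trusted root ($1), using the certificates the server sends ($3, optional).
chain_verifies() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

demo=$(mktemp -d)
build_demo_pki "$demo" || { echo "openssl failed to build demo PKI" >&2; exit 1; }
if chain_verifies "$demo/root.pem" "$demo/server.pem"; then
    echo "server certificate alone: trusted"
else
    echo "server certificate alone: issuer not found"
fi
if chain_verifies "$demo/root.pem" "$demo/server.pem" "$demo/intermediate.pem"; then
    echo "server certificate + intermediate: trusted"
else
    echo "server certificate + intermediate: NOT trusted"
fi
rm -rf "$demo"
```

Against a live site, `openssl s_client -connect <host>:443 -showcerts` prints the certificates the server actually sends, so you can confirm the intermediate is among them after the IIS or ISA Server restart.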