Users with Windows servers may sometimes receive an "untrusted connection" error, when connecting to their websites, despite the fact that a PKCS#7 certificate with the full chain was imported on the server. The issue is more frequent on mobile devices, rather than on desktop machines, and occurs most commonly with Comodo certificates.
When checking the certificate installation in an online checker, you will see that the certificate is returned with one intermediate.
To understand what causes the issue and how to overcome it, we will provide a better understanding on how Windows servers work with SSL certificates. First, remember that Windows servers do not return root certificates during SSL handshake and they build up certificate chains using the shortest way they can find.
Let us investigate this issue using the example of a Comodo PositiveSSL certificate. PositiveSSL (and other Comodo certificates) has two variants of CA chain. One ends up with SHA-1 root certificate and the other is completed by a newer SHA-2 root, which is not included in trusted stores of most mobile devices and might be missing in old versions of desktop browsers.
Newer versions of Windows servers contain both AddTrust External CA Root (SHA-1 root) certificates and Comodo RSA Certification Authority (SHA-2 root). As you see from the screenshot above, the chain that ends up with SHA-2 root is shorter. Therefore, the server will prefer the chain file that ends up with Comodo RSA Certification Authority. Taking into account that the root certificate is not sent by the server gives us the end-entity certificate with one intermediate submitted to client and possible security warnings about the certificate being untrusted.
In order to overcome the issue, you’ll need to disable the usage of the root certificate that prevents building a proper certificate chain. Follow the steps below:
This should resolve the issue with the certificate chain returned by the Windows server and remove all the warnings in browser.