We have a website on a Windows 2003 server published using TMG 2010 with a Thawte SSL certificate on the listener and our own internally issued cert on the website itself. This has been working fine. Our certificate has just expired and I have renewed it. Thawte are now issuing using intermediate CAs.

I have got our new Thawte web server cert in the Personal store, the Thawte Premium Server CA cert in the Trusted Root CA store, the Thawte Primary Root CA cert in the Intermediate CA store, and the Thawte SSL CA cert in the Intermediate CA store. I have had Thawte support look at it using their online support, but they only really know IIS, not ISA/TMG. But they say the certs are all installed correctly.

When I check on the TMG 2010 machine the cert shows the whole chain working correctly. When I try IE from a client machine it comes up with the good old cert error saying it's not issued by a trusted CA. In the certification path it shows only "issued by Thawte SSL CA".

Does anyone know how to get the certification path working?

tshinder -> RE: Thawte Certificate renewal (13.Aug.2010 9:45:11 AM)

Is it that the client doesn't trust the CA?


JoshODBrown -> RE: Thawte Certificate renewal (23.Aug.2010 6:56:42 PM)

I have been experiencing the exact same issue with a recent Thawte SSL certificate renewal over the weekend.

Have you been able to resolve the issue yet?


FN -> RE: Thawte Certificate renewal (24.Aug.2010 10:14:25 AM)


Maybe I could be of some help, since I had a horrible day last week with a wildcard certificate from Thawte. Thawte changed their intermediate certificates somewhere around 27.06.2010, and many are having similar problems; their KB is badly organized and I was digging through it the whole day, and some of the articles were updated after my search. Anyway, my situation was like this and I hope it will help you out with resolving your problem.

Certificate: Thawte Wildcard SSL
Request sent from IIS7 on Windows 2008 R2
Website published through TMG 2010 SP1

First check your website using this tool: input your website and it will validate your certificate and show you if everything is ok and if the chain is broken.

My problem was a broken chain. To resolve it you'll find KB articles pointing to each other about installing the intermediate certificates (3 of them). I managed to find the ssl_pkcs7.p7b package on their support site, but not anymore :( These are for the wildcard certificate; I'm not sure if Thawte is using an additional one for other types. I navigated from here for IIS

For some reason I can't upload file here. I'll put it on hotfile, just unrar it.

Import it into the Intermediate store on both IIS and TMG. I rebooted both servers after the import; after that I used the SSLShopper tool once more to verify it, and now it finally works.

Hope it helps you :)

JoshODBrown -> RE: Thawte Certificate renewal (25.Aug.2010 1:41:13 AM)

I found that FN's post was very helpful. Turns out we had the intermediate CAs installed OK, but the missing piece of the puzzle was a reboot on the ISA server. I had an opportunity to schedule a brief outage this evening to do the reboot, and used the SSL Checker on the SSLShopper website. Also found that Thawte has their own similar utility at

So in a nutshell, for a standard SSL web server certificate under IIS, Thawte has this KB article that describes dealing with the intermediate CAs, plus a Trusted Root CA that needs to be disabled. These same steps can more or less be used for the ISA server as well to verify that the required certificates are installed.
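Worked example, added by the editor and not code from the thread, from Thawte or from Microsoft: a PowerShell script that does the two things FN's steps and JoshODBrown's summary both come down to, importing the intermediate bundle into the machine's Intermediate Certification Authorities store and then building the chain for the listener certificate the same way the Windows chain engine (and therefore TMG/ISA) does, so you can see which store each link was found in and which status flags it carries. The bundle path C:\certs\ssl_pkcs7.p7b and the subject CN=www.example.com are assumptions; substitute your own. Run it in an elevated PowerShell on the TMG/ISA box and again on the IIS box.

```powershell
# Added example, not from the thread. Assumed inputs: adjust both before running.
$bundlePath        = 'C:\certs\ssl_pkcs7.p7b'   # the Thawte intermediate bundle (hypothetical path)
$serverCertSubject = 'CN=www.example.com'       # subject of the listener cert (hypothetical name)

# 1. Import every non-self-signed certificate from the bundle into LocalMachine\CA,
#    which is the "Intermediate Certification Authorities" store. Self-signed roots are
#    skipped on purpose: a root belongs in Trusted Root, never in the intermediate store.
$bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$bundle.Import($bundlePath)                      # accepts a .p7b (PKCS#7) bundle or a single .cer
$caStore = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'CA', 'LocalMachine'
$caStore.Open('ReadWrite')
foreach ($c in $bundle) {
    if ($c.Subject -eq $c.Issuer) { Write-Host "skipping self-signed root: $($c.Subject)"; continue }
    if ($caStore.Certificates.Contains($c)) { Write-Host "already present: $($c.Subject)"; continue }
    $caStore.Add($c)
    Write-Host "imported intermediate: $($c.Subject)"
}
$caStore.Close()

# 2. Locate the listener certificate in LocalMachine\My (the Personal store).
$myStore = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'My', 'LocalMachine'
$myStore.Open('ReadOnly')
$serverCert = $myStore.Certificates | Where-Object { $_.Subject -eq $serverCertSubject } | Select-Object -First 1
$myStore.Close()
if (-not $serverCert) { throw "no certificate with subject '$serverCertSubject' in LocalMachine\My" }

# 3. Build the chain with the local stores, as the server itself will when it picks the
#    certificates to send on the wire. Revocation checking is disabled so that only the
#    chain structure is being tested; a missing intermediate shows up as PartialChain.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$chainOk = $chain.Build($serverCert)

Write-Host ''
Write-Host ("chain builds: {0}" -f $chainOk)
$i = 0
foreach ($el in $chain.ChainElements) {
    $status = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
    if (-not $status) { $status = 'ok' }
    Write-Host ("  [{0}] {1,-60} status: {2}" -f $i, $el.Certificate.Subject, $status)
    $i++
}
if (-not $chainOk) {
    $chain.ChainStatus | ForEach-Object { Write-Host ("  problem: {0} {1}" -f $_.Status, $_.StatusInformation.Trim()) }
}
```

A chain that builds here with every element "ok" and ends in a self-signed root means the server has what it needs; if the last element is an intermediate and the status reads PartialChain, the bundle did not supply the missing issuer. On a Windows 2003 box without PowerShell, `certutil -addstore CA ssl_pkcs7.p7b` performs the same import into the intermediate store. This script only examines the server's own stores, which is exactly the view the original poster already had ("on the TMG 2010 machine the cert shows the whole chain"); the browser on a client machine does not have that intermediate store and only succeeds if the listener sends the intermediates along with the server certificate. So, as both FN and JoshODBrown found, after the import and the reboot of the TMG/ISA box, repeat the check from outside with one of the online checkers they mention, because that is the view the client sees.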


