Warning: The CA certificate does not sign the certificate.

[chucksmith]

I get the error "Warning: The CA certificate does not sign the certificate." when I try to install our VeriSign SSL CA Certificate as instructed at http://www.verisign.com/support/verisign-intermediate-ca/secure-site-pro-intermediate/index.html into Plesk. I have also tried overriding Plesk in Apache as instructed at http://forum.sw-soft.com/showthread.php?threadid=15468 but that also did not work. I have also tried shutting down and restarting the Apache service, but that has no effect.

Does anyone know of a possible workaround for this problem? We are running FreeBSD 5.3 with Plesk 7.5.2. We need an answer as soon as possible as we are trying to go live tomorrow and thus need a working SSL certificate.

You can see the certificate on a page by going to https://www.fun-electronics.com/admins/phpinfo.php

Thank you,
Chuck

 

[jamesyeeoc]

Before trying to circumvent the Plesk certificate handling as in the other thread you posted, did you try the Plesk instructions (in the admin manual)?? You can find them here:

http://download1.sw-soft.com/Plesk/Plesk7.5/Doc/plesk-7.5r-admins-guide-html/ch03s12.html

Skip to the section titled:

Uploading Certificates or Certificate Parts to SSL Certificates Repository

and continue on from that point in the document.

 

[chucksmith]

I have read that webpage many times. No matter how many times I upload the CA certificate from Verisign at http://www.verisign.com/support/verisign-intermediate-ca/secure-site-pro-intermediate/index.html into Plesk, it always gives me the same error "Warning: The CA certificate does not sign the certificate." It does not matter whether I enter it as text or as a file, I get the same result.

I've double-checked and triple-checked the certificates to make sure they are the same as what I entered. Do you have any other ideas of how I could fix this or of a workaround?

 

[chucksmith]

I really cannot believe it. We did nothing to it this morning, but yet our consultant looked at the sites and it is now working. If only all problems could just be fixed by waiting.

If you have this problem, it might be resolved just by waiting it out.

 

[frodelau]

Same problem

I have the same problem with a securessl certificate (comodo). It worked fine on the first of two certificates.

I have three files
GTECyberTrustGlobalRoot.crt
ComodoSecurityServicesCA.crt
and domain_com.crt

The last is afcourse the main certificate, but what is the CA? Tried
ComodoSecurityServicesCA.crt, but that gives me this message. Also had problems with apache because of this.

 

[tmonsen]

The ComodoSecurityServicesCA.crt should be the correct ca cert. What error are you getting when you put that in as the CA certificate?

 

[frodelau]

Fixed it!

Well, the problem was that I only copied the CA certificate. The right thing was to first copy the CA certificate, and then the root certificate in the same text area (CA). So it is solved

 

[illicious]

Hate to bring up old threads but just thought ide share.

I was in desparate search for the anawer to the "Warning: The CA certificate does not sign the certificate." message problem.

Restarting/rebooting serveral times and i tried ignoring it and waiting it out for a few days so i read somewhere that i might need a root certificate of some sort from my SSL cert provider.

They only sent me the intermediate CA cert and not the root i assume.
Luckily they had a root and intermediate .cer bundle (https://certificates.godaddy.com/Repository.go) which worked fine with my issued www.mydomain.com.crt.

Also, i forgot to log back into mydomain.com's setup in plesk and change the defualt plesk certificate to the exclusive cert i added.

I guess Plesk requires the intermediate and root CA certificates in a bundle for it to work properly and after youve added your cert for your domain dont forget to select the assigned certificate for your domain in the setup section in the lil drop down list.

 

[truthmonkey42]

Verisign doesn't supply a bundle - I pasted the three 'intermediate' certificates into the CA Certificate text box, and it worked... here's what I used (for a Verisign cert)

--T42

-----BEGIN CERTIFICATE-----
MIIEpjCCA46gAwIBAgIQEOd26KZabjd+BQMG1Dwl6jANBgkqhkiG9w0BAQUFADCB
lzELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAlVUMRcwFQYDVQQHEw5TYWx0IExha2Ug
Q2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMSEwHwYDVQQLExho
dHRwOi8vd3d3LnVzZXJ0cnVzdC5jb20xHzAdBgNVBAMTFlVUTi1VU0VSRmlyc3Qt
SGFyZHdhcmUwHhcNMDYwNDEwMDAwMDAwWhcNMjAwNTMwMTA0ODM4WjBiMQswCQYD
VQQGEwJVUzEhMB8GA1UEChMYTmV0d29yayBTb2x1dGlvbnMgTC5MLkMuMTAwLgYD
VQQDEydOZXR3b3JrIFNvbHV0aW9ucyBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwggEi
MA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDD3TbMg8MYVbCW2RMl0yaGSDi7
Fn/xnyn2/QPx7U0mmlbwtRoazebMhVVApLXQDcoi7z0jxn5szLyh6XxQRuC9FK1l
EsILEWlSCgeSH3NvwbrXYvDOAC40pcjmLw/sDepEYXVo5eTcgDZP2nhdUyWUlPVP
Ljpgbwym2bP2Ki4DEtUmQgdRsmRXcdwhHInHaaPm+8J7bu8Mh/tQZOhOS+/ncZuD
Y2HJMo2M7BSn5ImtPysmZOSFQvKJUOE6vhXjRSXiWsuMP+AzHjUJWoTqfl2h9ZGA
CigGt8sxQSVhiwHpVqL2Pl8v88RD9hmUdYNMoYJCOsa6xAkwpuF1AlG5XmSLAgMB
AAGjggEgMIIBHDAfBgNVHSMEGDAWgBShcl8mGyiYQ5VdBzfVhZadS9LDRTAdBgNV
HQ4EFgQUPEHijwgIqUwliY1txTjQ/IWMYhcwDgYDVR0PAQH/BAQDAgEGMBIGA1Ud
EwEB/wQIMAYBAf8CAQAwGQYDVR0gBBIwEDAOBgwrBgEEAYYOAQIBAwEwRAYDVR0f
BD0wOzA5oDegNYYzaHR0cDovL2NybC51c2VydHJ1c3QuY29tL1VUTi1VU0VSRmly
c3QtSGFyZHdhcmUuY3JsMFUGCCsGAQUFBwEBBEkwRzBFBggrBgEFBQcwAoY5aHR0
cDovL3d3dy51c2VydHJ1c3QuY29tL2NhY2VydHMvVVROQWRkVHJ1c3RTZXJ2ZXJf
Q0EuY3J0MA0GCSqGSIb3DQEBBQUAA4IBAQBoq/zvgGsYsrCzo0WJy1PFouavCKn9
/w9JrP/kn9dBfKPFouiq4FchLcOqfAxMKAt59O5MMq15Dn6iXjQYT99U8b1ofOPT
10ZebWTC922IgnMM75mF6qnvMkrwg59zkQykPisxUaZijxWE+aY6EjA/2m74zMcZ
kg9c9P4X8ZUIR1IsUI/om6XurnAziZGC/jCqdnZZ12wY0ysSWx0oHXhx9s02oukH
SEQ751duggqtxYrd6FO0ca8T0gadN21TP4o1CPr+ohbmuW9cVjnWxqrvGWfOE8W4
lQX7CkTJn6lAJUsyEa8H/gjVQnHp4VOLFR/dKgeVcCRvZF7Tt5AuiyHY
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIEPDCCAySgAwIBAgIQSEus8arH1xND0aJ0NUmXJTANBgkqhkiG9w0BAQUFADBv
MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk
ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF
eHRlcm5hbCBDQSBSb290MB4XDTA1MDYwNzA4MDkxMFoXDTIwMDUzMDEwNDgzOFow
gZcxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJVVDEXMBUGA1UEBxMOU2FsdCBMYWtl
IENpdHkxHjAcBgNVBAoTFVRoZSBVU0VSVFJVU1QgTmV0d29yazEhMB8GA1UECxMY
aHR0cDovL3d3dy51c2VydHJ1c3QuY29tMR8wHQYDVQQDExZVVE4tVVNFUkZpcnN0
LUhhcmR3YXJlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAsffDOD+0
qH/POYJRZ9Btn9L/WPPnnyvsDYlUmbk4mRb34CF5SMK7YXQSlh08anLVPBBnOjnt
KxPNZuuVCTOkbJex6MbswXV5nEZejavQav25KlUXEFSzGfCa9vGxXbanbfvgcRdr
ooj7AN/+GjF3DJoBerEy4ysBBzhuw6VeI7xFm3tQwckwj9vlK3rTW/szQB6g1ZgX
vIuHw4nTXaCOsqqq9o5piAbF+okh8widaS4JM5spDUYPjMxJNLBpUb35Bs1orWZM
vD6sYb0KiA7I3z3ufARMnQpea5HW7sftKI2rTYeJc9BupNAeFosU4XZEA39jrOTN
SZzFkvSrMqFIWwIDAQABo4GqMIGnMB8GA1UdIwQYMBaAFK29mHo0tCb3+sQmVO8D
veAky1QaMB0GA1UdDgQWBBShcl8mGyiYQ5VdBzfVhZadS9LDRTAOBgNVHQ8BAf8E
BAMCAQYwDwYDVR0TAQH/BAUwAwEB/zBEBgNVHR8EPTA7MDmgN6A1hjNodHRwOi8v
Y3JsLnVzZXJ0cnVzdC5jb20vQWRkVHJ1c3RFeHRlcm5hbENBUm9vdC5jcmwwDQYJ
KoZIhvcNAQEFBQADggEBADzse+Cuow6WbTDXhcbSaFtFWoKmNA+wyZIjXhFtCBGy
dAkjOjUlc1heyrl8KPpH7PmgA1hQtlPvjNs55Gfp2MooRtSn4PU4dfjny1y/HRE8
akCbLURW0/f/BSgyDBXIZEWT6CEkjy3aeoR7T8/NsiV8dxDTlNEEkaglHAkiD31E
NREU768A/l7qX46w2ZJZuvwTlqAYAVbO2vYoC7Gv3VxPXLLzj1pxz+0YrWOIHY6V
9+qV5x+tkLiECEeFfyIvGh1IMNZMCNg3GWcyK+tc0LL8blefBDVekAB+EcfeEyrN
pG1FJseIVqDwavfY5/wnfmcI0L36tsNhAgFlubgvz1o=
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs
IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290
MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux
FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h
bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v
dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt
H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9
uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX
mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX
a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN
E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0
WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD
VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0
Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU
cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx
IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN
AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH
YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5
6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC
Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX
c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a
mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ=
-----END CERTIFICATE-----

 

[freemenow101]

Recreate the SSL certificate

Here's how we solved this problem: We recreated the certificate by going to the "server", the click on "certificates" and then create the certificate. From here you can click on IP addresses link update it to use the new certificate that was created. Initially I created the certificate under the domain settings. I found out that this sometimes create a problem. Hope this helps.

 

[Will Bradley]

Verisign doesn't supply a bundle - I pasted the three 'intermediate' certificates into the CA Certificate text box, and it worked... here's what I used (for a Verisign cert)

Wow you're a genius and I'm pissed that Plesk doesn't make this approach more obvious.

I copied and pasted the contents of the three CA certificates into a text file like you demonstrated and it worked perfectly.

Be right back, it's coffee break time.

 

[thewolf]

Please click one of the Quick Reply icons in the posts above to activate Quick Reply.

 

[thewolf]

VeriSign has an article about this Plesk warning:
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=SO6799

Unfortunately I cannot find the root certificate for Plesk for Linux on their site, any ideas?

Thanks.

 

[ShirleyT]

Root Cert

I was running into the same problem.

I don't know if you're still looking for the solution but I thought I would leave some notes here.

I got the root certificate here:
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=SO4785

Chatting with VeriSign's realtime support they advised that I needed the plain text for the certificate instead of a .cer file. I first downloaded the file with Firefox but couldn't open the file, so support suggested downloading the file with IE. After downloading the file via IE, I was able to double click on the file and opened it. It opened in a small window like the "About" window in IE. I then clicked on the "Details" tab, clicked the "Copy to File" button, selected "Base-64 encoded X.509 (.CER)" option, and saved the file as a .txt file. At this point I was able to copy and paste the root certificate right below the CA certificate and installed it onto the web server.

 

[RustBucket77]

truthmonkey42's answer worked for me (network solutions cert)