Sectigo SSL Certificates on Windows IIS – Incorrect Certificate Chain

Overview

Some customers using Sectigo SSL Certificates on Windows IIS may experience SSL/TLS errors on certain devices, even though the certificate appears valid in modern browsers.

ℹ️ Key point
This issue is caused by how Windows builds the certificate chain that IIS serves, not by a problem with the certificate itself.


Symptoms

You may be affected if:

  • Your site works in modern browsers but fails on:
    • Older Android devices
    • Legacy Java applications
    • Embedded or IoT systems
  • SSL test tools show an unexpected or incomplete certificate chain
  • Problems appear after:
    • Renewing an SSL certificate
    • Applying Windows updates
    • Restarting the server

⚠️ Common sign
The certificate looks valid in Chrome or Edge, but fails on older or specialised systems.


Why This Happens

Windows builds the SSL certificate chain for IIS using certificates in the Windows certificate store.

When more than one valid chain exists, Windows always chooses the shortest chain, even if a longer chain would be trusted by more devices.

ℹ️ Important
Shorter chains are efficient for Windows clients, but are not always suitable for public-facing servers.


The Sectigo Certificate Chain Issue

Sectigo® provides two valid trust paths for the Public Server Authentication Root R46:

  • Short chain (chosen by Windows)
    Uses the newer, self-signed Sectigo® root

  • Long chain (recommended for compatibility)
    Uses a cross-signed root issued by USERTrust RSA Certification Authority

The USERTrust RSA root has been trusted globally since 2000 and is widely recognised by older systems.

⚠️ Default behaviour
Windows IIS will always select the short chain unless explicitly prevented from doing so.
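The quickest way to confirm which of the two trust paths your server is on is to ask Windows to build the chain for the site certificate itself, since the path the Windows chain engine picks is the path Schannel will hand to IIS clients. The script below is an added example (not from this article): it builds the chain for the certificate in the Local Machine personal store whose subject matches a placeholder hostname, prints each element, and reports whether the anchor is the self-signed Sectigo R46 root (short chain) or whether the path runs through the USERTrust RSA Certification Authority (long chain). Run it in an elevated PowerShell session on the IIS server; the hostname and the `Get-WindowsBuiltChain` function name are assumptions for this example.

```powershell
# Added example, not from the original article. Shows the chain Windows builds for a
# server certificate in Cert:\LocalMachine\My and classifies it as the short
# (self-signed Sectigo R46) or long (via USERTrust RSA) path.
$SiteHost = 'www.example.com'   # PLACEHOLDER: substring of your site certificate's subject

function Get-WindowsBuiltChain {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation state does not influence path selection and may need network access.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $null = $chain.Build($Certificate)   # ChainElements are populated even if Build() returns $false

    $elements = foreach ($el in $chain.ChainElements) {
        [pscustomobject]@{
            Subject    = $el.Certificate.Subject
            Issuer     = $el.Certificate.Issuer
            SelfSigned = ($el.Certificate.Subject -eq $el.Certificate.Issuer)
            Status     = (($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ',')
        }
    }
    $chain.Reset()
    $elements
}

# Pick the newest certificate with a private key whose subject matches the placeholder host.
$siteCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -like "*$SiteHost*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $siteCert) {
    throw "No certificate with a private key matching '$SiteHost' found in Cert:\LocalMachine\My"
}

$path = @(Get-WindowsBuiltChain -Certificate $siteCert)
$path | Format-Table -AutoSize

# The last element is the trust anchor Windows selected for this path.
$anchor = $path[-1]
if ($anchor.SelfSigned -and $anchor.Subject -like '*Sectigo Public Server Authentication Root R46*') {
    Write-Warning 'Short chain: anchored on the self-signed Sectigo R46 root; older clients may fail.'
} elseif ($path.Issuer -like '*USERTrust RSA Certification Authority*') {
    Write-Host 'Long chain: R46 is reached via the USERTrust RSA Certification Authority.'
} else {
    Write-Host 'Chain does not involve Sectigo R46; this article does not apply to this certificate.'
}
```

Run it once before the fix (expect the short-chain warning) and again after restarting IIS (expect the long-chain message); the `Status` column shows any chain errors Windows recorded for an element, which is useful if the result is neither path.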


Recommended Fix

To ensure maximum compatibility, Windows must be prevented from using the shorter chain so that IIS serves the longer, more widely trusted chain.

This is done by:

  1. Removing the self-signed Sectigo® R46 certificate from trusted certificate stores
  2. Adding the same certificate to the Untrusted Certificates store

Good to know
This does not destroy the certificate — it remains on the system in the Untrusted store; Windows simply stops using it when building the SSL chain.


Step-by-Step (Windows GUI)

1. Open the Certificate Manager

  • Press Win + R
  • Enter: certmgr.msc

2. Find the Sectigo® R46 Certificate

Check both locations:

  • Trusted Root Certification Authorities → Certificates
  • Intermediate Certification Authorities → Certificates

Look for:

Sectigo® Public Server Authentication Root R46


3. Remove from Trusted Stores

If found in either location:

  • Right-click the certificate
  • Select Delete
  • Confirm the removal

⚠️ Important
Make sure the certificate is removed from both trusted locations if it appears in both.


4. Add the Certificate to Untrusted

  • Go to Untrusted Certificates → Certificates
  • Right-click and choose All Tasks → Import
  • Import the same Sectigo® R46 certificate
  • Complete the wizard

Result
Windows can no longer select the short chain and will automatically use the compatible chain instead.


5. Restart IIS

Restart IIS so the new certificate chain is applied.
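Steps 2 to 5 can also be scripted, which is handier when several IIS servers need the same treatment. The script below is an added example (not from this article): it finds the self-signed "Sectigo Public Server Authentication Root R46" in the Local Machine Trusted Root (`Root`) and Intermediate (`CA`) stores, adds it to the Untrusted Certificates store (`Disallowed`), removes it from the trusted stores, verifies the result, and restarts IIS. It deliberately leaves the cross-signed R46 (issued by USERTrust) alone, because that certificate is what forms the long chain. It assumes the Local Machine stores, which IIS uses as a service; the function names are assumptions for this example. Run it in an elevated PowerShell session.

```powershell
# Added example, not from the original article. Scripted equivalent of the GUI steps:
# move the self-signed Sectigo R46 root from Root/CA to Disallowed, then restart IIS.
$R46Subject = 'Sectigo Public Server Authentication Root R46'

function Get-SelfSignedR46 {
    # Only the self-signed copy (Subject equals Issuer) is returned; the cross-signed
    # R46 issued by USERTrust RSA Certification Authority must stay where it is.
    foreach ($storeName in 'Root', 'CA') {
        Get-ChildItem "Cert:\LocalMachine\$storeName" |
            Where-Object { $_.Subject -like "*CN=$R46Subject*" -and $_.Subject -eq $_.Issuer } |
            ForEach-Object { [pscustomobject]@{ Store = $storeName; Certificate = $_ } }
    }
}

function Move-CertificateToDisallowed {
    param(
        [Parameter(Mandatory)][string]$FromStore,
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $machine = [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine
    $rw      = [System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite

    # Add to Disallowed first (Add is a no-op if already present) so the certificate
    # is never missing from every store part-way through.
    $disallowed = New-Object System.Security.Cryptography.X509Certificates.X509Store('Disallowed', $machine)
    $disallowed.Open($rw)
    $disallowed.Add($Certificate)
    $disallowed.Close()

    $source = New-Object System.Security.Cryptography.X509Certificates.X509Store($FromStore, $machine)
    $source.Open($rw)
    $source.Remove($Certificate)   # no error if it is not there
    $source.Close()
}

$found = @(Get-SelfSignedR46)
if ($found.Count -eq 0) {
    Write-Host "Self-signed '$R46Subject' is not in Root or CA; nothing to move."
} else {
    foreach ($item in $found) {
        Write-Host "Moving $($item.Certificate.Thumbprint) from $($item.Store) to Disallowed"
        Move-CertificateToDisallowed -FromStore $item.Store -Certificate $item.Certificate
    }

    # Verify: present in Disallowed, absent from both trusted stores.
    $inDisallowed = Get-ChildItem Cert:\LocalMachine\Disallowed |
        Where-Object { $_.Subject -like "*CN=$R46Subject*" -and $_.Subject -eq $_.Issuer }
    if (-not $inDisallowed -or @(Get-SelfSignedR46).Count -gt 0) {
        throw 'Move did not complete; inspect the stores manually before restarting IIS.'
    }

    # Step 5: restart IIS so Schannel rebuilds the chain it serves.
    iisreset
}
```

The matching is done on the subject name plus the self-signed test rather than on a thumbprint, so the script keeps working if Sectigo reissues the root with new validity dates; `X509Store.Add` and `Remove` are both idempotent, so the script can be re-run safely on a server that has already been fixed.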


After Applying the Fix

Once complete:

  • IIS will automatically serve the USERTrust RSA certificate chain
  • Compatibility with older devices and applications is restored
  • No changes are required to the SSL certificate itself

Expected outcome
Devices that previously failed to connect should now establish secure connections successfully.


Important Notes

⚠️ Server-wide impact
This change affects all SSL/TLS services on the server, not just IIS.

Most customers see improved compatibility across all services, but you should always test:

  • Websites
  • APIs
  • Mail services
  • Any custom TLS-dependent applications