Problem
I've created a certificate through AD certificate services, but it has the error "The issuer of this certificate could not be found."
despite the full chain being present in the PFX.
Context
I've created a code signing certificate from our org's AD Certificate Services server, using the standard code signing
template, and exporting the created cert (with exportable private key).
We're having issues using this certificate to sign code, despite our root cert being trusted on all corporate devices.
On investigation, if I convert the PFX to a PEM (with file extension .CER
) and open it in a text editor I can see client, intermediate, and root certs listed in the PEM file.
However, if I double click this CER file (i.e. to open it in crypto shell extensions
), the certificate path tab only shows the client cert & shows certificate status as "The issuer of this certificate could not be found."
.
Looking at the client's issuer it correctly names the intermediate certificate.
If I copy the intermediate and root certificates from the PEM file into their own, save that as a .CER and open it then the intermediate and root certificates are correctly listed. The issuer
of the client exactly matches the issued to
of the intermediate; and the issuer
of the client exactly matches the subject name
of the intermediate.
To convert PFX to PEM I'm using openssl.exe pkcs12 -in "mycert.pfx" -out "mycert.cer" -nokeys -passin "pass:mypassword"
The Crypto Shell extension only shows the 1st certificate in the file. The other intermediate CA certificates in the chain need to be accessible to the verifier (the computer where you're checking this) either from the repository or installed in the Intermediate Certification Authorities store on the computer where you're running the Crypto Shell extension.
Within the end-entity certificate issued by a Microsoft CA you should see the Authority Information Access extension, which should contain the URL where the issuer is available to download. When available, the Crypto Shell extensions can download the intermediate CA certificate from this URL and save your confusion.
Alternatively, for the purpose of testing, you could install the intermediate CA certificate in the Intermediate Certification Authorities store of the computer where you're running the Crypto Shell extension.
Note that you do not need to install the intermediate CA certificates in all the Intermediate Certification Authorities stores of all your computers (as you do for your root CA cert) as in real-world use the intermediate CA certificates should be presented by the end-entity to the relying parties as part of the protocol. For example, when a TLS certificate used by a web server (e.g. IIS) for HTTPS, the server should send its certificate along with all intermediate CA certificates (with the root being optional). Similarly, a package that is signed by a code signing certificate should include all certificates other than the root CA cert (the latter being optional again).
So, there's nothing wrong with your certificates - the Crypto Shell extension simply can't find the intermediate CA certificates.