Tags: ssl, iis, certificate, ssl-certificate, self-signed

SSL chain of certification not working for a self signed certificate


A customer has given us 3 certificates, which were installed on a Windows server in the following order and stores:

  1. Issued by Verisign, for Symantec (certificate only, installed as intermediate)
  2. Issued by Symantec, for CompanyX (certificate only, installed as intermediate)
  3. Issued by CompanyX, for CompanyX (certificate and key, installed as Personal)

In mmc, when I inspect #2, I can see the chain as:

Verisign (root) -> Verisign (intermediate) --> Symantec (intermediate)

When inspecting #3 (the self-signed certificate), there is no chain. There's only CompanyX.

Seems like Windows is failing to establish the chain between the last intermediate and the self-signed certificate, so when clients connect to the web server, they see a self-signed or untrusted certificate warning, presumably because the server is not publishing the intermediate certificates.

I've already verified that common names match exactly, and repeated the installation procedures a few times. Did I do something wrong installing the certificates? Am I missing something?


Solution

  • Just for the record and possible future searches, here's how I solved it:

    Since both #3 and #2 have the same subject (and public key), and I had the private key for #3 but not #2, I wanted to try the #3 private key on the #2 certificate, so:

    1. Extract the key from #3 with openssl pkcs12 -in Cert3.pfx -nocerts -nodes -out Cert3.key. Here Cert3.pfx is the #3 certificate with its key; the command writes a new Cert3.key file containing only the (unencrypted) private key.

    2. Merge the #2 certificate with the extracted key with openssl pkcs12 -export -out 'NewCert2.pfx' -inkey Cert3.key -in Cert2.cer. Here Cert2.cer is #2 without a key; the command creates NewCert2.pfx with the #2 certificate and the #3 key merged.

    3. Deleted #3 from the Personal store and deleted #2 from the Intermediate store.

    4. Imported the new merged #2 into Personal store.

    5. Updated IIS bindings for the new certificate.

    The result is using #2 as SSL certificate, already tested with SSL-Checker and everything is working fine.
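The reason the procedure above works is worth making explicit: #3 is self-signed (its issuer is its own subject), so no chain to the Verisign/Symantec intermediates can ever be built from it, whatever the CN says; #2 is the CA-issued certificate for the same key pair, so the private key shipped with #3 is also the private key for #2. The script below is an added example, not code from the original question or answer. It rebuilds that situation in a scratch directory with a throwaway CA standing in for the Symantec intermediate (all names, files and the "demo" PFX password are made up here), then shows the checks a practitioner would run before swapping the key onto the issued certificate: compare public-key fingerprints rather than subject names, confirm which certificate is self-signed, confirm the issued one actually verifies against the intermediate, and build the PFX with -certfile so the intermediate travels with it.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce "one key, two certificates"
# and the checks to run before pairing the key with the CA-issued certificate.
# All names (CompanyX, Demo Intermediate CA, companyx.key, pass:demo) are made up.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required" >&2; exit 1; }

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# #3: CompanyX's key pair and the self-signed certificate shipped with it.
openssl req -x509 -newkey rsa:2048 -nodes -keyout companyx.key \
  -out cert3_selfsigned.pem -subj "/CN=www.companyx.example" -days 30 >/dev/null 2>&1

# Stand-in for the public intermediate CA (the post's Symantec certificate).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj "/CN=Demo Intermediate CA" -days 30 >/dev/null 2>&1

# #2: the CA issues a certificate for the SAME key, from a CSR signed with companyx.key.
openssl req -new -key companyx.key -out companyx.csr -subj "/CN=www.companyx.example" 2>/dev/null
openssl x509 -req -in companyx.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
  -out cert2_issued.pem -days 30 >/dev/null 2>&1

# SHA-256 of the DER-encoded public key held in a certificate or a private-key file.
# Equal values mean the same key pair, regardless of what the subject says.
pubkey_id() {
  if [ "${1##*.}" = "key" ]; then
    openssl pkey -in "$1" -pubout -outform DER
  else
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER
  fi | openssl dgst -sha256 | awk '{print $NF}'
}

# Self-signed: issuer name equals subject name. Such a certificate cannot chain to a CA.
is_self_signed() {
  [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
    "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Does this private key belong to this certificate?
key_matches_cert() { [ "$(pubkey_id "$1")" = "$(pubkey_id "$2")" ]; }

# Would a client that trusts the intermediate accept this certificate?
chain_ok() { openssl verify -CAfile ca.pem "$1" >/dev/null 2>&1; }

# The answer's step 2, plus -certfile so the PFX carries the intermediate for IIS to send.
# Prints the public-key id of the certificate read back out of the PFX.
build_pfx() {
  openssl pkcs12 -export -inkey companyx.key -in cert2_issued.pem \
    -certfile ca.pem -passout pass:demo -out newcert2.pfx
  openssl pkcs12 -in newcert2.pfx -passin pass:demo -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -pubkey | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Demo run: the key shipped with #3 is also the key for #2, so #2 is the one to serve.
key_matches_cert companyx.key cert2_issued.pem && echo "companyx.key matches cert2_issued.pem"
is_self_signed cert3_selfsigned.pem && echo "cert3_selfsigned.pem is self-signed: no chain possible"
chain_ok cert2_issued.pem && echo "cert2_issued.pem verifies against the intermediate"
[ "$(build_pfx)" = "$(pubkey_id companyx.key)" ] && echo "newcert2.pfx holds the issued cert with the right key"
```

The fingerprint comparison is the check to run on the real files before step 2 of the answer (openssl x509 -pubkey on Cert2.cer against openssl pkey -pubout on Cert3.key): if they differ, the key does not belong to #2 and the merged PFX will not work. Once the PFX is built, delete the unencrypted .key file that -nodes left behind.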