If you have renewed a Thawte SSL certificate or purchased a new one since 26th July 2010, you may encounter SSL certificate trust errors when clients connect to published websites such as Outlook Web Access.
Web browsers will return an error such as:
The security certificate issued by this website was not issued by a trusted certificate authority
On inspection of the certificate being issued by the website you may see this error:
The issuer of this certificate could not be found
This can be confusing for anyone who assumes that a certificate issued by a commercial CA such as Thawte will automatically be trusted by the devices and web browsers people connect from, especially when the error appears right after renewing an existing Thawte SSL certificate.
Thawte has published the reason for this:
On June 27 2010, in the interest of better security, thawte signed all certificates with a primary and secondary intermediate that need to be installed along with the SSL certificate. Any certificate issued on or after this date requires the primary and secondary intermediate to be installed.
The new certificates are issued by an intermediate CA called “Thawte SSL CA”. Browsers and devices trust Thawte’s root certificate, but they do not ship with this intermediate, so unless the web server sends the intermediate along with the site certificate the client cannot build a chain from the site certificate back to a trusted root and reports that the issuer could not be found. Thawte provides instructions for installing the intermediate certificates on the web server or ISA Server that is publishing the website.
Take note of the final steps; the change may not take effect until IIS or ISA Server has been restarted.
If your site still has the chaining error, restart the IIS service. If the problem continues, the whole server needs a reboot to use the new roots.
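The following script is an added example, not part of the original post or of Thawte’s instructions. It builds a throwaway three-tier PKI (a self-signed root, an intermediate signed by it, and a server certificate signed by the intermediate) with the openssl command-line tool, then validates the server certificate the way a client does: trusting only the root. All names in it (Example Root CA, Example Intermediate CA, mail.example.com) are made up. It reproduces the failure described above (the root is trusted, yet the leaf cannot be verified because the issuer is missing) and shows that supplying the intermediate fixes it.

```shell
#!/bin/sh
# Added example (not from the original post): a throwaway root -> intermediate
# -> server-certificate hierarchy that reproduces the "issuer could not be
# found" condition. All names are made up; this is not Thawte's hierarchy.
# Requires the openssl CLI.
set -eu

# Build root, intermediate and leaf certificates into the directory $1.
build_pki() {
  d="$1"
  mkdir -p "$d"

  # Extensions: the two CA certificates may sign certificates, the leaf may not.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:mail.example.com\n' >"$d/leaf.ext"

  for n in root inter leaf; do
    openssl ecparam -genkey -name prime256v1 -noout -out "$d/$n.key"
  done

  # Self-signed root: the only thing a client trust store would contain.
  openssl req -new -key "$d/root.key" -subj "/CN=Example Root CA" -out "$d/root.csr"
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 30 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null

  # Intermediate signed by the root; clients do NOT have this one.
  openssl req -new -key "$d/inter.key" -subj "/CN=Example Intermediate CA" -out "$d/inter.csr"
  openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
    -days 30 -extfile "$d/ca.ext" -out "$d/inter.pem" 2>/dev/null

  # Server certificate issued by the intermediate, as the CA issues them now.
  openssl req -new -key "$d/leaf.key" -subj "/CN=mail.example.com" -out "$d/leaf.csr"
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" -CAcreateserial \
    -days 30 -extfile "$d/leaf.ext" -out "$d/leaf.pem" 2>/dev/null
}

# Validate the leaf as a client would, trusting only $1/root.pem.
# $2 = "with" adds the intermediate as an untrusted chain certificate (what a
# correctly configured server sends); "without" omits it. Prints OK or FAIL.
verify_leaf() {
  d="$1"
  if [ "$2" = "with" ]; then
    out=$(openssl verify -CAfile "$d/root.pem" -untrusted "$d/inter.pem" "$d/leaf.pem" 2>&1) \
      && echo OK || echo "FAIL: $out"
  else
    out=$(openssl verify -CAfile "$d/root.pem" "$d/leaf.pem" 2>&1) \
      && echo OK || echo "FAIL: $out"
  fi
}

# Stand-alone demo: the root alone is not enough to validate the leaf.
work=$(mktemp -d)
build_pki "$work"
echo "root trusted, intermediate missing:  $(verify_leaf "$work" without)"
echo "root trusted, intermediate supplied: $(verify_leaf "$work" with)"
rm -rf "$work"
```

The first check fails with an "unable to get local issuer certificate" style error even though the root is trusted, which is exactly the chain-building failure behind “The issuer of this certificate could not be found”; the second succeeds because the intermediate is available. Against a real server the equivalent check is `openssl s_client -connect host:443 -showcerts`: if only one certificate is printed and the verify result says the first certificate could not be verified, the server is not sending its intermediate. On Windows the fix is to put the intermediate in the machine’s Intermediate Certification Authorities store (for example `certutil -addstore CA intermediate.cer`) and then restart IIS or ISA Server, as the instructions above say.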
This is also a big issue if you have a Thawte SSL CA cert in use for mobile devices via ActiveSync; at least most of the Android platforms/devices we’ve used (including 4.1.x and maybe 4.2) don’t include the Thawte SSL CA, and seem not to trust it even though they do trust the Thawte Root CA. So we have had to use our MDM application to push the intermediate CA to the device; otherwise we would get “peer certificate” errors with TouchDown and even the native mail clients (unless we turn on the “ignore SSL errors” option, which is clearly NOT a good idea).
This post got me most of the way; however, in an IIS environment I found that I had to give the W3 Publishing Service access to both the Thawte cert and the intermediate CAs.