How to add a cross-sign certificate to the chain on Windows platform (IIS)
Overview
By the end of this article, you will be able to install a cross-sign certificate on a Windows server, remove the self-signed Sectigo Public Server Authentication Root R46/E46, and bind your SSL certificate in Microsoft Internet Information Services (IIS) so the certificate chain is complete and trusted by most browsers. The article first explains what a cross-sign certificate is, then walks through six actions: importing the cross-sign intermediate certificate, removing or disabling the self-signed root, exporting your SSL leaf certificate as a Personal Information Exchange (PFX) file, importing and binding the certificate in IIS, restarting IIS, and verifying the chain. It covers both the RSA (Rivest–Shamir–Adleman) and ECC (Elliptic Curve Cryptography) intermediate certificates, and refers to a certificate’s Common Name (CN) when identifying which certificate to act on.
What is a cross-sign certificate?
A cross-sign certificate is a certificate in which one root certificate is used to sign another, so a newer root can be trusted through an older, more widely distributed one. Certificate Authorities (CAs) often control multiple root certificates, and generally the older the root, the more widely it is distributed on older platforms. CAs issue cross-sign certificates so their certificates are trusted as widely as possible, including on legacy devices that may not yet recognize a new root.
Prerequisites
- Administrator access to the Windows server.
- The issued SSL certificate and its private key available on the server.
- The correct Sectigo cross-sign intermediate certificate downloaded: the RSA intermediate (Sectigo R46) or the ECC intermediate (Sectigo E46).
- Access to the Certificate Manager snap-ins (certlm.msc and certmgr.msc) and to IIS Manager.
Steps to add the cross-sign certificate
Step 1 — Import the cross-sign intermediate certificate
This step adds the correct cross-sign intermediate certificate to the Intermediate Certification Authorities store so Windows can build a complete chain. First download the correct intermediate for your certificate type: the RSA intermediate (Sectigo R46) or the ECC intermediate (Sectigo E46).
- Press Win + R, type certlm.msc, and press Enter to open the Certificate Manager for the local machine.
Fig 1: Certificate Manager (certlm.msc) showing the local machine certificate stores.
- Navigate to Intermediate Certification Authorities → Certificates.
Fig 2: Intermediate Certification Authorities store expanded in Certificate Manager.
- Right-click Certificates and choose All Tasks → Import.
Fig 3: Context menu showing “All Tasks → Import” option in Certificate Manager.
- In the Certificate Import Wizard, click Next, click Browse, and select the downloaded intermediate certificate.
- Choose Place all certificates in the following store, confirm Intermediate Certification Authorities is selected, and click Finish.
After importing, the certificate appears under Intermediate Certification Authorities → Certificates.
Fig 4: Certificate successfully imported into the Intermediate Certification Authorities store.
Step 2 — Remove or disable the self-signed Root R46/E46 certificate
This step removes (or disables) the self-signed Sectigo Public Server Authentication Root R46/E46, if present, so the server uses the cross-signed chain instead of the self-signed root. Use the screenshots below to identify the self-signed R46 and E46 certificates.
Fig 5: Certificate Manager showing the self-signed “Sectigo Public Server Authentication Root R46” certificate in the Trusted Root Certification Authorities store.
Fig 6: Certificate Manager showing the self-signed “Sectigo Public Server Authentication Root E46” certificate in the Trusted Root Certification Authorities store.
To remove the self-signed certificate:
- Open the Certificate Manager (certlm.msc).
- Navigate to Trusted Root Certification Authorities → Certificates.
- Locate Sectigo Public Server Authentication Root R46 and/or Sectigo Public Server Authentication Root E46.
Fig 7: Trusted Root Certification Authorities store displaying Sectigo root certificates.
- Right-click the certificate, select Delete, and confirm when prompted.
Fig 8: Certificate context menu showing the Delete option.
Alternatively, instead of deleting the self-signed root, disable it:
- Open certlm.msc.
- Navigate to Trusted Root Certification Authorities → Certificates.
- Right-click the certificate and select Properties.
- Select Disable all purposes for this certificate.
- Restart the server, then verify whether the certificate chain error is resolved.
Fig 9: Certificate Properties window with “Disable all purposes for this certificate” selected.
Step 3 — Export the SSL leaf certificate as a PFX file
This step exports your SSL certificate (also called the domain or leaf certificate) together with its private key as a Personal Information Exchange (PFX) file, which is required to import the certificate into IIS.
- Open the Certificate Manager that holds the certificate and its private key (certmgr.msc or certlm.msc).
- Go to Personal → Certificates.
- Find your issued certificate (usually named after your domain), right-click it, and select All Tasks → Export.
- In the Certificate Export Wizard, choose Yes, export the private key, then select the PFX format.
- Enable Include all certificates in the certification path, Export all extended properties, and Enable certificate privacy.
- Set a secure password when prompted.
- Click Browse, choose a directory, name the file, and save the .pfx file to a secure location.
For more detail, see the related article “Exporting the certificate as a PFX file from Windows.”
Step 4 — Import and bind the certificate in IIS
This step imports the PFX file into Internet Information Services (IIS) and binds the certificate to your website.
- Open IIS Manager and select your server’s name in the left panel.
- Double-click Server Certificates.
Fig 10: IIS Manager homepage with Server Certificates option highlighted.
- In the Actions pane, click Import, choose the .pfx file, enter the password, and click OK.
Fig 11: Server Certificates view in IIS Manager showing certificate management options.
Fig 12: Import Certificate dialog in IIS showing PFX file selection and password entry.
- Expand Sites and select your website.
- Click Bindings in the right panel, then click Add (or select an existing binding and click Edit).
Fig 13: IIS Manager Server Certificates view with the Import action selected in the Actions pane.
- Set Type to https, set IP Address to All Unassigned or a specific IP address, and set Port to 443.
- Under SSL Certificate, choose the friendly name of your certificate.
- Click OK to bind the SSL certificate.
Fig 14: Site Bindings dialog in IIS Manager with Type set to https and Port set to 443.
Step 5 — Restart IIS (optional)
This optional step applies the binding changes immediately; otherwise they apply on the next IIS restart.
- Open Command Prompt as an administrator.
- Run iisreset to restart IIS and apply the binding changes immediately.
Alternatively, restart IIS from the Services console.
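Steps 1 to 5 can also be scripted from an elevated PowerShell session. The script below is an added example, not part of the original article; the file paths, site name and Common Name are placeholders, and it assumes the site has no https binding on port 443 yet.

```powershell
#Requires -RunAsAdministrator
# Added example. Values below are placeholders (assumptions); adjust before running.
$IntermediatePath = 'C:\certs\cross-sign-intermediate.crt'  # downloaded R46 or E46 cross-sign file
$LeafCN           = 'www.example.com'                       # CN of the issued certificate
$PfxPath          = 'C:\certs\www.example.com.pfx'
$SiteName         = 'Default Web Site'
$PfxPassword      = Read-Host -AsSecureString -Prompt 'PFX password'

# Step 1: import the cross-sign intermediate into Intermediate Certification Authorities ("CA" store).
Import-Certificate -FilePath $IntermediatePath -CertStoreLocation Cert:\LocalMachine\CA | Out-Null

# Step 2: select only the self-signed R46/E46 roots (Subject equals Issuer) in Trusted Root.
# -Confirm prompts for each certificate, like the Delete confirmation in certlm.msc.
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $_.Issuer -and
                   $_.Subject -match 'CN=Sectigo Public Server Authentication Root (R46|E46)' } |
    Remove-Item -Confirm

# Step 3: export the leaf with its private key and certification path as a PFX.
# Both the user store (certmgr.msc) and the machine store (certlm.msc) are searched.
$leaf = Get-ChildItem Cert:\CurrentUser\My, Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.GetNameInfo('SimpleName', $false) -eq $LeafCN } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $leaf) { throw "No certificate with a private key found for $LeafCN" }
Export-PfxCertificate -Cert $leaf -FilePath $PfxPath -Password $PfxPassword -ChainOption BuildChain |
    Out-Null   # the PFX contains the private key: keep it in a secure location

# Step 4: import the PFX into the machine Personal store and bind it to the site.
Import-PfxCertificate -FilePath $PfxPath -Password $PfxPassword -CertStoreLocation Cert:\LocalMachine\My |
    Out-Null
Import-Module WebAdministration
if (Get-WebBinding -Name $SiteName -Protocol https -Port 443) {
    throw 'An https binding on port 443 already exists; edit it in IIS Manager as in Step 4.'
}
New-WebBinding -Name $SiteName -Protocol https -Port 443 -IPAddress '*'   # '*' = All Unassigned
(Get-WebBinding -Name $SiteName -Protocol https -Port 443).AddSslCertificate($leaf.Thumbprint, 'My')

# Step 5 (optional): restart IIS so the binding change applies immediately.
iisreset
```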
How to verify the certificate chain
To confirm the chain is configured correctly, use an SSL checker tool such as the SSL Checker at https://www.sslshopper.com/ssl-checker.html. The tool verifies whether the complete certificate chain — including any intermediate or cross-sign certificates — is correctly installed and trusted. Adding the cross-sign certificate should re-establish trust on legacy devices that may not recognize new root certificates.
Fig 15: SSL Checker results showing a complete and trusted certificate chain.
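The chain can also be checked on the server itself before using an external checker. The following PowerShell is an added example, not part of the original article, and `$LeafCN` is a placeholder. It lists where R46/E46 certificates sit in the machine stores and whether each is self-signed or cross-signed, then prints the chain Windows builds for the leaf.

```powershell
# Added example. $LeafCN is a placeholder (assumption); set it to your certificate's CN.
$LeafCN  = 'www.example.com'
$pattern = 'CN=Sectigo Public Server Authentication Root (R46|E46)'

# 1. Inventory: the cross-sign copy belongs in "CA"; a self-signed copy in "Root" is what Step 2 removes.
Get-ChildItem Cert:\LocalMachine\CA, Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -match $pattern } |
    Select-Object @{ n = 'Store'; e = { ($_.PSParentPath -split '\\')[-1] } },
                  @{ n = 'Type';  e = { if ($_.Subject -eq $_.Issuer) { 'self-signed' } else { 'cross-signed' } } },
                  Subject, Issuer, Thumbprint |
    Format-List

# 2. Build the chain for the leaf using the machine context (same stores as certlm.msc).
$leaf = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.GetNameInfo('SimpleName', $false) -eq $LeafCN } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $leaf) { throw "No certificate with a private key found for $LeafCN" }

$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new($true)
$built = $chain.Build($leaf)
$certs = @($chain.ChainElements | ForEach-Object { $_.Certificate })

# Print the chain from leaf to top, one element per line.
$certs | ForEach-Object { '{0}  <-  issued by  {1}' -f $_.Subject, $_.Issuer }

# 3. Interpret the result.
$top = $certs[-1]
if (-not $built) {
    'Chain did not validate:'
    $chain.ChainStatus | ForEach-Object { '  {0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }
} elseif ($top.Subject -match $pattern -and $top.Subject -eq $top.Issuer) {
    'Chain still ends at the self-signed R46/E46 root; repeat Step 2.'
} else {
    'Chain passes through the cross-sign certificate and ends at: ' + $top.Subject
}
```

This reflects the trust stores of the server only; the external SSL checker still shows what clients actually receive from the site.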
Similar questions
- How do I install a Sectigo cross-sign certificate on Windows IIS?
- How do I remove the self-signed Sectigo Root R46 or E46 certificate?
- How do I fix an incomplete SSL certificate chain on a Windows server?
- How do I export an SSL certificate as a PFX file in Windows?