How to Add a Cross-Sign Certificate to the Chain on a Windows Platform (IIS)

 

Overview

 

By the end of this article, you will know how to add the cross-signed certificate ("CN=Sectigo Public Server Authentication Root R46/E46" signed by "Issuer=USERTrust RSA Certification Authority") on Windows, remove the self-signed certificate ("CN=Sectigo Public Server Authentication Root R46/E46", "Issuer=Sectigo Public Server Authentication Root R46/E46"), and properly bind your SSL certificate to a website using Microsoft IIS. This process ensures that your certificate chain is complete and trusted by most browsers.

 

What is a Cross-Sign Certificate?

 

CAs often control multiple root certificates, and generally the older the root, the more widely distributed it is on older platforms. To take advantage of this fact, CAs generate cross-sign certificates to ensure that their certificates are as widely supported as possible. A cross-sign certificate is where one root certificate is used to sign another.

 

Step 1: Import the Cross-Signing Certificate

To start configuring your SSL certificate chain in IIS on Windows, you need to import the correct cross-sign intermediate certificate into the Intermediate Certification Authorities store.

 

Follow these steps to import the cross-sign intermediate certificate:

 

  1. Press Win + R, type certlm.msc (for Current Machine) and press Enter.
  2. In the Certificate Manager, navigate to Intermediate Certification Authorities → Certificates
  3. Right-click on Certificates and choose All Tasks → Import
  4. Follow the Certificate Import Wizard:
    • Click Next
    • Click Browse and select the downloaded Intermediate Certificate
    • Choose Place all certificates in the following store
    • Confirm Intermediate Certification Authorities is selected
    • Click Finish

 

  1. Download the appropriate cross-signing certificate from below:
  2. Once imported, the certificate will appear under Intermediate Certification Authorities → Certificates


Step 2: Remove the Self Signed Root R46/E46 Certificate

 

To maintain a secure and trusted SSL certificate chain, ensure the removal of the Self Signed R46/E46 Certificates (if present).

Please refer to the following screenshots to identify the Self Signed R46/E46 Certificates (if present).

Sectigo Public Server Authentication Root R46 - Self Signed:

Sectigo Public Server Authentication Root E46 - Self Signed:

Instructions to follow to ensure certificate removal:

  1. Open the Certificate Manager (certlm.msc)
  2. Navigate to Trusted Root Certification Authorities → Certificates
  3. Look for:
    • Sectigo Public Server Authentication Root R46
    • AND / OR Sectigo Public Server Authentication Root E46
  4. Right-click the certificate and select Delete
  5. Confirm when prompted
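
Steps 1 and 2 can also be scripted. The following PowerShell is an added example, not part of the original article or a Sectigo tool; the file path and backup folder are placeholders. It checks that the downloaded file really is the cross-signed (not self-signed) R46/E46 certificate before importing it, and saves a copy of each self-signed root before deleting it.

```powershell
# Added example, not Sectigo's script. Run in an elevated PowerShell session.
$CrossSignPath = 'C:\certs\cross-sign.crt'    # placeholder: the file downloaded in Step 1
$BackupDir     = 'C:\certs\removed-roots'     # hypothetical backup folder
$RootNames     = @('Sectigo Public Server Authentication Root R46',
                   'Sectigo Public Server Authentication Root E46')

# Step 1: inspect the file before trusting it. The subject must be Root R46/E46
# and the issuer must be a USERTrust root, i.e. not the self-signed variant.
$cross = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CrossSignPath)
$named = $RootNames | Where-Object { $cross.Subject -like "*CN=$_*" }
if (-not $named -or $cross.Subject -eq $cross.Issuer -or $cross.Issuer -notlike '*CN=USERTrust*') {
    throw "Unexpected certificate. Subject='$($cross.Subject)' Issuer='$($cross.Issuer)'"
}
Import-Certificate -FilePath $CrossSignPath -CertStoreLocation Cert:\LocalMachine\CA | Out-Null
Write-Output "Imported cross-sign $($cross.Thumbprint) into Intermediate Certification Authorities"

# Step 2: find self-signed R46/E46 entries in Trusted Root Certification Authorities.
$selfSigned = Get-ChildItem Cert:\LocalMachine\Root | Where-Object {
    $c = $_
    $c.Subject -eq $c.Issuer -and ($RootNames | Where-Object { $c.Subject -like "*CN=$_*" })
}

# Keep a copy of each certificate (public part only) so the change can be reverted,
# then delete it from the store.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
foreach ($c in $selfSigned) {
    Export-Certificate -Cert $c -FilePath (Join-Path $BackupDir "$($c.Thumbprint).cer") | Out-Null
    Remove-Item -Path "Cert:\LocalMachine\Root\$($c.Thumbprint)"
    Write-Output "Removed self-signed root: $($c.Subject) [$($c.Thumbprint)]"
}
if (-not $selfSigned) { Write-Output 'No self-signed R46/E46 root present; nothing to remove.' }
```
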

Step 3: Export the SSL Leaf Certificate as a PFX File

Export your SSL certificate (also called the Domain/Leaf Certificate) with its private key as a .pfx file, which is required for import into IIS.

 

Instructions:

  • Open Certificate Manager, usually certmgr.msc or certlm.msc (whichever has the certificate and private key)
  • Go to Personal → Certificates
  • Find your issued certificate (usually named after your domain)
  • Right-click it and select All Tasks → Export
  • In the Export Wizard:
    • Choose Yes, export the private key
    • Select .PFX and check the following boxes:
      • Include All certificates in the certification path
      • Export all the extended properties
      • Enable certificate privacy
    • Set a secure password when prompted
    • Select Browse, choose the directory, name the file, and save the .pfx file to a secure location

Learn more about exporting the certificate as a PFX file from Windows in detail: Exporting the certificate as PFX file from Windows

 

Step 4: Import and Bind the Certificate in IIS

 

After exporting the PFX file from Certmgr.msc, import the newly created PFX file and bind the certificate to your site using IIS Manager by following these steps:

 

  1. Open IIS Manager
  2. Select your server’s name in the left panel
  3. Double-click on Server Certificates
  4. In the Actions pane, click Import
  5. Choose the .pfx file, enter the password, and click OK
  6. Once imported, go to:
    • Sites → Your Website
    • Click on Bindings in the right panel
  7. In the Site Bindings window:
    • Click Add or Edit
    • In Type, choose https
    • IP Address: Select All Unassigned or choose a specific IP address
    • Port: Choose 443
    • SSL Certificate: Choose the friendly name of your certificate
  8. Click OK to bind the SSL certificate

 

Step 5: Restart IIS (This step is optional)

 

To apply the binding changes immediately, restart IIS.

 

Instructions:

  • Open Command Prompt as Administrator
  • Run the command: iisreset. This restarts IIS and applies the certificate binding changes immediately.
  • Alternatively, you can restart IIS using the Services console.

 

Step 6: Verify the Certificate Chain

 

After completing the above steps, verify that the certificate chain is correctly configured using the following link:

🔗 https://www.sslshopper.com/ssl-checker.html

 

 

 

 

The SSL Checker tool verifies whether the complete certificate chain including any intermediate or cross-sign certificates is correctly installed and trusted.
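
The chain can also be checked on the server itself before using the online tool. The following PowerShell is an added example, not part of the original article; the thumbprint is a placeholder for your leaf certificate. It asks Windows to build the chain from its local stores and reports whether the R46/E46 element in that path is the cross-signed one that chains up to a USERTrust root.

```powershell
# Added example. Replace the placeholder with the thumbprint of the certificate bound in IIS.
$Thumbprint = '<LEAF-CERT-THUMBPRINT>'
$leaf = Get-Item "Cert:\LocalMachine\My\$Thumbprint"

# Build the path from the local certificate stores. Revocation is skipped here
# because only the shape of the chain is being checked.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$built = $chain.Build($leaf)

# One row per chain element, leaf first.
$elements = @(for ($i = 0; $i -lt $chain.ChainElements.Count; $i++) {
    $c = $chain.ChainElements[$i].Certificate
    [pscustomobject]@{
        Depth      = $i
        Subject    = $c.GetNameInfo('SimpleName', $false)
        Issuer     = $c.GetNameInfo('SimpleName', $true)
        SelfSigned = ($c.Subject -eq $c.Issuer)
        Thumbprint = $c.Thumbprint
    }
})
$elements | Format-Table -AutoSize

# Expected after Steps 1 and 2: Root R46/E46 appears as a non-self-signed
# element and the last element of the path is a USERTrust root.
$r46 = $elements | Where-Object { $_.Subject -like 'Sectigo Public Server Authentication Root ?46' }
if (-not $built) {
    Write-Warning ("Chain did not build: " + (($chain.ChainStatus | ForEach-Object Status) -join ', '))
} elseif ($r46 -and -not $r46.SelfSigned -and $elements[-1].Subject -like 'USERTrust*') {
    Write-Output 'OK: path uses the cross-signed R46/E46 and ends at a USERTrust root.'
} elseif ($r46 -and $r46.SelfSigned) {
    Write-Warning 'Path ends at the self-signed R46/E46 root; repeat Step 2.'
} else {
    Write-Warning 'Root R46/E46 is not in the path; confirm the leaf chains to it and that Step 1 completed.'
}
```
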

 

Point to Note: Adding the cross-signing certificate should help re-establish trust for the certificate on legacy devices that may not recognize new root certificates.

 
