Entrust Certificate Services Support Knowledge Base
Audience: General
Last Modified: 2010-06-25 09:46:34.0
TN 7870 - How do I install the Entrust 2048 chain in IIS?
Question:
How do I install the Entrust 2048 chain certificate in IIS?
Answer:
By default, clients should have the new Entrust 2048 root CA certificate installed in their trusted root certification store. However, some clients might require you to build your certificate trust using the older Entrust 1024 root CA certificate.
To re-chain your certificate to the older Entrust 1024 root CA, you need to remove the Entrust 2048 root CA certificate from your server's trusted Root store, and install the Entrust 2048 Chain certificate in the intermediate certificate store.
Note: For the certificate path re-chaining to work, the Entrust L1C chain certificate must be installed in the Intermediate Certification Authorities store on your server. If you have already installed the Entrust L1C chain certificate, skip to Step 3.
1. To install the Entrust L1C chain certificate, download the chain certificate from: https://www.entrust.net/downloads/binary/entrust_l1c.cer.
2. Install the Entrust L1C chain certificate by following the chain certificate installation instructions available at: http://www.entrust.net/knowledge-base/technote.cfm?tn=8166.
3. To install the Entrust 2048 chain certificate, download the 2048 chain certificate from: https://www.entrust.net/downloads/binary/entrust_2048_chain_root.cer.
4. Install the Entrust 2048 chain certificate by following the chain certificate installation instructions available at: http://www.entrust.net/knowledge-base/technote.cfm?tn=8166.
5. Verify that both the Entrust L1C chain and the Entrust 2048 chain certificates are installed correctly in the local computer’s Intermediate Certification Authorities store in MMC.
6. Remove the Entrust 2048 root CA certificate, Entrust.net Certification Authority (2048), from the Trusted Root Certification Authorities store in MMC.
   To remove the certificate, right-click the certificate and select Delete.
Note: Trusted root certificates are updated automatically by Windows. This means that you have to check after every update and remove the Entrust 2048 root CA’s certificate from the Trusted Root Certification Authorities in MMC.
An alternative solution is to disable automatic root certificate updates in Windows.
To turn off Automatic Root Certificates Update in Windows 2003 and earlier:
To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.
- From the Start menu, select Control Panel.
- Select Add or Remove Programs.
- Select Add/Remove Windows Components from the left menu.
- In the Windows Components wizard, locate and deselect the Update Root Certificate component.
To turn off Automatic Root Certificates Update in Windows 2008:
To perform this procedure, you must be a member of the local Administrators group, or you must have been delegated the appropriate authority.
- Click Start, and then click Run.
- Type gpedit.msc. Click OK.
- If the User Account Control dialog box appears, confirm that the action it displays is what you want, and click Continue.
- Double-click Administrative Templates, double-click System, double-click Internet Communication Management, and then select Internet Communication settings.
- Double-click Turn off Automatic Root Certificates Update, click Enabled, and then click OK.
- Close the Local Group Policy Editor.
Note: You can use Group Policy to set policy settings that apply across a given site, domain, or organizational unit in Active Directory Domain Services.
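The store state this procedure aims for can be checked with a short read-only script, which helps with the re-check needed after each Windows update. This is an added example, not part of the Entrust technote. It assumes an elevated PowerShell session, matches certificates by subject text (`*L1C*` is an assumed substring), and assumes the 2048 chain certificate is a cross-certificate whose issuer differs from its subject.

```powershell
# Added example: read-only audit of the certificate-store state this technote describes.
# Assumption: certificates are matched by subject text; the page lists no thumbprints.
$name2048   = 'Entrust.net Certification Authority (2048)'  # name as given on the page
$l1cPattern = '*L1C*'                                       # assumed subject substring

function Find-Cert([string]$Store, [string]$SubjectLike) {
    Get-ChildItem -Path $Store | Where-Object { $_.Subject -like $SubjectLike }
}

function New-Check([string]$Check, [bool]$Ok, $Certs) {
    New-Object PSObject -Property @{
        Check       = $Check
        Ok          = $Ok
        Thumbprints = (@($Certs) | ForEach-Object { $_.Thumbprint }) -join ', '
    }
}

$intermediate = 'Cert:\LocalMachine\CA'    # Intermediate Certification Authorities
$trustedRoot  = 'Cert:\LocalMachine\Root'  # Trusted Root Certification Authorities

$l1c   = @(Find-Cert $intermediate $l1cPattern)
# Assumed cross-certificate: same subject as the 2048 root, but issued by the
# older root, so Issuer differs from Subject.
$chain = @(Find-Cert $intermediate "*$name2048*" | Where-Object { $_.Issuer -ne $_.Subject })
$root  = @(Find-Cert $trustedRoot "*$name2048*")

$report = @(
    New-Check 'L1C chain cert in Intermediate store'     ($l1c.Count -gt 0)   $l1c
    New-Check '2048 chain cert in Intermediate store'    ($chain.Count -gt 0) $chain
    New-Check '2048 root absent from Trusted Root store' ($root.Count -eq 0)  $root
)
$report | Select-Object Check, Ok, Thumbprints | Format-Table -AutoSize

# Group Policy "Turn off Automatic Root Certificates Update" sets this value to 1.
# Removing the Windows component instead (Windows 2003) does not set it, so this
# line is informational and does not affect the exit code.
$key    = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
$policy = Get-ItemProperty -Path $key -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
$updatesOff = ($null -ne $policy) -and ($policy.DisableRootAutoUpdate -eq 1)
Write-Output "Automatic root update turned off by policy: $updatesOff"

# Non-zero exit lets a scheduled task flag the server when an update re-adds the root.
if (@($report | Where-Object { -not $_.Ok }).Count -gt 0) { exit 1 }
```

A failed third check lists the thumbprint of the re-added root, which can then be removed in MMC as described in Step 6.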
Affected Products:
- Entrust Certificate Services 2 Year SSL Certificate (Version: Not Applicable; Language: Not Applicable; Platform: Not Applicable)