TBS-certificates' FAQ - Frequently Asked Questions > Install a certificate > Install a X509 / SSL certificate on a server ( Web / HTTP / OWA / Email / POP / IMAP / FTP ...) > Install a Microsoft IIS5 or IIS6 certificate :

Tweeter

Certificates

Comparison chart

Browsers

SSL EV

SSL Standard

SSL 128-bit

SSL wildcard

SSL SAN

Developer certificate

User certificate

Test certificates

PKI

The Trust Seals

Our products range

TBS X509

VeriSign / Symantec

Thawte

Comodo

GlobalSign

ChamberSign

GeoTrust

Partners

Client login

Open an account

FAQ

The Lab

Focus

VeriSign Trust Seal

Norton Secured Seal

As a VeriSign major partner, TBS internet is the first company in Europe to offer the VeriSign trust logo, the most recognized worldwide. An SSL certificate is no longer required as the seal is available after an organisation audit and comes with a malware detection system. More details...

Disable Thawte PCA (2036) root

Some Microsoft products (such as IIS servers) have a root certification authority named "Thawte Primary Root CA" expiring in 2036 that interferes with Thawte server or developer certificates.

It makes the CO-piBot test fail (Test a server certificate online ) even if the certification chain has been correctly installed. The problem being that instead of using the intermediary certificate "Thawte Primary Root CA (2020)", the server presents the root certificate "Thawte Primary Root CA (2036)".
To solve the issue the problematic root certificate must be disabled and the automatic update of the certification authorities deactivated (see Deactivate the certification authorities update on Windows 2003 and 2008).

Disable thawte Primary Root CA (2036)

1- Launch the MMC

Click Start then select Run and type mmc
Click on the File menu and select Add/Remove Snap in
Choose Add, select Certificates among the list of Standalone Snap-in and click Add
Choose Computer Account and click Next
Choose Local Computer and click Finish
Close the window and click OK on the previous window

2- Localize the certificate to disable

Deploy the hierarchy to go to Trusted Root Certification Authorities then Certificates

Among the list, spot the certificate

	Common Name - thawte Primary Root CA
	Expiry Date - 17th July 2036
	Thumbprint - 91 c6 d6 ee 3e 8a c8 63 84 e5 48 c2 99 29 5c 75 6c 81 7b 81

To disable the certificate, right-click on it and select properties
In the Certificate purposesarea, tick Disable all purposes for this certificate
Click OK. You can now stop the MMC.

3- Reboot the server

Under IIS6, stop and start the website can be enough, but generally the machine needs to be restart. Firstly stop and start the website then test your certificate with CO-piBot ( test a server certificate online), if it does not work, reboot the machine.

If it still does not work, go back to the second step and disable Thawte 2036 root and reboot the machine.

Anonymous [ settings | log in ]

Last edited on 04/11/2012 12:28:18 --- [search]