Solution ID : SO14807

Error: "Unrecognized Certificate Authority Signature" when installing certificate into key ring

Problem

When you install a signed certificate into a key ring file, the following message appears:

"Unrecognized Certificate Authority signature"
 

 

Cause

The server certificate cannot be installed in your server key ring because the signature is from a CA that is not listed as a Trusted Root. This is due to one of the following:

1. A certificate for the signing CA is not present in your server key ring.
2. A certificate for the signing CA is present in your server key ring, but it is not marked as a Trusted Root. You can install the server certificate anyway, or you can exit for now to install the CA certificate in your server key ring and mark it as a Trusted Root.

Solution

To resolve this error, perform the following steps:
 
  1. Go to www.thawte.com/roots to download the root you require. Create a new text file (example.txt), paste the certificate information into it, then save and close the file.
  2. Rename the text file to example.cer.
  3. Open the example.cer file. Windows automatically associates it with an X.509 certificate and opens it in the Certificate Viewer.
  4. Switch to the "Certification Path" tab. This tab shows the hierarchy of the certificate.

     
     
  5. Choose the CA and click "View Certificate." You see a new Certificate dialog for the CA itself.
  6. Switch to the "Details" tab, click "Copy to File." This opens the Certificate Export Wizard.
  7. Click "Next." Choose "Base-64 encoded X.509 (.CER)." Click "Next." Choose a file name (c:\exampleca.cer). Click "Next." Click "Finish."
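
Before the exported file is merged as a Trusted Root, you can confirm that it is the CA that actually signed the server certificate; the script below is an added example (not part of the original solution) that does this with OpenSSL, which reads the Base-64 .CER format directly. It assumes the signing CA is a self-signed root, and the function names, file names and test certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example. All certificates are constructed test data, not real CA roots.

# dn subject|issuer FILE: print that name without the "subject=" / "issuer=" prefix.
dn() { openssl x509 -in "$2" -noout "-$1" | sed 's/^[a-z]*= *//'; }

# check_signing_ca CA_CERT SERVER_CERT
# returns 0 if CA_CERT issued SERVER_CERT, 1 on issuer name mismatch,
# 2 if the name matches but the certificate does not verify against CA_CERT.
check_signing_ca() {
  if [ "$(dn issuer "$2")" != "$(dn subject "$1")" ]; then
    echo "MISMATCH: server certificate was issued by '$(dn issuer "$2")'"
    return 1
  fi
  # A name can be copied; only the signature check proves issuance.
  if ! openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'; then
    echo "NOT VERIFIED: issuer name matches but verification against this CA fails"
    return 2
  fi
  echo "OK: confirm this fingerprint against the CA's published value before trusting:"
  openssl x509 -in "$1" -noout -fingerprint -sha256
}

# mkroot BASENAME CN: constructed self-signed root (BASENAME.key, BASENAME.cer).
mkroot() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.cer" 2>/dev/null
}

# make_demo_certs DIR: two roots, a same-name lookalike, and a server
# certificate signed by rootA only.
make_demo_certs() {
  mkroot "$1/rootA" "Constructed Root A" &&
  mkroot "$1/rootB" "Constructed Root B" &&
  mkroot "$1/lookalike" "Constructed Root A" &&
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=server.example.test" \
    -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/server.csr" -CA "$1/rootA.cer" -CAkey "$1/rootA.key" \
    -CAcreateserial -days 1 -out "$1/server.cer" 2>/dev/null
}

# Demo run: rootA passes, rootB has the wrong name, lookalike has the wrong key.
demo=$(mktemp -d) && make_demo_certs "$demo" &&
for ca in rootA rootB lookalike; do
  check_signing_ca "$demo/$ca.cer" "$demo/server.cer"
done
rm -rf "$demo"
```

With real files, call `check_signing_ca` with the exported CA file first and the server certificate second, then compare the printed SHA-256 fingerprint with the value the CA publishes.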
 
After you have the root certificate, perform the following steps:
 
  1. Open the Server Certificate Administration database. Choose step 3, "Install Trusted Root Certificate into Key Ring."
     
  2. Fill out the fields as shown in the screen capture below, changing the .kyr file name to the correct one (it should already be correct by default). The Certificate Label is purely informational; a best practice is to match it to the CA issuer's common name.

     
     
  3. Click "Merge Trusted Root Certificate into Key Ring" and follow the prompts. This step imports the trusted root.
    * If you clicked OK when first receiving the "Unrecognized Certificate Authority signature" message, then the key ring file is ready and all steps are complete.
    * If you clicked Cancel to the message dialog, you need to repeat "Install Certificate into Key Ring" in the Server Certificate Administration database.