Public Support
import pfx file and intermediate certificates
Total posts: 4
Vincent Blanc

2018-02-20 16:59:23
Registered user
Hello,

Regarding the import of certificates with the ImportFromPFX function.
I am not sure that the intermediate certificate is imported correctly.
When I test my site (https://www.sslshopper.com/ssl-checker.html#hostname=test.ecole7.ch), I get a message:

"The certificate is not trusted in all web browsers. You may need to install an Intermediate / chain certificate to link to a trusted root certificate. Learn more about this error. The fastest way to fix this problem is to contact your SSL provider."

I specify that my .pfx file contains an intermediate certificate.

I said that the site is still recognized correctly by most browsers.

Thank you in advance for your assistance.

Vincent Blanc
Henrick Wibell Hellström

2018-02-20 21:38:45
Registered user
Correct. In ST 4.0 you use the property TsmSimpleTLSInternalServer.LocalExplicitTrustByDefault = True to ensure all certificates in the PFX are loaded. You should combine this with TsmSimpleTLSInternalServer.IncludeRootInTLSChain = False in case the root certificate is also present in the PFX, and there are Mozilla clients (Firefox/Thunderbird) connecting to your server.

In ST 2.3 the easiest solution is to load the intermediate certificates separately, using the method TSimpleTLSInternalServer.LoadRootCertificatesFromFile. Previously, the recommended solution was to load the (actual) root certificate prior to importing the PFX, but that is no longer an optimal solution, due to the shortcuts in the Mozilla implementation.

The reason ST 2.3 works this way is that the SSL/TLS solution was originally designed for applications where the clients authenticated themselves to the server using SSL/TLS client authentication. ST 2.3 will by default use any loaded CA certificate as an acceptable CA for client certificate issuance, which might be undesirable in situations where the server certificate and the client certificates belong to strictly separated chains.
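The symptom in the question (a checker reporting an untrusted chain while most browsers still accept the site) is exactly what a server that sends only its leaf certificate produces: browsers that have the intermediate cached accept it, everything else fails. The following is an added example, not StreamSec code: it parses the "Certificate chain" section of `openssl s_client -showcerts` output, checks that each certificate is issued by the next one, reports whether the chain dangles (a missing intermediate) and whether a self-signed root was sent along (which the answer above says to leave out of the TLS chain when Mozilla clients connect). The host names, CA names and the chain layouts are constructed samples; `fetch_s_client_output` assumes the `openssl` CLI is installed.

```python
import re
import subprocess
from typing import Dict, List, Optional, Set

# Constructed sample of `openssl s_client -showcerts` output from a server that
# sends only its leaf certificate: the issuer "Example Intermediate CA" never
# appears as a subject in the chain, so a client without that intermediate
# cached cannot build a path to a root.
LEAF_ONLY_OUTPUT = """\
CONNECTED(00000003)
depth=0 CN = test.example.invalid
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:CN = test.example.invalid
   i:O = Example CA, CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder, not a real certificate...
-----END CERTIFICATE-----
---
Server certificate
"""

# Constructed sample from a server that sends everything found in its PFX:
# leaf, intermediate and the self-signed root.
FULL_CHAIN_OUTPUT = """\
---
Certificate chain
 0 s:CN = test.example.invalid
   i:O = Example CA, CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder...
-----END CERTIFICATE-----
 1 s:O = Example CA, CN = Example Intermediate CA
   i:O = Example CA, CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder...
-----END CERTIFICATE-----
 2 s:O = Example CA, CN = Example Root CA
   i:O = Example CA, CN = Example Root CA
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder...
-----END CERTIFICATE-----
---
"""

# One "N s:<subject>" / "i:<issuer>" pair from the 'Certificate chain' section
# (OpenSSL 1.1.1+ prints names as "CN = ..."; older builds used "/CN=...").
_ENTRY = re.compile(r"^\s*\d+ s:(.*)\n\s*i:(.*)$", re.MULTILINE)


def parse_chain(s_client_output: str) -> List[Dict[str, str]]:
    """Subjects and issuers in the order the server presented them."""
    return [{"subject": s.strip(), "issuer": i.strip()}
            for s, i in _ENTRY.findall(s_client_output)]


def analyze_chain(s_client_output: str,
                  trusted_root_subjects: Optional[Set[str]] = None) -> Dict[str, object]:
    """Report whether the presented chain links up to a root.

    trusted_root_subjects models the client's root store: a chain that ends in an
    intermediate is still complete if that intermediate's issuer is in the store.
    """
    certs = parse_chain(s_client_output)
    trusted = trusted_root_subjects or set()
    if not certs:
        return {"count": 0, "linked": False, "root_included": False,
                "dangling_issuer": None, "complete": False}
    # each certificate must be issued by the one that follows it on the wire
    linked = all(certs[k]["issuer"] == certs[k + 1]["subject"]
                 for k in range(len(certs) - 1))
    last = certs[-1]
    root_included = last["subject"] == last["issuer"]
    # a last certificate that is not self-signed must be issued by a stored root
    dangling = None if root_included or last["issuer"] in trusted else last["issuer"]
    return {"count": len(certs), "linked": linked, "root_included": root_included,
            "dangling_issuer": dangling, "complete": linked and dangling is None}


def fetch_s_client_output(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """Run `openssl s_client -showcerts` against a live server (needs the openssl CLI)."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}",
         "-servername", host, "-showcerts"],
        input=b"", capture_output=True, timeout=timeout)
    return proc.stdout.decode(errors="replace")


if __name__ == "__main__":
    import sys
    text = fetch_s_client_output(sys.argv[1]) if len(sys.argv) > 1 else LEAF_ONLY_OUTPUT
    print(analyze_chain(text))
```

Run with a host name to inspect a live server, or without arguments to see the leaf-only sample flagged with `dangling_issuer` set and `complete` false. A `root_included` of true on a live check is the case the answer above addresses with IncludeRootInTLSChain = False: the root adds bytes to every handshake and is never what the client's decision rests on.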
Vincent Blanc

2018-02-21 17:23:58
Registered user
Thank you for this information, everything is ok now.

Just a note on ST 2.3 (bug?):
  The LoadRootCertsFromFile function cannot read the .crt format, but reads the .cer format correctly.
  In the source you do not distinguish between the two formats (TlsInternalServer.pas line 1950):
   if (Ext = '.cer') or (Ext = '.crt') then begin

  It's not too bad, just use the .cer format only.
Henrick Wibell Hellström

2018-02-21 17:38:08
Registered user
Yes, unfortunately that code is not really up to date with contemporary conventions, but technically, '.crt' just means certificate, just like '.cer' does. There has been Microsoft software that used '*.crt;*.cer;*.der' for binary DER certificates, as well as some other software that used '*.cer;*.crt;*.pem' for PEM encoded certificates.
:: Written with and Powered by the RealThinClient SDK and StreamSec Tools 4.0::
Copyright (c) Danijel Tkalcec, StreamSec HB