6

On my GitHub Enterprise, when I install the SSL certificate with the key, it's displaying an error message:

"Github ssl cert The certificate is not signed by a trusted certificate authority (CA) or the certificate chain is missing intermediate CA signing certificates."

I was given 4 certificates by our certification authority team.

  1. SSL certificate : github.pem
  2. A set of 3 CA certificates : root, subca and subca2

On my GitHub Enterprise management console, it needs 2 entries:

  1. A x509 SSL certificate
  2. Unencrypted key

I have tried the github.pem key alone and with different combinations by concatenating the CA certificates, but it's always failing with the same error.

Is there a pattern to concatenate the certificate?

Any clue how I can resolve this?

Thanks in advance.

Peter Reid
Biju
  • Please post the URL you are using to connect to the server, and post the output of `openssl s_client -connect : -tls1 -servername | openssl x509 -text -noout`. Do so by adding it to your question by clicking *Edit* (and don't post it as a comment). Otherwise, we can't reproduce it and there's not enough information to help troubleshoot it. – jww Jul 08 '17 at 07:08
  • Having the same issue. Did you solve it? – Drazen Aug 21 '17 at 14:28

2 Answers

6

Please abide by the following steps to add 3 certificates to your .pem file:

  1. Open your domain certificate pem file in Notepad++.
  2. Add intermediate (DigiCertCA2.pem) certificate under Domain certificate.
  3. Add root certificate (TrustedRoot.pem) to your domain certificate.
  4. Save the .pem file that has the following 3 certificates (domain, intermediate, root).
  5. Upload the modified certificate.pem file and the private key.
  6. Click on Save Settings.
Omar Khaled
1

I had the same issue. When trying to load the PEM and Key files to GitHub Enterprise I got the same message. The cert was created using the exact same methods as I have done before, but was failing.

Github ssl cert The certificate is not signed by a trusted certificate authority (CA) or the certificate chain is missing intermediate CA signing certificates.

Steps I took:

  1. Created a cert for the server (webserver with Private Key)
  2. Exported from my user's personal store (PFX including all certs in the path and export all extended properties)
  3. `C:\OpenSSL-Win64\bin> openssl.exe pkcs12 -in git_key_included.pfx -nocerts -out priv-key.pem -nodes`
  4. `C:\OpenSSL-Win64\bin> openssl.exe pkcs12 -in git_key_included.pfx -nokeys -out cert.pem`
  5. `C:\OpenSSL-Win64\bin> openssl rsa -in priv-key.pem -out server.key`

I eventually figured it out by opening the PEM using Notepad++. The openssl commands work fine on the old exported cert, but swap around the ordering of the certs on the new exported cert. The broken cert had:

  1. Primary SSL certificate
  2. Root certificate
  3. Intermediate certificate

Instead of the correct ordering of:

  1. Primary SSL certificate
  2. Intermediate certificate
  3. Root certificate

So I swapped them around and it worked.

jok5r
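Both answers come down to the order of the certificates in the bundle: server certificate, then intermediate, then root. As an added example, not part of either answer, this Python sketch reorders a PEM bundle by following each certificate's issuer to the matching subject. The script name `order_chain.py` and the byte-for-byte name comparison are assumptions of this example.

```python
import base64, re, sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def read_tlv(buf, pos):
    """Read the DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length: next n bytes hold it
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(der):
    """Return (subject, issuer) of an X.509 certificate as raw DER Name bytes."""
    _, pos, _ = read_tlv(der, 0)           # outer Certificate SEQUENCE
    _, pos, _ = read_tlv(der, pos)         # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(der, pos)
    if tag == 0xA0:                        # optional [0] version field
        pos = end
    fields = []
    for _ in range(5):                     # serial, sigAlg, issuer, validity, subject
        _, _, end = read_tlv(der, pos)
        fields.append(der[pos:end])
        pos = end
    return fields[4], fields[2]

def order_chain(pem_text):
    """Reorder a PEM bundle to leaf -> intermediate(s) -> root.

    Simplification (assumption of this example): names are compared byte for
    byte and signatures are not verified, so this fixes ordering only.
    """
    certs = []
    for m in PEM_RE.finditer(pem_text):
        subject, issuer = names(base64.b64decode("".join(m.group(1).split())))
        certs.append((subject, issuer, m.group(0)))
    # The leaf is the only certificate that issued nothing else in the bundle.
    issuing = {iss for sub, iss, _ in certs if sub != iss}
    leaves = [c for c in certs if c[0] not in issuing]
    if len(leaves) != 1:
        raise ValueError("broken chain: an intermediate is missing or unrelated certificates are present")
    by_subject = {c[0]: c for c in certs}
    ordered, cur = [], leaves[0]
    while cur is not None and cur not in ordered:
        ordered.append(cur)
        cur = None if cur[0] == cur[1] else by_subject.get(cur[1])
    if len(ordered) != len(certs):
        raise ValueError("bundle contains certificates that are not part of the chain")
    return "\n".join(c[2] for c in ordered) + "\n"

if __name__ == "__main__":                 # e.g. python order_chain.py cert.pem
    sys.stdout.write(order_chain(open(sys.argv[1]).read()))
```

It keeps only the `BEGIN CERTIFICATE` blocks, so the `Bag Attributes` text that `openssl pkcs12` writes between certificates is dropped. When the chain has a gap it raises an error instead of emitting a bundle.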