Windows 7 and IE8 issues with new SSL

we have recently installed new Comodo SSL * certificate at our Juniper DX application accelerator, as a replacement for another Comodo expired one. The installaion was complete with the CA chain.

Most of our clients are communicating well with the application except for some Windows 7 / IE8 ones.

The error they are getting is: This website’s security certificate is not from a trusted source. The certificate they are getting is missing the whole CA chain path. The work around is by manully installing he intermdiate certificate “Comodo High Assurance Secure Server CA”, however, this cannot be a final solution as our users.

The application can be reached at:

The same certificate was installed at an Apache server and all the clients could connect with no problems.

Any ideas?


Looking at what the server is presenting:

Certificate chain
0 s:/C=LB/postalCode=n/a/ST=n/a/L=Beirut/streetAddress=Bliss Street/ University of Beirut/OU=Comodo PremiumSSL Wildcard/CN=*
i:/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO High Assurance Secure Server CA

This tells us the chain is not installed. It needs to be installed as per the SSL/TLS RFCs (starting with 2246), the server must present the whole chain if the cert has one. This is why you are having a problem with some clients and not all.

Thank you Sal for your reply,

The chain is installed, we made sure of that. The problem is detected by some Windows 7 / IE8 users and not all. There are no reported problems with XP/IE8 or firefox.

We have also opened a case with Juniper in parallel to see their feedback.

Would getting a certificate from the root CA at comodo, and not from an intermediata CA, bypasses this problem all together?



The problem is exactly as I have described above. Your “server”, may have the chain installed, but it is not presenting the intermediates that are needed to chain up to a trusted root properly. Once installing the chain, you may need to reboot the device.

You’re going to get mixed results from clients/browsers if they have seen our certs before as browsers and other clients tend to cache certs they have seen before. This explains why your Firefox users are seeing no issue.

Would getting a certificate from the root CA at comodo, and not from an intermediata CA, bypasses this problem all together?

Yes it would, but we’re no longer doing this as it is considered unsafe. All major CAs have moved away from this model to protect themselves.

Thanks Sal, we will try rebooting the DX application accelerators and let you know.

Hello Sal,

we have upgraded the Juniper DX to the latest revision and rebooted the appliances. However, the problem persists.



Did you add the bundle as a CA Certificate or Certificate Chainfile?

Hello Sal, at the Juniper DX you copy the content of the server certificate, key file, and the chain file (bundle file) as 3 separate files.

The bundle is added as a chain file.



What version of the DX do you have?

Hi Sal, we are running version 3.5.9 on the DX3280.

Hello Sal, problem solved. :slight_smile:

We have merged the bundle file with the server certificate file to have a server certificate with the full list, then at the DX cluster config we have disabled “Autochain” and choose the fully chained server certificate file.

Before that, the DX with autochain enabled was trying from the certificate list it has to build itself the chain and it seems that it was not able to.

Thank you for all your help and the hints you provided that pointed us in the right direction.


Hi Sal

I am getting this problem with this website also

It displays fine in all other browsers exepct for Firefox. Can you advise?




The site is missing an Intermediate. (Comodo High-Assurance Secure Server CA). Once this file is installed on the server, Firefox will not have an issue with the server certificate and will be able to complete the chain of trust.

Hi Sal,

Recently our customer has bought Comodo SSL Certificate, and we have got the installation steps from internet and installed the Certificate successfully. The SSL is working on IE 6 fine, but it is not working properly on IE 7 and IE 8. The problem we are facing is our application web page Calendar is not opening properly (means getting Blank window). and Calendar is working with IP address URL (for example ) properly, but when we are trying to open by Domain URL (for example here domain is “” . We can access the web page but in the web page Calenadr is not opening. We have tried with “InternetOptions → Security → ActiveX Controls and plug-ins → Allow Scriptlets” by changing this to “Enable”, the value change for this option is (i.e enable/disable) working for IP address URL but not with Domain URL.

Please help in solving this issue, because this is very critical issue for us.

Thanks in advance.

Please register on our Support Site [ ] and then submit a ticket to the Support Team so that we may better assist you.