Currently, the only supported sequence is server cert, followed by intermediate CA(s), followed by root CA. We need to allow reversed order as well, with the root CA first, followed by intermediates, and the server cert at the bottom. Microsoft generates them this way by default and it's a pain to force things in the opposite order to get them to work with ZCM.

Some people have suggested to just edit the cert file to reverse the order but then the key doesn't match if the cert was externally generated with a key pair rather than from a CSR.
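The two orderings described in this request differ only in the sequence of the PEM blocks, and the correct sequence can be derived from the certificates themselves. The following is an added example, not part of the original post and not ZCM code: it reads each certificate's subject and issuer from the DER and emits the blocks leaf first, leaving every block byte-for-byte unchanged. It assumes a single chain linked by issuer/subject name only (no signature checks); the function names and the unsigned stand-in certificates are constructed for illustration.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----\s*", re.S)

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def names(der):
    """Return (subject, issuer) as raw DER Name bytes of an X.509 certificate."""
    _, pos, _ = read_tlv(der, 0)                       # Certificate
    _, pos, _ = read_tlv(der, pos)                     # TBSCertificate
    tag, _, end = read_tlv(der, pos)
    pos = end if tag == 0xA0 else pos                  # skip optional [0] version
    fields = []
    for _ in range(5):                                 # serial, sigAlg, issuer, validity, subject
        _, _, end = read_tlv(der, pos)
        fields.append(der[pos:end])
        pos = end
    return fields[4], fields[2]

def leaf_first(pem_text):
    """Reorder a PEM bundle to: server cert, intermediate(s), root."""
    certs = [(names(base64.b64decode(m.group(1))), m.group(0).strip() + "\n")
             for m in PEM_RE.finditer(pem_text)]
    issuers = {iss for (sub, iss), _ in certs if sub != iss}
    leaves = [c for c in certs if c[0][0] not in issuers]
    if len(leaves) != 1:
        raise ValueError("expected exactly one end-entity certificate")
    by_subject = {c[0][0]: c for c in certs}
    chain, cur = [], leaves[0]
    while cur and cur not in chain:                    # stops at self-signed root or a loop
        chain.append(cur)
        cur = by_subject.get(cur[0][1])
    if len(chain) != len(certs):
        raise ValueError("bundle is not a single chain")
    return "".join(pem for _, pem in chain)

# Constructed stand-ins: structurally valid but unsigned, CN-only names.
tlv = lambda tag, body: bytes([tag, len(body)]) + body  # short-form length only
def fake_cert(subject, issuer):
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, b"\x06\x03\x55\x04\x03" + tlv(0x0C, cn.encode()))))
    tbs = b"\xa0\x03\x02\x01\x02\x02\x01\x01\x30\x00" + name(issuer) + b"\x30\x00" + name(subject)
    der = tlv(0x30, tlv(0x30, tbs))
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"
ROOT_FIRST = fake_cert("Root", "Root") + fake_cert("Inter", "Root") + fake_cert("srv.example", "Inter")
```

`leaf_first(ROOT_FIRST)` returns the same three blocks in server, intermediate, root order, and raises `ValueError` when the bundle has a gap or more than one end-entity certificate.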
