CSS 11500 and SSL Certificates with Extended Validation

Unanswered Question
Apr 22nd, 2009
User Badges:

Hi guys,

can me somebody explain how to import Verisign certificate (SSL Certificates with Extended Validation)?

I done this many times, but today I have problem with it. This is first time, that I import SSL certificate with "extended validation", but I think technique is the same. I'm right?

ok, step by step:

1. I sent CSR to verisign

2. I got certificate for my domain in x509 format. I don't know what the format of the file was, but all certificates (all cert.chain) was in one part:


asdadas all 4 certificates <cut>


I have import this file to browser and export as 'chain'. I got one x509 format file, with 4 certificates:


my service <cut>



CA EV certificate <cut>



CA certificate <cut>



ROOT-CA certificate <cut>


3. CSS SSL configuration is ok. I done this many times. Certificate and private key verification is ok. But client browser shows:

"my.domain.com uses an invalid security certificate. The certificate does not come from a trusted source. (Error code: sec_error_untrusted_cert)"

ok, maybe intermediate certificate is missing (well-known problem: http://www.cisco.com/en/US/products/hw/contnetw/ps792/products_configuration_example09186a00801e8071.shtml)

by the way, this intermediate certificate (Secure Site Pro with EV Root bundle: https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR657) is included in the certificate.

I tried add it to the end of the certificate, but the same result.

Where is the problem? Thanks for help.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Gilles Dufour Wed, 04/22/2009 - 23:45
User Badges:
  • Cisco Employee,


EV certificates have been tested with the CSS and they work fine.

You also seem to know the procedure to install chained certificates.

So, I can only suggest to open a service request with the TAC and provide them your key and certs so that we can try it in our lab.



This Discussion