HOW TO CREATE A FULL-CHAIN PFX FROM YOUR SSL FILES

You have the .crt, .p7b, and ca-bundle files — good.

Since your API is failing with “certificate signed by unknown authority”, it means your server is not presenting the full chain (Root + Intermediate + Server cert).

To fix this, you must re-create a proper PFX that contains the entire chain and then re-import it into IIS.

Below are the exact steps.

HOW TO CREATE A FULL-CHAIN PFX FROM YOUR FILES

You have:

backoffice_sbmcp1_co_in.crt → Server certificate
backoffice_sbmcp1_co_in.ca-bundle → Intermediate + Root certificates
backoffice_sbmcp1_co_in.p7b → Certificate chain (can also be used to import intermediates)

The easiest correct method is:

METHOD 1: Use MMC to import chain + export correct PFX

STEP 1 — Open MMC

Press Win + R → type mmc → Enter
Go to File → Add/Remove Snap-in
Add Certificates (Computer account)
Expand:

Certificates (Local Computer)
 └─ Personal
     └─ Certificates

STEP 2 — Import certificates properly

2A — Import the server certificate (.crt)

Right-click Personal → Certificates → All Tasks → Import → select:

backoffice_sbmcp1_co_in.crt

Finish the wizard.

2B — Import the CA bundle (Root + Intermediate)

You must import the CA bundle into two locations:

→ Import into "Intermediate Certification Authorities"

Right-click:

Certificates (Local Computer)
 └─ Intermediate Certification Authorities
     └─ Certificates

Import:

backoffice_sbmcp1_co_in.ca-bundle

→ Import into "Trusted Root Certification Authorities"

Right-click:

Certificates (Local Computer)
 └─ Trusted Root Certification Authorities
     └─ Certificates

Import the same ca-bundle.

STEP 3 — Export a NEW PFX containing the full chain

Go back to:

Certificates (Local Computer)
 └─ Personal
     └─ Certificates

Find your certificate → right-click → All tasks → Export Choose:

Yes, export the private key
Include all certificates in the certification path (IMPORTANT)
Set password
Save as new_fullchain.pfx

METHOD 2: Use OpenSSL (if needed)

If you want to build the full chain manually:

cat backoffice_sbmcp1_co_in.crt backoffice_sbmcp1_co_in.ca-bundle > fullchain.crt

Then convert to PFX:

openssl pkcs12 -export -out new_fullchain.pfx -inkey your_private_key.key -in fullchain.crt

(Only works if you still have the private key!)

FINAL STEP — Import full chain PFX into IIS

Open IIS Manager
Go to Server Certificates
Click Import
Choose new_fullchain.pfx
Go to Bindings for your site
Select HTTPS → Edit → Choose the newly imported certificate
Restart site / IIS:
```
iisreset
```

Why your API was failing

Your first PFX was created from IIS, which only exported: ✔ server certificate ✘ NOT intermediates ✘ NOT root

So the API client saw an incomplete chain → “unknown authority”.

PreviousLet's Encrypt SSL with Apache (Reverse Proxy) + Tomcat using win-acme NextBackup

Last updated 18 days ago

Was this helpful?