Overview

You may be seeing an error in the Kerio web admin GUI: “Untrusted certificate unable to get local issuer certificate.” after purchasing an SSL certificate that contains a Root CA Certificate and/or intermediate certificates. If that is the case, then this guide is for you!

You may have already tried to restart the server and upload the bundle certificates to /opt/kerio/mailserver/sslca directly, but the problem is unresolved. 

Solution

The issue occurs when the SSL certificate chain might be incomplete or the server does not recognize the root and intermediate certificates and should be solved by following the below steps:

1. Check to ensure you are not using bundled CA certificates (stitched in the same CRT file).
2. If you are using bundled CA certificates follow these steps:
   • Clear any bundled CA certificates from /opt/kerio/mailserver/sslca directory as it should only contain Intermediate certificates.
   • Create individual .crt files for each Intermediate certificate.
   • Follow the process in Installing Intermediate SSL certificates.
   • Restart Kerio Connect.
3. If the above fails, then please also proceed to manually add a trusted Root certificate by following the process in the article Adding Trusted Root Certificates to the Server. Follow the instructions relevant to your operating system.

Testing

Check to see if the error continues. Other steps to follow if the error persists:

• Contact the certification authority and ask for a fresh file to upload
• Proceed with Reaching Support and Opening a New GFI Support Ticket. The support team will require the Support information file, along with the SSL certificate that causes issues for analysis.