Overview
While renewing the SSL certificate, the new certificate is marked as Untrusted with an "Unable to get certificate CRL" warning. The Kerio Connect Configuration -> SSL certificates UI shows a yellow Invalid certificate mark.
The invalid certificate warning does not generate any entry in the logs, and the issuers (Certification Authorities) for the old and new certificates are the same.
Prerequisites
Access to the Kerio Connect Administration
Diagnosis
In the case of an intermediate CA, you need to provide both the CRL of the root CA and the CRL of the intermediate CA (the full chain). You can do this by concatenating the CRLs or by using SSLCARevocationPath to point to a directory. For more information, please refer to the Apache documentation.
Note: If you're using Let's Encrypt as the provider, please refer to the Let's Encrypt documentation.
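The concatenation approach described above can be sketched with the OpenSSL command line as follows. This is an added example, not taken from the Kerio or Apache documentation; it assumes the openssl CLI is installed, and all file names passed to the functions are placeholders.

```shell
#!/bin/sh
# Added example: one PEM bundle holding the CRLs of the whole chain.
# All file names used with these functions are placeholders.

CRL_HEADER='-----BEGIN X509 CRL-----'

# Succeeds if the file is a PEM-encoded CRL (otherwise it is assumed to be DER).
is_pem_crl() {
    grep -q -e "^$CRL_HEADER" "$1"
}

# combine_crls OUT CRL...
# Writes every input CRL to OUT in PEM form. DER inputs are converted first,
# because raw DER files cannot simply be concatenated into a PEM bundle.
combine_crls() {
    out=$1
    shift
    : > "$out"
    for crl in "$@"; do
        if is_pem_crl "$crl"; then
            # awk 1 re-emits each line with a newline, so a file that lacks a
            # final newline does not glue its END line to the next BEGIN line.
            awk 1 "$crl" >> "$out"
        else
            openssl crl -inform DER -in "$crl" -outform PEM >> "$out" || return 1
        fi
    done
}

# Number of CRLs in a bundle; compare it with the number of CAs in the chain.
count_crls() {
    grep -c -e "^$CRL_HEADER" "$1"
}

# verify_chain CA_BUNDLE CRL_BUNDLE CERT
# CA_BUNDLE holds the root and intermediate CA certificates in PEM form.
# -crl_check_all checks every certificate in the chain, so a missing root or
# intermediate CRL is reported as "unable to get certificate CRL".
verify_chain() {
    openssl verify -crl_check_all -CAfile "$1" -CRLfile "$2" "$3"
}
```

For a chain with one intermediate CA, `count_crls` on the combined file should report 2 before the bundle is used.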
Solution
- Stop the Kerio Connect server.
- If importing a new SSL certificate, back up and clear the sslca folder to ensure it only contains Intermediate certificates.
- The correct combined SSL certificate should be placed into the Kerio Connect sslca directory. For more information, please refer to Installing Intermediate SSL certificates.
Confirmation
The new SSL certificate is shown as trusted.