IIS certificate chain omits certs after depth1

Daniel Richards 0 Reputation points
2024-01-11T16:48:37.5033333+00:00

Hi, has anyone observed that IIS (v10, maybe other versions also) does not seem to return the full certificate chain (even though the certificate includes the packaged full chain) to clients? IIS only seems to return the certificate (depth0) and the issuing intermediate CA (depth1), but no further issuers in the chain (in my case the CA Root (depth2)). How can IIS be configured to return the full chain? TIA


2 answers

  1. Yurong Dai-MSFT 2,841 Reputation points Microsoft External Staff
    2024-01-15T08:47:33.25+00:00

    Hi @Daniel Richards,
    Your chain is correct. The chain should not include the root certificate, which is not considered an “intermediate certificate”. If you send the root certificate to a device that already trusts it, it does not provide any new information to the device. If you send a root certificate to a device that doesn't trust it, the device won't trust it just because it received it. Unlike intermediate certificates, root certificates must be pre-installed or they will be invalid.


    If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment". Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the email notification for this thread.

    Best regards,

    Yurong Dai

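The reasoning in the answer above (the intermediate is what a client cannot be expected to have, the root is what it must already have) can be checked offline. This is an added example, not code from the thread or from IIS: it builds a throwaway root -> intermediate -> leaf PKI with openssl and verifies the leaf against the bundles a server might send. All names and files are constructed; it assumes openssl 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Constructed root -> intermediate -> leaf PKI to show which chain members a
# TLS client needs from the server and which it must already trust.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Issue a certificate: $1 = name, $2 = extension section, $3 = issuer ("self" for a root)
issue() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$1" 2>/dev/null
  if [ "$3" = self ]; then
    openssl x509 -req -in "$WORK/$1.csr" -signkey "$WORK/$1.key" -days 30 \
      -extfile "$WORK/ext.cnf" -extensions "$2" -out "$WORK/$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
      -CAcreateserial -days 30 -extfile "$WORK/ext.cnf" -extensions "$2" \
      -out "$WORK/$1.pem" 2>/dev/null
  fi
}

build_test_pki() {
  printf '%s\n' '[ca]' 'basicConstraints=critical,CA:TRUE' \
    'keyUsage=critical,keyCertSign,cRLSign' '[leaf]' 'basicConstraints=CA:FALSE' \
    'extendedKeyUsage=serverAuth' 'subjectAltName=DNS:www.example.test' > "$WORK/ext.cnf"
  issue root ca self             # depth2: pre-installed in the client's trust store
  issue intermediate ca root     # depth1: what IIS sends alongside the leaf
  issue leaf leaf intermediate   # depth0: the server certificate
  issue other-root ca self       # an unrelated root, for a client that does not trust ours
  # Bundle as served by IIS (leaf + intermediate) and the same bundle with the root appended
  cat "$WORK/leaf.pem" "$WORK/intermediate.pem" > "$WORK/served-chain.pem"
  cat "$WORK/served-chain.pem" "$WORK/root.pem" > "$WORK/served-with-root.pem"
}

# Verify the leaf as a client would: $1 = trust anchor file, $2 = bundle received from the server.
# Prints OK or FAIL.
client_verify() {
  if openssl verify -CAfile "$1" -untrusted "$2" "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL
  fi
}

build_test_pki
echo "trusts root, server sends leaf+intermediate: $(client_verify "$WORK/root.pem" "$WORK/served-chain.pem")"      # OK
echo "trusts root, server sends leaf only:         $(client_verify "$WORK/root.pem" "$WORK/leaf.pem")"              # FAIL
echo "trusts root, server also sends root:         $(client_verify "$WORK/root.pem" "$WORK/served-with-root.pem")"  # OK, root adds nothing
echo "does not trust root, server sends root too:  $(client_verify "$WORK/other-root.pem" "$WORK/served-with-root.pem")"  # FAIL
```

The last two lines are the point of the answer: appending the root to what the server sends neither helps a client that already trusts it nor convinces one that does not, while omitting the intermediate breaks validation for every client.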

  2. Daniel Richards 0 Reputation points
    2024-01-22T09:30:54.28+00:00

    To my understanding it seems that IIS based web servers only return depth0 and depth1 in any chain. So a leaf certificate (depth0) issued by an Intermediate (depth1), which itself was issued by a CA (depth2), will only ever return the chain to the client up to depth1. Other non-IIS web servers do return the full chain, I'm unsure why.
