Go Daddy Secure Certificate Authority - G2: What You Need to Know
I am aware there is a class file somewhere from Sun that will download and set up the cert in the local keystore so Java will trust it... but this is not only impractical for an app that will be deployed to multiple systems, it is just silly for a GoDaddy-signed cert.
Just as an update - this is indeed a GoDaddy problem (I've had lengthy support emails with them). They have 2 CA servers, one called Class 2 CA and the other called G2 CA. Their Class 2 CA signs all SHA-1 certificates, while the G2 CA signs all their SHA-2 certificates. This is where the problem lies - GoDaddy has not added their newer G2 CA server to the default Java truststore, causing default Java installations to not trust its authority and hence not trust your chained certificate. The work-around until GoDaddy adds the G2 CA server to the default truststore is to simply rekey your cert using SHA-1 so as to get a cert signed by the Class 2 CA server. Rekeying is free for GoDaddy customers until your cert expires (obviously).
According to GoDaddy support, as of July 2014, the correct root certificate was included in recent versions of Java 8, and in September 2014, Wayne Thayer of GoDaddy also said that the certificate "is scheduled to be added to Java in the next few months". I have checked the cacerts file in Java 8 for Mac OS downloaded from here, and it does indeed contain the SHA2 root certificate.
To get GoDaddy certificates to work in Java with SHA2 you will need to use their cross certificate in your chain, to chain the G2 (SHA2) root to the G1 (SHA1) root until Java decides to update their repository. The Cross Certificate bundle can be downloaded here:
Mr. Fixer is right. Install the "GoDaddy G1 to G2 Cross" certificate in your certificate bundle file along with the intermediate certificate. This allows GoDaddy SHA-2 certificates to be trusted by any client that recognizes the SHA-1 roots including Java. You can get this file from Once this is installed, Java will build a certificate chain from your certificate to the "GoDaddy Secure Server Certificate (Intermediate Certificate)" to the "GoDaddy G1 to G2 Cross Certificate" to the GoDaddy SHA-1 root. You can also find a bundle file containing the cross certificate in our repository. One last note on this option: The signatures on root certificates aren't checked so even though you're relying on a SHA-1 root, this is just as secure as a full SHA-2 certificate chain.
In theory, your software should work - since the intermediate certificate is signed by the class 2 authority and you have the class 2 authority in the default JDK certificate store. However, I have found that it just does not work unless you also add the intermediate certificate to your certificate store. Here is a link to a blog post describing a similar experience:
Hello! I have installed a GoDaddy SSL cert into my firewall (T50 running 12.0) and it works fine for the authentication page on port 4100 as well as for the SSLVPN. I just re-keyed it using a CSR from the T50. However, when I test it using multiple external sites, it shows a problem with the trust chain. One such site says "Trusted by Microsoft? No (unable to get local issuer certificate) UNTRUSTED" and "Trusted by Mozilla? No (unable to get local issuer certificate) UNTRUSTED." Others have similar wording and they look like the problem is the "Go Daddy Secure Certificate Authority - G2" cert. Does anyone else have a Firebox with a GoDaddy SSL cert that they can test? I think it is a red herring and would like to see what results others get. There were four certs in the GoDaddy download, and reviewing each one showed this order:
Go Daddy Class 2 Certification Authority
Go Daddy Root Certificate Authority - G2
Go Daddy Secure Certificate Authority - G2
mail.greggspublicdomain.net
There were three certs in the bundle, plus my actual cert, and I installed them from the bottom of the bundle cert file to the top (opened using Notepad++), then installed my cert:
More info: Note the first test site's comment that there is an "Extra download" for the "Go Daddy Secure Certificate Authority - G2" cert. That is the third one of the cert bundle to be imported... the top cert in the file.
GoDaddy SSL certs already in the Firebox (factory default):
Trusted CA for Proxies, Go Daddy Secure Certification Authority
Trusted CA for Proxies, Go Daddy Root Certificate Authority - G2
Trusted CA for Proxies, Go Daddy Class 2 Certification Authority
It works for what I need (the authentication page and SSLVPN), but shows errors when tested, leading me to believe I missed something.
"The certificate is not trusted in all web browsers. You may need to install an Intermediate/chain certificate to link it to a trusted root certificate." It also shows "Extra download" for the "Go Daddy Secure Certificate Authority - G2" cert.
"Trusted by Microsoft? No (unable to get local issuer certificate) UNTRUSTED" "Trusted by Mozilla? No (unable to get local issuer certificate) UNTRUSTED"
"This server's certificate chain is incomplete. Grade capped to B." "Trusted Yes" "Additional Certificates (if supplied) Certificates provided 1 (1359 bytes) Chain issues Incomplete"
Digging further, the clue I am getting is that "unable to get local issuer certificate" may be the key. I don't know if the SSL testing sites are trying to pull that cert from my Firebox, or if they are missing it on their own systems and cannot complete the chain. When viewing the mail.greggspublicdomain.net cert file, it shows "Issued by: Go Daddy Secure Certificate Authority - G2" and I think that is the "local issuer certificate" referenced by the tester. Going to my port 4100 authentication page in Chrome from my workstation behind the box, and hitting Ctrl-Shift-I to view the cert, it shows "The connection to this site is using a valid, trusted server certificate issued by Go Daddy Secure Certificate Authority - G2."
Chrome behind the Firebox can see that "Go Daddy Secure Certificate Authority - G2" cert, but I am wondering if the external testing sites are blocked, or if it is indeed on their end. I tested with my laptop from outside and Chrome sees the "Go Daddy Secure Certificate Authority - G2" issuer with no problems and works perfectly. So, it ***appears*** that the external sites cannot see the "Go Daddy Secure Certificate Authority - G2" issuer cert. I just don't know WHY they cannot see it.
The three Cs mean that the certificate in the DB is an authority for servers, e-mail and code signing. The certutil docs say that using 'C' for intermediate certificates is discouraged, and I didn't bother to check if that 'C' is needed at all. But having it doesn't break anything now the setup is done.
I downloaded the zip file from GoDaddy. If I import the .pem file or a converted .cer file, the certificate can be imported but is shown with a red X, "expected issuer". If I import a .p7b file, the new certificate is listed with a green check, but I cannot select the certificate for the User Portal or SSL VPN.
I found the issue. When you download the ZIP file from GoDaddy you get the gd_bundle_g2-g1.crt file with the CA information. I double-clicked it on a Windows PC, Details -> Save to File -> chose the "DER" format and saved this to disk. I added this new file "gd_bundle_g2-g1.cer" as a new "certificate authority" in Sophos and now it works.
The SSL protocol mandates that the SSL server provide the client with a server certificate for the client to perform server authentication. Cisco does not recommend use of a self-signed certificate because of the possibility that a user could inadvertently configure a browser to trust a certificate from a rogue server. There is also the inconvenience to users of having to respond to a security warning when they connect to the secure gateway. It is recommended to use trusted third-party CAs to issue SSL certificates to the ASA for this purpose.
If you allow a certificate to expire, the certificate becomes invalid, and you will no longer be able to run secure transactions on your website. The Certification Authority (CA) will prompt you to renew your SSL certificate prior to the expiration date.
This error message suggests that the client device does not have the required root certificate/intermediate certificate to establish trust with the certificate authority who issued the NetScaler Gateway server certificate.
Download or obtain the SSL root certificate/intermediate certificate (.crt/.cer) file issued by your SSL certificate provider. The root certificate/intermediate certificate can be downloaded from your SSL certificate provider's website or can be obtained on request. Usually the root certificate is present in the certificate bundle provided by your SSL service provider along with the intermediate and server certificates.
The system administrator might need to contact the certificate authority who sold the faulty certificate and inform them that the certificate is in violation of RFC 3280. Also ask the certificate authority to issue a new certificate that contains the following key usage value in addition to any other required values:
Server Authentication (1.3.6.1.5.5.7.3.1)
To mitigate, you can append the intermediate certificate to Firebox's CA bundle. Import it as a General Use certificate via FSM / View / Certificates / Import Certificate. Link to the certificate from GoDaddy's certificate repository: -ccp.godaddy.com/repository/gdig2.crt.pem
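The two chain problems this page keeps returning to, reproduced as an added example (not code from any of the posts or vendor notes quoted here): the "unable to get local issuer certificate" error a verifier reports when the server omits its intermediate, and the G1-to-G2 cross certificate that lets a client trusting only the older root validate a G2-issued chain. Every name and file below is a constructed stand-in built in a scratch directory; it assumes only a POSIX shell and the `openssl` CLI.

```shell
#!/bin/sh
# Added demonstration (not from any post above): a constructed PKI in a scratch
# directory mirroring the thread, with a "G1" root, a "G2" root, a G2-issued
# intermediate, a server leaf and a G1-issued cross certificate for the G2 key.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
Q() { "$@" >/dev/null 2>&1; }   # run a command quietly

# Extension profiles: issuing CAs must assert CA:TRUE, the leaf must not.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$WORK/leaf.ext"

# selfsigned NAME CN: a self-signed root certificate plus its key
selfsigned() {
  Q openssl genrsa -out "$WORK/$1.key" 2048
  Q openssl req -new -key "$WORK/$1.key" -subj "/CN=$2" -out "$WORK/$1.csr"
  Q openssl x509 -req -days 30 -in "$WORK/$1.csr" -signkey "$WORK/$1.key" \
    -extfile "$WORK/ca.ext" -out "$WORK/$1.crt"
}
# issue NAME CN ISSUER EXTFILE KEYFILE: certify KEYFILE's public key under ISSUER
issue() {
  Q openssl req -new -key "$5" -subj "/CN=$2" -out "$WORK/$1.csr"
  Q openssl x509 -req -days 30 -in "$WORK/$1.csr" -CA "$WORK/$3.crt" -CAkey "$WORK/$3.key" \
    -CAcreateserial -extfile "$WORK/$4" -out "$WORK/$1.crt"
}
# verify ROOT LEAF [EXTRA...]: prints OK or OpenSSL's failure reason. EXTRA certs
# are offered as untrusted chain material, exactly as a server's bundle would be.
verify() {
  root=$1; leaf=$2; shift 2; : > "$WORK/untrusted.pem"
  for c in "$@"; do cat "$WORK/$c.crt" >> "$WORK/untrusted.pem"; done
  if [ "$#" -gt 0 ]; then set -- -untrusted "$WORK/untrusted.pem"; else set --; fi
  if out=$(openssl verify -no-CApath -CAfile "$WORK/$root.crt" "$@" "$WORK/$leaf.crt" 2>&1); then echo OK
  else echo "$out" | grep -o 'unable to get [a-z ]*issuer certificate' | head -n 1; fi
}

selfsigned g1root "Demo Root CA - G1"
selfsigned g2root "Demo Root CA - G2"
Q openssl genrsa -out "$WORK/inter.key" 2048
issue inter "Demo Secure Certificate Authority - G2" g2root ca.ext "$WORK/inter.key"
Q openssl genrsa -out "$WORK/leaf.key" 2048
issue leaf "www.example.test" inter leaf.ext "$WORK/leaf.key"
issue cross "Demo Root CA - G2" g1root ca.ext "$WORK/g2root.key"   # the G1-to-G2 cross

echo "G2 root trusted, leaf alone:            $(verify g2root leaf)"
echo "G2 root trusted, leaf + intermediate:   $(verify g2root leaf inter)"
echo "G1 root trusted, leaf + intermediate:   $(verify g1root leaf inter)"
echo "G1 root trusted, + cross certificate:   $(verify g1root leaf inter cross)"
```

Point `verify` at your own root, leaf and bundle files to reproduce what the external testers report: the first failing case is exactly a server that sends only its leaf, and the last case is the cross-certificate bridge the GoDaddy reply above describes.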
If you prefer to create a separate management certificate for each HA node, then see CTP George Spiers' article "How to secure management access to NetScaler and create unique certificates in a highly available setup".