JOIN OUR AFFILIATE NETWORK

Join our affiliate network and become a local SSL expert

♦ learn more about our program ♦
Menu
picture of tbs certificates
picture of tbs certificates
Certificates
Our products range
Partners
Support
Focus


Disable Thawte PCA (2036) root

The recommendations listed on this page are not up to date. This root is a SHA1 compatibility root used by Thawte. Disabling it to use a cross-signed equivalent would cause certificate chain issues.

Some Microsoft products (such as IIS servers) have a root certification authority named "Thawte Primary Root CA" expiring in 2036 that interferes with Thawte server or developer certificates.

It makes the CO-piBot test fail (test a server certificate online ) even if the certification chain has been correctly installed. The problem being that instead of using the intermediate certificate "Thawte Primary Root CA (2020)", the server presents the root certificate "Thawte Primary Root CA (2036)".
To solve the issue the problematic root certificate must be disabled and the automatic update of the certification authorities deactivated (see Deactivate the certification authorities update on Windows 2003 and 2008).

Disable thawte Primary Root CA (2036)

1- Launch the MMC

  • Click   Start then select   Run and type mmc
  • Click on the   File menu and select   Add/Remove Snap in
  • Choose   Add, select   Certificates among the list of   Standalone Snap-in and click   Add
  • Choose   Computer Account and click   Next
  • Choose   Local Computer and click   Finish
  • Close the window and click OK on the previous window

2- Localize the certificate to disable

  • Deploy the hierarchy to go to Trusted Root Certification Authorities then Certificates
  • Among the list, spot the certificate
    	Common Name - thawte Primary Root CA
    	Expiry Date - 17th July 2036
    	Thumbprint - 91 c6 d6 ee 3e 8a c8 63 84 e5 48 c2 99 29 5c 75 6c 81 7b 81
    	
  • To disable the certificate, right-click on it and select properties
  • In the Certificate purposesarea, tick Disable all purposes for this certificate
  • Click OK. You can now stop the MMC.

3- Reboot the server

Under IIS6, stop and start the website can be enough, but generally the machine needs to be restart. Firstly stop and start the website then test your certificate with CO-piBot ( Test a server certificate online), if it does not work, reboot the machine.

If it still does not work, go back to the second step and disable Thawte 2036 root and reboot the machine.