Disable COMODO RSA Certification Authority (2038) root
The recommendations listed on this page are not up to date. This root is the current Comodo issuing root. This solution is to be used only in case of compatibility issues.
Some Microsoft products (such as IIS servers) have a root certification authority named "COMODO RSA Certification Authority" expiring in 2036 that interferes with COMODO RSA Certification Authority intermediate certificate expiring in 2020.
It makes the CO-piBot test fail (Test a server certificate online) even if the certification chain has been correctly installed. The problem being that instead of using the intermediate certificate "COMODO RSA Certification Authority (2020)", the server presents the root certificate "COMODO RSA Certification Authority (2038)".
To solve the issue, the problematic root certificate must be disabled and the automatic update of the certification authorities deactivated ( Deactivate the certification authorities update on Windows 2003 and 2008).
Disable COMODO RSA Certification Authority (2038) root
1- Launch the MMC
- Click Start then select Run and type mmc
- Click on the File menu and select Add/Remove Snap in
- Choose Add, select Certificates among the list of Standalone Snap-in and click Add
- Choose Computer Account and click Next
- Choose Local Computer and click Finish
- Close the window and click OK on the previous window
2- Locate the certificate to disable
- Deploy the hierarchy to go to Certificates
then Trusted Root Certification Authorities - Among the list, spot the certificate
Common Name - COMODO RSA Certification Authority Expiry Date - 18th January 2038 Thumbprint - AF:E5:D2:44:A8:D1:19:42:30:FF:47:9F:E2:F8:97:BB:CD:7A:8C:B4
- To disable the certificate, right-click on it and select properties
- In the Certificate purposes,
tick Disable all purposes for this certificate
- Click OK. You can now stop the MMC.
3- Reboot the server
Under IIS6, stop and start the website can be enough, but generally the machine needs to be restart. Firstly stop and start the website then test your certificate with CO-piBot ( test a server certificate online), if it does not work, reboot the machine.
If it still does not work, go back to the second step and disable COMODO RSA Certification Authority root and reboot the machine.
4 - Check your certificate installation with Co-Pibot:
On your certificate status page (on your Certificates center) you'll see a 'Check your certificate' button. Click it to test your certificate installation.
Or else, check with our tool CoPibot here:
https://www.tbs-certificates.co.uk/php/HTML/testssl_verif.php