
Unable to get certificate CRL

Overview

While renewing the SSL certificate, the new certificate is marked as Untrusted with an "Unable to get certificate CRL" warning. The Kerio Connect Configuration -> SSL certificates UI shows a yellow Invalid certificate mark.


The invalid certificate warning does not generate any log entries, and the issuer (Certification Authority) is the same for the old and the new certificate.

Prerequisites

Access to the Kerio Connect Administration

Diagnosis

When an intermediate CA is involved, you need to provide the CRLs for the full chain: both the CRL of the root CA and the CRL of the intermediate CA. You can do this either by concatenating those CRLs or by using SSLCARevocationPath to point to a directory. For more information, please refer to the Apache documentation.

Note: If you are using Let's Encrypt as the provider, please refer to the Let's Encrypt documentation.
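
The full-chain CRL requirement described above can be reproduced outside Kerio Connect with the OpenSSL command-line verifier, which reports the same "unable to get certificate CRL" message. This is an added example, not part of the original article; it assumes the openssl CLI is installed, and the CA names, host name and file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: throwaway PKI (root -> intermediate -> leaf); every name is constructed.
build_pki() (   # $1 = empty working directory
  cd "$1" || exit 1
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
default_ca = demo
[demo]
database = index.txt
default_md = sha256
default_crl_days = 7
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  : > index.txt
  new_csr() { openssl req -new -newkey rsa:2048 -nodes -config ca.cnf \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.csr"; }
  # Issue the chain, then let each CA publish its own (empty) CRL.
  {
    openssl req -x509 -newkey rsa:2048 -nodes -config ca.cnf -extensions v3_ca \
      -subj "/CN=Demo Root CA" -days 7 -keyout root.key -out root.crt &&
    new_csr int "Demo Intermediate CA" &&
    openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
      -extfile ca.cnf -extensions v3_ca -days 7 -out int.crt &&
    new_csr leaf "mail.example.test" &&
    openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
      -days 7 -out leaf.crt &&
    openssl ca -gencrl -config ca.cnf -cert root.crt -keyfile root.key -out root.crl &&
    openssl ca -gencrl -config ca.cnf -cert int.crt -keyfile int.key -out int.crl
  } >/dev/null 2>&1
)

# Verify the leaf with revocation checking on every certificate in the chain.
verify_leaf() (   # $1 = PKI directory, $2 = CRL file name inside it
  cd "$1" || exit 1
  openssl verify -crl_check_all -CAfile root.crt -untrusted int.crt \
    -CRLfile "$2" leaf.crt 2>&1
)

demo=$(mktemp -d) && build_pki "$demo" || exit 1
cat "$demo/root.crl" "$demo/int.crl" > "$demo/chain.crl"   # concatenated full-chain CRLs
echo "Intermediate CRL only:";  verify_leaf "$demo" int.crl || true
echo "Root + intermediate CRLs:"; verify_leaf "$demo" chain.crl
```

With only one of the two CRLs the verifier cannot check every certificate in the chain and reports the error; with the concatenated file the leaf verifies.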

Solution

The correct combined SSL certificate should be placed into the Kerio Connect sslca directory. The Kerio Connect service should be stopped before this procedure. For more information, please refer to Installing Intermediate SSL certificates.

Confirmation

The new SSL certificate is shown as trusted.

  1. Priyanka Bhotika
