DST Root missing from p12


Hi All,

I’m trying to wrap all my generated PEM files into a single .p12 file that I can import into my secure appliance (it only accept p12 files), but while import seems OK, the SSL handshake fails when accessing the web server because the p12 didn’t contain the DST root certificate. I could download it manually from elsewhere (and I did, actually, to fix my issue)

But I’d like to do it properly so what am I missing ?

For your information, I’m creating my p12 using this command :

openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -certfile cert.pem -out certificate.p12

When importing my p12 file on my appliance, I do see my certificate and also the Let’s Encrypt Authority X3 certificate. Only the DST root certificate is missing

Thanks a lot !


Of course, it is not included in fullchain.pem. You could try to download it and append it to fullchain.pem before creating the pkc12 file. I don’t know if this is correct though, because the root certificate should be accepted by the browser without being delivered from the server.

See this page for the certificate: https://letsencrypt.org/certificates/


Oh. So it’s “normal”. Maybe it’s my secure appliance which is more “strict” than a regular web server and which refuse to serve a certificate if it is not aware of the full chain.

Anyway, I guess I’ll continue as I do now then.

Thanks !


Can you say the name of the appliance? It might help people in future with a similar problem.


Yes of course. It’s an ISAM appliance (IBM Security Access Manager) and the specific component of the appliance which is using the SSL certificate is WebSEAL (a reverse proxy).

In the end, I simply imported my p12 file from the “Personal Certificates” tab, then I import the DST root certificate from the “Signer Certificates tab”.

I grabbed the DST Root certificate from this page : https://www.identrust.com/certificates/trustid/root-download-x3.html

Last but not least, ISAM is expecting a valid PEM file. So I had to enclose the certificate within appropriate -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines


Yes, providing a root in a chain is discouraged by Internet standards because if the relying party already knows about the root, it won’t need it to be sent by the server, while if the relying party doesn’t know about the root, it won’t be persuaded to trust it by receiving it in the chain. This is in a sense what it means to be a root CA.

If IBM isn’t already including the DST root in its trusted CA bundle, it might be good to get in touch with IBM about that because this is a relatively widely used and relatively widely trusted root.


This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.