I don’t see any options in Certify app for this, so now I guess I have to manually add some certificates. But I don’t understand which certificates should I manually add (root, cross-signed or what?) and at what part of the pem certificate?
That doesn’t seem right to me. The PKCS12 bundle should contain two certificates.
If you’re only seeing one certificate with that command, it means Certify the Web didn’t include an intermediate in the bundle. At that point, there’s nothing you can really do except fetch it manually.
Edit: I noticed that you downloaded the PFX from IIS. Can you try fetch it from Certify the Web instead?
Yes, the PFX from Certify The Web is a bundle containing the end-entity cert, the intermediates and the private key used for the certificate signing request (in this case that’s different for every cert). You can see the path to the current certificates PFX file under Show Advanced Options> Other Options and just copy that file and work with it directly.
The upcoming V5 of Certify The Web has a new Deployment Tasks UI feature which allows additional deployment tasks like exports to various formats and presets for popular servers like Apache and nginx as well as SSH/SFTP options for automated deployment to other services as part of the renewal process (optionally, they can also be deferred and run from the command line manually or as a scheduled task).
As an aside, what made you come to this forum for help instead of going to https://community.certifytheweb.com/ ? Just wondering if I need to make something more prominent on the website (depends how you found the app in the first place).