Error: "Unrecognized Certificate Authority Signature" when installing certificate into key ring

Solution ID:    SO14807    Updated:    07/04/2016


When you install a signed certificate into a key ring file, the following message appears:

"Unrecognized Certificate Authority signature"



The server certificate cannot be installed in your server key ring because the signature is from a CA that is not listed as a Trusted Root. This is due to one of the following:

1. A certificate for the signing CA is not present in your server key ring.
2. A certificate for the signing CA is present in your server key ring, but it is not marked as a Trusted Root. You can install the server certificate anyway, or you can exit for now to install the CA certificate in your server key ring and mark it as a Trusted Root.


To resolve this error, perform the following steps:
  1. Go to to download the root you require. Create a new text file (example.txt) and paste the certificate information into it, save and close.
  2. Rename the text file to example.cer.
  3. Open the example.cer file. Windows automatically associates it with an X.509 certificate and opens it with the Certificate Viewer.
  4. Switch to the "Certification Path" tab. This tab shows the hierarchy of the certificate.

  5. Choose the CA and click "View Certificate." You see a new Certificate dialog for the CA itself.
  6. Switch to the "Details" tab, click "Copy to File." This opens the Certificate Export Wizard.
  7. Click "Next." Choose "Base-64 encoded X.509 (.CER)." Click "Next." Choose a file name (c:\exampleca.cer). Click "Next." Click "Finish."

After you have the root certificate, perform the following steps:
  1. Open the Server Certificate Administration database. Choose step 3, "Install Trusted Root Certificate into Key Ring."
  2. Fill out the fields as shown in the screen capture below, changing the kyr file to the correct name (which should be the correct name by default). The Certificate Label is purely informational; a best practice is to match it to the CA issuer's common name.

  3. Click "Merge Trusted Root Certificate into Key Ring" and follow the prompts. This step imports the trusted root.
    * If you clicked OK when first receiving the "Unrecognized Certificate Authority signature" message, then the key ring file is ready and all steps are complete.
    * If you clicked Cancel to the message dialog, you need to repeat "Install Certificate into Key Ring" in the Server Certificate Administration database. 
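
Marking a CA certificate as a Trusted Root makes the key ring accept anything that CA signs, so it is worth checking the exported file before merging it. The following PowerShell check is an added example, not part of the original Thawte article: it confirms that the exported CA certificate is self-issued, that it appears in the server certificate's chain, and that its thumbprint matches the value the CA publishes. `C:\server.cer` and the thumbprint string are placeholders, and the function name `Test-RootForKeyRing` is hypothetical; `C:\exampleca.cer` is the export path used in the steps above.

```powershell
# Added example. C:\server.cer and the published thumbprint are placeholders;
# C:\exampleca.cer is the file exported with the Certificate Export Wizard above.
function Test-RootForKeyRing {
    param(
        [Parameter(Mandatory)] [string] $ServerCertPath,
        [Parameter(Mandatory)] [string] $RootCertPath,
        [Parameter(Mandatory)] [string] $PublishedThumbprint
    )
    $ns     = 'System.Security.Cryptography.X509Certificates'
    $server = New-Object "$ns.X509Certificate2" -ArgumentList $ServerCertPath
    $root   = New-Object "$ns.X509Certificate2" -ArgumentList $RootCertPath

    # A root CA certificate is self-issued: its subject and issuer names are identical.
    $selfIssued = [Convert]::ToBase64String($root.SubjectName.RawData) -eq
                  [Convert]::ToBase64String($root.IssuerName.RawData)

    # Build the server certificate's chain with the exported CA file available.
    # Windows is not required to trust the CA already, and no revocation lookup is made.
    $chain = New-Object "$ns.X509Chain"
    $chain.ChainPolicy.RevocationMode    = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    [void]$chain.ChainPolicy.ExtraStore.Add($root)
    $built   = $chain.Build($server)
    $inChain = @($chain.ChainElements |
                 ForEach-Object { $_.Certificate.Thumbprint }) -contains $root.Thumbprint

    # Compare the SHA-1 thumbprint with the value obtained from the CA out of band.
    # Spaces and colons are stripped so either common notation is accepted.
    $expected = ($PublishedThumbprint -replace '[\s:]', '').ToUpperInvariant()
    $matches  = $root.Thumbprint.ToUpperInvariant() -eq $expected

    [pscustomobject]@{
        RootSubject       = $root.Subject
        RootThumbprint    = $root.Thumbprint
        RootNotAfter      = $root.NotAfter
        SelfIssued        = $selfIssued
        ChainBuilt        = $built
        RootInServerChain = $inChain
        ThumbprintMatches = $matches
        ChainStatus       = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        SafeToMerge       = $selfIssued -and $built -and $inChain -and $matches
    }
}

Test-RootForKeyRing -ServerCertPath 'C:\server.cer' -RootCertPath 'C:\exampleca.cer' `
    -PublishedThumbprint '<SHA-1 thumbprint published by the CA>'
```

Merge the file into the key ring only when `SafeToMerge` is `True`; a `False` value in any of the individual fields shows which check failed.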


Thawte has made efforts to ensure the accuracy and completeness of the information in this document. However, Thawte makes no warranties of any kind (whether express, implied or statutory) with respect to the information contained herein. Thawte assumes no liability to any party for any loss or damage (whether direct or indirect) caused by any errors, omissions, or statements of any kind contained in this document. Further, Thawte assumes no liability arising from the application or use of the product or service described herein and specifically disclaims any representation that the products or services described herein do not infringe upon any existing or future intellectual property rights. Nothing herein grants the reader any license to make, use, or sell equipment or products constructed in accordance with this document. Finally, all rights and privileges related to any intellectual property right described herein are vested in the patent, trademark, or service mark owner, and no other person may exercise such rights without express permission, authority, or license secured from the patent, trademark, or service mark owner. Thawte reserves the right to make changes to any information herein without further notice.  
