So, I just ran through the entire process again, and had GoDaddy Re-Key the certificate. This was a pain in the butt since it took them several hours to verify everything.

Once I did that, everything worked perfectly.

All of this to say, THIS TIME: I kept a copy of my original ssl.key BEFORE adding in any of the certificates. So, hopefully in 2 years when this happens again, I can just take a copy of that file and add the 3 cert files.





Although I successfully submit the CSR (generated by keytool) and get a response, I can't for the life of me figure out how to get the mycert.cer file. There is an option to download a PEM file. But after running the above command, I get the error "keytool error: java.lang.Exception: Incomplete certificate chain in reply". I've tried this multiple times, and double-checked I'm using the proper keystore. I've even tried re-keying using both SSH-1 one time, and then SSH-2 the other time. According to this person ( -a-jar-the-signers-certificate-chain-is-not-validated?rq=1), they were able to at least successfully import the PEM file. But I'm not sure if this is even the right approach.

If I use Internet Explorer or Firefox, I believe I can automatically generate a CSR instead of creating one through keytool. Then I'd export the certificate through the web browser. From reading various other online documents, I believe I could then use openssl to convert to the proper format for keytool. I'm not sure on the details of how this will work yet, but I don't see any other options.

The workaround is to contact GoDaddy and have them reissue your organization's certificate. During the certificate setup process, you must select a SHA-1 codesign certificate instead of SHA-2. The option to select SHA-1 will only be available if your certificate validity does not extend to 2016 (see below), so make sure they understand your end goal is to recreate your SHA-2 certificate as SHA-1, so they know to sell you a cert with the correct validity period.

GoDaddy informed me Keytool may have trouble importing a certificate response chain generated from their SHA-2 (2048 length) codesign certificate. I withhold judgment of Keytool since it imports SHA-2 certs fine when GoDaddy's root SHA1 cert is lopped from the pem file per @mogsie's answer.

GoDaddy goes with SHA-2 automatically when it grants codesign certificates that will extend into 2017 because Microsoft will not accept less than SHA-2 beginning January 1, 2016, so if you're in the market for a SHA-1 certificate, it will have short-term validity.

The answer, as mentioned by Waterbear, is to have your GoDaddy cert reissued or rekeyed by GoDaddy using SHA-1. The reason is that GoDaddy has two CA servers: Class 2 CA which is used for signing SHA-1 certificates, and G2 CA which is used for signing SHA-2 certificates. While the older Class 2 CA is trusted by the Java Truststore (and thus SHA-1 certificates are trusted), the newer G2 CA is not, so its SHA-2 certificates are not trusted unless you manually install its root certificate (which defeats the purpose of buying a cert in the first place). Hopefully GoDaddy's G2 CA becomes trusted by the Java Truststore soon (Before 2016!), but until that happens a GoDaddy SHA-2 cert is no better than a self-signed cert.

Since I enjoyed (not) the process of creating a code-signing certificate so much, I thought I would share the process I went thru, and hopefully when you need to generate your own, this will save you some of the heartache and pain.

jarsigner -keystore /home/oracle/code_sign_cert_from_godaddy/godaddy_jks.jks -storepass yourpassword -signedjar /home/oracle/Oracle/Middleware/Oracle_FRHome1/forms/java/test_jacob/Signedjacob1.jar jacob1.jar "lehigh carbon community college's godaddy.com, inc. id" (this alias came from the firefox process above)

@Waterbear Thanks so much for your solution about getting an SHA-1 certificate instead of SHA-2. This was definitely the problem I was having. (I would have posted this underneath your comment, but StackOverflow said it was way too long.) I had gotten a 3-year certificate, and by default GoDaddy gives an SHA-2 for certificates expiring after a certain date. However, even when I re-keyed and asked for an SHA-1, I still ended up with an SHA-2. I had to revoke my certificate and then start the process from scratch to get an SHA-1 certificate. (By starting from scratch, I mean GoDaddy must again verify your company and phone number and all that.) By the way, if you do revoke your certificate, make sure you ask GoDaddy for permission first because technically they don't have to give you a refund. In addition, I wasn't able to get a 3-year certificate because anything that expires after a certain date (2016?) must be SHA-2 and not SHA-1. I basically had to get a refund for my 3-year certificate and instead get a 1-year certificate to even have the SHA-1 option. But after going with SHA-1, GoDaddy's instructions in approach #1 worked fine. I would recommend generating your CSR manually using the keytool command (instead of automatically through a web browser). Later, you just download the PEM file and import it into the keystore using the keytool command. (This is what GoDaddy describes in "approach 1" in the link posted in the question.)

Lastly if you do have to have a certificate reissued, and go through this process again, I would highly recommend choosing another company besides GoDaddy for code-signing. Their tech support was absolutely horrendous. Their support techs even admitted to me they weren't trained in this. The hours spent on this issue greatly offset any money saved on the cert.

The downloaded PEM file contains my signed certificate along with others in the certificate chain. I found keytool would not accept the PEM file as downloaded. I had to remove my certificate from the downloaded certificate. I did this via Key Store Explorer ( -explorer.sourceforge.net/). Use the "Examine a Certificate" option, open the PEM file received from GoDaddy (1b27b7d7a29a06.pem), click on your certificate (not one of the others from GoDaddy), click on "PEM", click on "Export". I named this certificate 1b27b7d7a29a06-mycert.pem.

I had the certificate error (CA not trusted) using the Chrome/FF Java plugin to deploy an application from my webserver (so not a Java applet). The problem was solved for me when adding other GoDaddy (intermediate) CA certs to my web server. I created a ticket with GoDaddy and they responded (quite rapidly):

Thank you for contacting secure certificate support. You will need to use the intermediate certificate bundle with the cross certificate and the G1 root certificate. This will resolve this issue. You can obtain the certificates listed below at

This tool will check if your website is properly secured by an SSL certificate, including the IP it resolves to, the validity date of the SSL certificate securing it, the CA the SSL certificate was issued by, the subject information in the certificate, and determine if the chain of trust has been established.

I ran into an interesting problem. We have a PHP script that contacts a LTL shipper ( ). That script has been failing because it can't validate the SSL certificate. I went to the site and found they were using a GoDaddy SHA2 certificate (uses the GoDaddy Certificate Bundles - G2, which is what is used for SHA2).

I have the latest version of ca-certificate installed and it looks like they have Go Daddy Root Certificate Authority - G2 but that's not the same thing and fails in all forms of validation. I was able to finally get it to work by copying the bundle and directly using that in a CURL request. But this is simply a workaround. Is there something else I'm missing that could make this work without installing the CA directly?

This would appear to be a configuration mistake on their part. It is definitely something that can be expected to cause compatibility issues as you are really only supposed to rely on clients having the root certificates in place beforehand.


I would say that your main options are to either try to convince the service provider to fix their service or work around the problem on your end by providing the client with the certificates that their server was expected to provide.

I downloaded the zip file from GoDaddy. If I import the .pem file or a converted .cer file, the certificate can be imported but will be shown with a red X "expected issuer". If I import a .p7b file the new certificate is listed well with a green check. But I cannot select the certificate for User Portal or SSL-VPN.

I found the issue. When you download the ZIP file from GoDaddy you'll have the gd_bundle_g2-g1.crt file with the CA information. I double-clicked on it on a Windows PC, Details -> Save to File -> Choose "DER" format and saved this to the disk. I added this new file "gd_bundle_g2-g1.cer" as a new "certificate authority" in Sophos and now it works.

Some of our users are getting blocked access to websites due to SSL certificate errors in our environment. The problem seems to stem from one GoDaddy Intermediate CA cert "Issuer: Go Daddy Secure Certificate Authority - G2".

I've tried uploading the certificate in question onto the firewall as I know some intermediate certs require that, but after troubleshooting further I think it's an issue with the IDP not being present in the CRL for that cert.

Thus far the only solution has been to wait for users to flag sites and then not decrypt them, but this isn't ideal. I doubt that every PA is having similar problems with this GoDaddy intermediate certificate so was wondering if anyone has any ideas, I feel like I'm missing something.

Intermediate certificates are used as a stand-in for our root certificate. We use intermediate certificates as a proxy because we must keep our root certificate behind numerous layers of security, ensuring its keys are absolutely inaccessible.

How you install the certificates depends on the server software you use. In most cases, you can download and install an intermediate certificate bundle. However, for some server types you must download and install the two intermediate certificates individually. Please refer to the Install my SSL certificate for the specific process you should follow.
