An unknown CA is a CA that is not already defined in the key database or in the CustomizedCAs.p12 file or in CustomizedCAs.class. To obtain and use a certificate issued by an unknown CA:
After creating and submitting a certificate request to a CA, you can create a self-signed certificate to use while you wait to receive the CA's certificate.
To create the certificate request:
When a certificate expires, follow the renewal procedures specified by the CA for that certificate.
Start a browser and type the URL of the CA from whom you want to obtain the certificate, then follow the instructions to request the certificate.
Depending on the CA you choose, you can either e-mail the certificate request or incorporate it into the form or file provided by the CA. At the same time, ask for the CA's root certificate, though you can often get this directly from the Web site.
While you are waiting for the CA to process your certificate request, you can create a self-signed root certificate to use temporarily.
When you receive the certificates, make sure that they are in armored-64 or binary DER format. Only certificates in these formats can be stored in the key database. The Certificate Management program can only accept simple certificates. It cannot accept certificate chains or PKCS7 data. The armored-64 form of a simple certificate starts with "----BEGIN CERTIFICATE----" and ends with "----END CERTIFICATE----".
Use Certificate Management to store certificates in the key database. You must store the root certificate before you store the server certificate because the root certificate is used to validate the server certificate.