Whilst preparing a new Windows 2012R2 server for production I needed to install a (GlobalSign Domain) SSL certificate for the website powering our application. I did this by generating a certificate request, submitting to GlobalSign, then completing the request using the PEM formatted issued certificate.
Normally I would also have to go and grab the relevant GlobalSign DomainSSL intermediate certificate and install that as well. However the relevant intermediate certificate seemed to get automatically installed as soon I configured my IIS site bindings.
I know for a fact that the intermediate certificate wasn't present in the local computer certificate store under:
Intermediate Certification Authorities -> Certificates
…in the Certificates MMC snap-in.
I checked first and then when it magically appeared I ran through my SSL certificate .pfx import and IIS binding config on a virgin 2012R2 server and confirmed that the intermediate certificate had indeed automatically been installed.
I don't remember this happening with Windows 2008/R2. Is this a new feature, or something that is turned on by default that wasn't previously?
Update:
HBruijn's answer explains away the appearance of the intermediate certificate on my second "virgin" server mentioned above. I did indeed export the certificate as a .pfx file and imported it on the other server. Checking with the openssl tool reveals the presence of the root and intermediate certs.
However… on the original server I completed a pending certificate request and only loaded the "PEM" formatted certificate. This does not include the root/intermediate certificates (I checked with openssl).
Best Answer
You imported the intermediate certificate together with SSL certificate.