When you create a certificate signing request, send it to a third-party issuer to be signed, and receive the server certificate from the third-party issuer. You sometimes receive a -1226 error when you try to import the signed certificate. You receive this error when the issuer does not send the trusted roots required to validate the issuer of the server certificate.
Use one of the following options to resolve this issue:
If the issuer included the trusted root and any intermediate certificates in a separate file or files, specify these files during the import by clicking the + character that allows you to add a trusted root or an intermediate certificate.
If the issuer did not send you any additional files, you can go to the issuer’s website, download them, then specify these files during the import by clicking the + character that allows you to add a trusted root or an intermediate certificate.
You can try importing the certificate into Internet Explorer, which has the trusted roots from all major CAs, then export the certificate with the required chain of trusted roots. See Using Internet Explorer to Add a Trusted Root Chain.