Importing incomplete certificates into User Key Store

As of Niagara 4.15, you can import certificates with incomplete chains into the User Key Store; previously such imports failed with an error. Certificates with incomplete chains that are already in the User Key Store can be used as server certificates by services such as the Fox Service, Web Service, niagarad and others. Certificates with incomplete chains may also be used as client certificates for authentication.

Overview

This enhancement offers you increased flexibility when importing and utilizing certificates within Niagara. Some companies choose not to share the public certificate of their Certificate Authority (CA), which can hinder the ability to build a complete certificate chain. Previously, this prevented certificate imports into Niagara.

Importing a certificate with an incomplete chain

The import procedure does not change; the difference is that the import now succeeds when the certificate has an incomplete chain. The certificate's icon in the Certificate Manager view displays an additional badge to indicate the incomplete chain.

The Certificate Management view in Niagara Workbench includes an optional Full Cert Chain column, which you can add by selecting Full Cert Chain from the drop-down menu in the upper right corner.

The Full Cert Chain column displays true for certificates with complete chains and false for certificates without complete chains.

Best practices

When validating certificates, the validating entity should confirm a chain of trust from a certificate it trusts to the certificate chain presented by the other party. If an incomplete chain is presented, full verification may not be possible. While a complete chain is recommended for improved interoperability, many scenarios accept incomplete chains, including BACnet/SC applications.

Security considerations

The use of an incomplete certificate chain does not in itself represent a security risk. The validation process still attempts to establish a chain of trust. However, an incomplete chain might prevent the validating party from forming that trust, which can affect connections for certain applications.