Solved

Root CA on Windows Server 2008 not trusted

Posted on 2011-03-03
3
Medium Priority
3,077 Views
Last Modified: 2012-05-11
I have installed an enterprise root CA on a Server 2008 Standard Domain Controller. The CA is giving out certificates fine and people can log into OWA using certificates given out by this CA, so all seemed to be working fine.
Then one of our programs stopped functioning, complaining it can't set up encrypted connections. This led to an extensive search that left me with more questions than answers.
So first I used "certutil -dump" on a client and it looked all right.
 
402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
Entry 0:
  Name:                   	`vanderwaal-DCWP01-CA'
  Organizational Unit:    	`'
  Organization:           	`'
  Locality:               	`'
  State:                  	`'
  Country/region:         	`'
  Config:                 	`DCWP01.vanderwaal.local\vanderwaal-DCWP01-CA'
  Exchange Certificate:   	`'
  Signature Certificate:  	`'
  Description:            	`'
  Server:                 	`DCWP01.vanderwaal.local'
  Authority:              	`vanderwaal-DCWP01-CA'
  Sanitized Name:         	`vanderwaal-DCWP01-CA'
  Short Name:             	`vanderwaal-DCWP01-CA'
  Sanitized Short Name:   	`vanderwaal-DCWP01-CA'
  Flags:                  	`1'
CertUtil: -dump command completed successfully.


DCWP01.vanderwaal.local is the right server, so that looks all right.
402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER
ChainContext.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER
SimpleChain.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT
CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=20
  Issuer: CN=vanderwaal-DCWP01-CA, DC=vanderwaal, DC=local
  Subject: CN=vanderwaal-DCWP01-CA, DC=vanderwaal, DC=local
  CertContext.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER
  CertContext.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED
  CertContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER
  CertContext.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT
Subject: CN=vanderwaal-DCWP01-CA, DC=vanderwaal, DC=local
Er is een certificaatketen verwerkt, maar de keten is beëindigd in een basiscertificaat dat niet door de vertrouwenslijstprovider wordt vertrouwd. 0x800b0109 (-2146762487)
No CA's listed on domain
314.687.0: 0x80092004 (-2146885628)
314.1752.0: 0x80092004 (-2146885628)
CertUtil: -TCAInfo command FAILED: 0x80092004 (-2146885628)
CertUtil: Kan object of eigenschap niet vinden
301.3128.0: 0x80092004 (-2146885628)


This part is the first part where I'm getting puzzled. It's a Dutch client, but the translation of the error roughly comes down to: "worked through certificate chain, but chain ends in a certificate that's not trusted. 0x800b0109". So I searched on that error, but the first 20 pages didn't solve it.
Also the thing that worried me is "No CA's listed on domain"; after this I moved on to the server.
"CertUtil -dump" on the server is the same as on the client, no weird stuff there. The only differences are the fact that there is a signature certificate and that flags is 13 instead of 1.
"CertUtil -TCAInfo" gives this:
 
================================================================
CA-naam: vanderwaal-DCWP01-CA

Computernaam: DCWP01.vanderwaal.local

Active Directory Domain Services-locatie: CN=vanderwaal-DCWP01-CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=vanderwaal,DC=local

DN-naam van certificaat: CN=vanderwaal-DCWP01-CA, DC=vanderwaal, DC=local

Geldigheidsperiode van CA-register: 2 Years -- 3-3-2013 9:51
 Niet na: 17-2-2021 16:02

Verbinding maken met DCWP01.vanderwaal.local\vanderwaal-DCWP01-CA
De interface ICertRequestvanderwaal-DCWP01-CA van de server 2 is actief

  Basis-CA van onderneming

dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_NT_AUTH
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=vanderwaal-DCWP01-CA, DC=vanderwaal, DC=local
  NotBefore: 17-2-2011 15:52
  NotAfter: 17-2-2021 16:02
  Subject: CN=vanderwaal-DCWP01-CA, DC=vanderwaal, DC=local
  Serial: 44510ae1e963ad84428c7d8e2c8ecfc5
  Template: CA
  71 d9 e5 4f 25 21 81 d7 7e 23 e2 7e 8c f0 71 eb 98 0a d1 82
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

Exclude leaf cert:
  da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
Full chain:
  71 d9 e5 4f 25 21 81 d7 7e 23 e2 7e 8c f0 71 eb 98 0a d1 82
  Issuer: CN=vanderwaal-DCWP01-CA, DC=vanderwaal, DC=local
  NotBefore: 17-2-2011 15:52
  NotAfter: 17-2-2021 16:02
  Subject: CN=vanderwaal-DCWP01-CA, DC=vanderwaal, DC=local
  Serial: 44510ae1e963ad84428c7d8e2c8ecfc5
  Template: CA
  71 d9 e5 4f 25 21 81 d7 7e 23 e2 7e 8c f0 71 eb 98 0a d1 82
Een certificaatketen is goed verwerkt, maar een van de CA-certificaten wordt niet door de beleidsprovider vertrouwd. 0x800b0112 (-2146762478)
------------------------------------

Ondersteunde certificaatsjablonen
Certificaattype[0]: DirectoryEmailReplication (Replicatie van e-mail in directory)
Certificaattype[1]: DomainControllerAuthentication (Domeincontrollerverificatie)
Certificaattype[2]: EFSRecovery (EFS-herstelagent)
Certificaattype[3]: EFS (Standaard-EFS)
Certificaattype[4]: DomainController (Domeincontroller)
Certificaattype[5]: WebServer (Webserver)
Certificaattype[6]: Machine (Computer)
Certificaattype[7]: User (Gebruiker)
Certificaattype[8]: SubCA (Onderliggende certificeringsinstantie)
Certificaattype[9]: Administrator (Administrator)
Gevalideerde certificaattypen: 10

================================================================
DCWP01.vanderwaal.local\vanderwaal-DCWP01-CA:
  Basis-CA van onderneming
  Een certificaatketen is goed verwerkt, maar een van de CA-certificaten wordt niet door de beleidsprovider vertrouwd. 0x800b0112 (-2146762478)
  Online

CertUtil: - de opdracht TCAInfo is voltooid.


Again it says the chain ends in a non-trusted certificate. This totally puzzles me: the "chain" is 1 certificate, the server's own certificate, made and signed by the server itself.
I think I tried to check almost everything. Checking Enterprise PKI, the certificate is in the AD containers NTAuthCertificates, AIA, CDP, Certificate Authorities and signup services; the only one it's not in is KRA.
Using the MMC for certificates, the certificate is in the Trusted Root Certification Authorities folder twice, once with a little key symbol, once without.

I have no clue where to check next, and I'm totally lost as to why the server does not trust the certificate it made itself.
Question by:MathijsV
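The checks walked through by hand above (decoding the certutil chain status, comparing the AD-published CA certificate with the copies in the Trusted Root store, and seeing which of those copies carries a private key) can be put into one read-only script. The following is an added example and is not code from the question or from any reply in this thread. It assumes an elevated PowerShell prompt on a domain-joined machine, the CA name taken from the question as its default, and the standard CN=Certification Authorities container under the forest configuration partition; the flag values are the CryptoAPI constants from wincrypt.h, of which only 0x4, 0x8, 0x100 and 0x20 appear in the question's own output.

```powershell
# Added example, not code from the original question or its replies.
# Read-only trust check for an enterprise root CA on the local machine:
#   1. decodes the raw dwInfoStatus / dwErrorStatus numbers certutil prints,
#   2. lists the CA certificates published in AD (CN=Certification Authorities),
#   3. lists every copy in LocalMachine\Root for that CA name, with private-key state,
#   4. builds the chain for each AD-published certificate in the machine context.
# Assumptions: elevated PowerShell on a domain-joined machine; CA name defaults to the
# one in the question; standard container path under the configuration partition.
# Nothing is written to AD or to any certificate store.
param(
    [string]$CaName = 'vanderwaal-DCWP01-CA'
)

# CryptoAPI trust-status bits (values from wincrypt.h); a subset, enough for this case.
$ErrorBits = @{
    0x1       = 'CERT_TRUST_IS_NOT_TIME_VALID'
    0x4       = 'CERT_TRUST_IS_REVOKED'
    0x8       = 'CERT_TRUST_IS_NOT_SIGNATURE_VALID'
    0x10      = 'CERT_TRUST_IS_NOT_VALID_FOR_USAGE'
    0x20      = 'CERT_TRUST_IS_UNTRUSTED_ROOT'
    0x40      = 'CERT_TRUST_REVOCATION_STATUS_UNKNOWN'
    0x10000   = 'CERT_TRUST_IS_PARTIAL_CHAIN'
    0x1000000 = 'CERT_TRUST_IS_OFFLINE_REVOCATION'
}
$InfoBits = @{
    0x1    = 'CERT_TRUST_HAS_EXACT_MATCH_ISSUER'
    0x2    = 'CERT_TRUST_HAS_KEY_MATCH_ISSUER'
    0x4    = 'CERT_TRUST_HAS_NAME_MATCH_ISSUER'
    0x8    = 'CERT_TRUST_IS_SELF_SIGNED'
    0x100  = 'CERT_TRUST_HAS_PREFERRED_ISSUER'
    0x4000 = 'CERT_TRUST_IS_CA_TRUSTED'
}

function ConvertFrom-TrustStatus {
    # Map a hex value such as "10c" or "20" from certutil output onto flag names.
    param([string]$Hex, [hashtable]$Table)
    $value = [Convert]::ToInt32($Hex, 16)
    $names = foreach ($bit in ($Table.Keys | Sort-Object)) {
        if (($value -band $bit) -ne 0) { $Table[$bit] }
    }
    if ($names) { $names -join ' | ' } else { '(no bits set)' }
}

function Get-CaCertsFromAd {
    # Read the cACertificate attribute of the CA's object in the forest configuration partition.
    param([string]$Name)
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $path = "LDAP://CN=$Name,CN=Certification Authorities,CN=Public Key Services,CN=Services,$configNc"
    try {
        $entry = New-Object System.DirectoryServices.DirectoryEntry($path)
        foreach ($raw in $entry.Properties['cACertificate']) {
            New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
        }
    } catch {
        Write-Host ("Could not read {0}: {1}" -f $path, $_.Exception.Message)
    }
}

function Test-EnterpriseCaTrust {
    param([string]$Name)
    $adCerts = @(Get-CaCertsFromAd -Name $Name)
    Write-Host ("CA certificates published in AD for {0}: {1}" -f $Name, $adCerts.Count)
    foreach ($c in $adCerts) {
        Write-Host ("  AD   thumbprint {0}  valid {1:yyyy-MM-dd} to {2:yyyy-MM-dd}" -f $c.Thumbprint, $c.NotBefore, $c.NotAfter)
    }

    # Every copy in the machine's Trusted Root store with this CA name. The "little key
    # symbol" in the certificates MMC corresponds to HasPrivateKey being True.
    $rootCerts = @(Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -eq "CN=$Name" -or $_.Subject -like "CN=$Name,*" })
    Write-Host ("Entries in LocalMachine\Root with subject CN={0}: {1}" -f $Name, $rootCerts.Count)
    foreach ($c in $rootCerts) {
        $inAd = $adCerts | Where-Object { $_.Thumbprint -eq $c.Thumbprint }
        Write-Host ("  ROOT thumbprint {0}  hasPrivateKey={1}  publishedInAD={2}" -f $c.Thumbprint, $c.HasPrivateKey, [bool]$inAd)
    }

    # Build the chain for each AD-published certificate in the local machine context;
    # revocation is skipped so that only the trust anchor question is answered.
    foreach ($c in $adCerts) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $ok = $chain.Build($c)
        $status = if ($chain.ChainStatus.Count -eq 0) { 'NoError' }
                  else { ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ' }
        Write-Host ("  chain build for {0}: ok={1} status={2}" -f $c.Thumbprint, $ok, $status)
    }
}

# The two raw values from the client-side certutil output in the question.
Write-Host ("dwInfoStatus=10c  -> " + (ConvertFrom-TrustStatus -Hex '10c' -Table $InfoBits))
Write-Host ("dwErrorStatus=20  -> " + (ConvertFrom-TrustStatus -Hex '20' -Table $ErrorBits))
Test-EnterpriseCaTrust -Name $CaName
```

The two thumbprint lists are the point of the script: a Trusted Root entry whose thumbprint is not among the AD-published certificates, or an AD-published certificate with no matching Trusted Root entry, is exactly the situation in which CryptoAPI reports CERT_TRUST_IS_UNTRUSTED_ROOT for a one-element, self-signed chain, and the chain-build line shows the same status names that certutil prints. Run it on both the CA server and an affected client and compare the output.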
3 Comments
 

Author Comment

by:MathijsV
ID: 35058108
Just some extra info: when running the Best Practices Analyzer included with 2008 R2 on Certificate Services, it instantly returns with (translated from Dutch): "Scan of analyse function for best practices failed, hexadecimal value 0x1F is an invalid character".
All other best practices scans complete without trouble on the same server.
 

Accepted Solution

by: MathijsV (earned 0 total points)
ID: 35216148
An official case has been opened with Microsoft; after a 3-hour-long desktop-sharing session it's still not fixed. So I think the question went a bit above the scope of Experts Exchange.
 

Author Closing Comment

by:MathijsV
ID: 35216153
Not fixed, but Microsoft is looking at it; not expecting an answer from EE anymore.
