Solved

Root CA on Windows Server 2008 not trusted

Posted on 2011-03-03
2,869 Views
Last Modified: 2012-05-11
I have installed an enterprise root CA on a Server 2008 Standard Domain Controller. The CA is giving out certificates fine and people can log into OWA using certificates given out by this CA, so all seemed to be working fine.
Then one of our programs stopped functioning, complaining it can't set up encrypted connections; this led to an extensive search that left me with more questions than answers.
So first I used "certutil -dump" on a client and it looked all right.
 
402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
Entry 0:
  Name:                   	`vanderwaal-DCWP01-CA'
  Organizational Unit:    	`'
  Organization:           	`'
  Locality:               	`'
  State:                  	`'
  Country/region:         	`'
  Config:                 	`DCWP01.vanderwaal.local\vanderwaal-DCWP01-CA'
  Exchange Certificate:   	`'
  Signature Certificate:  	`'
  Description:            	`'
  Server:                 	`DCWP01.vanderwaal.local'
  Authority:              	`vanderwaal-DCWP01-CA'
  Sanitized Name:         	`vanderwaal-DCWP01-CA'
  Short Name:             	`vanderwaal-DCWP01-CA'
  Sanitized Short Name:   	`vanderwaal-DCWP01-CA'
  Flags:                  	`1'
CertUtil: -dump command completed successfully.


DCWP01.vanderwaal.local is the right server, so that looks all right.
402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER
ChainContext.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER
SimpleChain.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT
CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=20
  Issuer: CN=vanderwaal-DCWP01-CA, DC=vanderwaal, DC=local
  Subject: CN=vanderwaal-DCWP01-CA, DC=vanderwaal, DC=local
  CertContext.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER
  CertContext.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED
  CertContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER
  CertContext.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT
Subject: CN=vanderwaal-DCWP01-CA, DC=vanderwaal, DC=local
A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487)
No CA's listed on domain
314.687.0: 0x80092004 (-2146885628)
314.1752.0: 0x80092004 (-2146885628)
CertUtil: -TCAInfo command FAILED: 0x80092004 (-2146885628)
CertUtil: Cannot find object or property.
301.3128.0: 0x80092004 (-2146885628)


This is the first part where I'm getting puzzled. It's a Dutch client, but the translation of the error roughly comes down to: "worked through certificate chain, but chain ends in a certificate that's not trusted. 0x800b0109". So I searched on that error, but the first 20 pages didn't solve it.
Also, the thing that worried me is "No CA's listed on domain"; after this I moved on to the server.
"CertUtil -dump" on the server is the same as on the client, no weird stuff there. The only differences are that there is a signature certificate and flags is 13 instead of 1.
"CertUtil -TCAInfo" gives this:
 
================================================================
CA Name: vanderwaal-DCWP01-CA

Machine Name: DCWP01.vanderwaal.local

Active Directory Domain Services Location: CN=vanderwaal-DCWP01-CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=vanderwaal,DC=local

Cert DN: CN=vanderwaal-DCWP01-CA, DC=vanderwaal, DC=local

CA Registry Validity Period: 2 Years -- 3-3-2013 9:51
 Not After: 17-2-2021 16:02

Connecting to DCWP01.vanderwaal.local\vanderwaal-DCWP01-CA
The ICertRequest interface vanderwaal-DCWP01-CA of server 2 is alive

  Enterprise Root CA

dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_NT_AUTH
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=vanderwaal-DCWP01-CA, DC=vanderwaal, DC=local
  NotBefore: 17-2-2011 15:52
  NotAfter: 17-2-2021 16:02
  Subject: CN=vanderwaal-DCWP01-CA, DC=vanderwaal, DC=local
  Serial: 44510ae1e963ad84428c7d8e2c8ecfc5
  Template: CA
  71 d9 e5 4f 25 21 81 d7 7e 23 e2 7e 8c f0 71 eb 98 0a d1 82
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

Exclude leaf cert:
  da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
Full chain:
  71 d9 e5 4f 25 21 81 d7 7e 23 e2 7e 8c f0 71 eb 98 0a d1 82
  Issuer: CN=vanderwaal-DCWP01-CA, DC=vanderwaal, DC=local
  NotBefore: 17-2-2011 15:52
  NotAfter: 17-2-2021 16:02
  Subject: CN=vanderwaal-DCWP01-CA, DC=vanderwaal, DC=local
  Serial: 44510ae1e963ad84428c7d8e2c8ecfc5
  Template: CA
  71 d9 e5 4f 25 21 81 d7 7e 23 e2 7e 8c f0 71 eb 98 0a d1 82
A certificate chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478)
------------------------------------

Supported Certificate Templates
Certificate Type[0]: DirectoryEmailReplication (Directory Email Replication)
Certificate Type[1]: DomainControllerAuthentication (Domain Controller Authentication)
Certificate Type[2]: EFSRecovery (EFS Recovery Agent)
Certificate Type[3]: EFS (Basic EFS)
Certificate Type[4]: DomainController (Domain Controller)
Certificate Type[5]: WebServer (Web Server)
Certificate Type[6]: Machine (Computer)
Certificate Type[7]: User (User)
Certificate Type[8]: SubCA (Subordinate Certification Authority)
Certificate Type[9]: Administrator (Administrator)
Validated Certificate Types: 10

================================================================
DCWP01.vanderwaal.local\vanderwaal-DCWP01-CA:
  Enterprise Root CA
  A certificate chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478)
  Online

CertUtil: -TCAInfo command completed successfully.


Again it says the chain ends in a non-trusted certificate. This totally puzzles me: the "chain" is one certificate, the server's own certificate, made and signed by the server itself.
I think I tried to check almost everything. Checking Enterprise PKI, the certificate is in the AD containers NTAuthCertificates, AIA, CDP, Certification Authorities and signup services; the only one it's not in is KRA.
Using the MMC for certificates, the certificate is in the Trusted Root Certification Authorities folder twice, once with a little key symbol, once without.

I have no clue where to check next, and I'm totally lost as to why the server does not trust the certificate it made itself.
Question by:MathijsV
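The checks the post does by hand (certutil -dump, certutil -TCAInfo, Enterprise PKI, the Certificates MMC) can be collapsed into one comparison: which CA certificate does AD publish, which copies does the local Trusted Root store hold, and what does the chain engine say about each copy. The script below is an added example for this thread; it is not from the original post, from Experts Exchange or from the Microsoft case. It assumes a domain-joined host, and the two parameters (the CA name and the SHA-1 hash certutil printed above) are taken from the thread's own output; change them for another CA.

```powershell
# Added diagnostic (not from the original post). Compares the CA certificate(s)
# published in the AD PKI containers with the copies in LocalMachine\Root and
# builds a chain for each copy. $CaCommonName and $ExpectedThumbprint are taken
# from the thread's certutil output and are assumptions, not verified facts.
param(
    [string]$CaCommonName       = 'vanderwaal-DCWP01-CA',
    [string]$ExpectedThumbprint = '71D9E54F252181D77E23E27E8CF071EB980AD182'
)

function Get-AdPublishedCaCerts {
    # Read the cACertificate attribute from the containers the post mentions
    # (NTAuthCertificates, Certification Authorities, AIA) in the Configuration NC.
    param([string]$CaName)
    $cfg = [string]([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'].Value
    $pki = "CN=Public Key Services,CN=Services,$cfg"
    $containers = @{
        'NTAuthCertificates'        = "LDAP://CN=NTAuthCertificates,$pki"
        'Certification Authorities' = "LDAP://CN=$CaName,CN=Certification Authorities,$pki"
        'AIA'                       = "LDAP://CN=$CaName,CN=AIA,$pki"
    }
    foreach ($name in $containers.Keys) {
        try {
            $values = ([ADSI]$containers[$name]).Properties['cACertificate']
        } catch {
            Write-Warning "$name : cannot read $($containers[$name]) ($($_.Exception.Message))"
            continue
        }
        for ($i = 0; $i -lt $values.Count; $i++) {
            # Each value is the DER-encoded certificate; the leading comma keeps byte[] as one argument
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,[byte[]]$values[$i])
            New-Object PSObject -Property @{
                Container  = $name
                Subject    = $cert.Subject
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
            }
        }
    }
}

function Get-LocalRootCopies {
    # Every entry in LocalMachine\Root whose subject is the CA. Two entries with
    # the same subject, one carrying a private key, is what the MMC showed.
    param([string]$CaName)
    Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "CN=$CaName,*" -or $_.Subject -eq "CN=$CaName" }
}

function Test-CaChain {
    # Build a chain for one certificate with the same CryptoAPI engine certutil uses;
    # the X509ChainStatusFlags names mirror the CERT_TRUST_* flags in the post.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # isolate trust from CRL/AIA reachability
    $trusted = $chain.Build($Cert)
    $flags = @($chain.ChainStatus | ForEach-Object { $_.Status })
    $summary = 'NoError'
    if ($flags.Count -gt 0) { $summary = $flags -join ', ' }
    New-Object PSObject -Property @{
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey
        Trusted       = $trusted
        ChainStatus   = $summary
    }
}

$adCerts = @(Get-AdPublishedCaCerts -CaName $CaCommonName)
$local   = @(Get-LocalRootCopies   -CaName $CaCommonName)

"== $CaCommonName as published in AD =="
$adCerts | Format-Table Container, Thumbprint, NotAfter -AutoSize

"== Copies in LocalMachine\Root (a root store entry normally carries no private key) =="
$local | ForEach-Object { Test-CaChain -Cert $_ } |
    Format-Table Thumbprint, HasPrivateKey, Trusted, ChainStatus -AutoSize

# Cross-check: every thumbprint AD publishes should be in the local root store,
# and the hash certutil printed for the CA's own certificate should be there too.
$localHashes = @($local | ForEach-Object { $_.Thumbprint })
foreach ($c in $adCerts) {
    if ($localHashes -notcontains $c.Thumbprint) {
        Write-Warning "$($c.Container) publishes $($c.Thumbprint) but LocalMachine\Root does not contain it"
    }
}
if ($localHashes -notcontains $ExpectedThumbprint) {
    Write-Warning "The CA certificate $ExpectedThumbprint is not in LocalMachine\Root on this host"
}
```

Run it elevated on the CA and on one of the failing clients and compare the two outputs. A CERT_TRUST_IS_UNTRUSTED_ROOT result on a self-signed certificate that is visibly present in the root store usually means the certificate being verified (the one published in AD, or the one the CA service has registered) is not byte-for-byte the same object as the store entry, which is why the script compares thumbprints rather than subject names; the thread does not say whether that was the cause here.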
3 Comments
 

Author Comment

by:MathijsV
ID: 35058108
Just some extra info: when running the Best Practices Analyzer included with 2008 R2 on Certificate Services, it instantly returns with (translated from Dutch): "Scan of analysis function for best practices failed, hexadecimal value 0x1F, is invalid character".
All other best practices scans complete without trouble on the same server.
 

Accepted Solution

by:
MathijsV earned 0 total points
ID: 35216148
An official case has been opened with Microsoft; after a 3-hour-long session of sharing desktops it's still not fixed. So I think the question went a bit above the scope of Experts Exchange.
 

Author Closing Comment

by:MathijsV
ID: 35216153
Not fixed, but Microsoft is looking at it; not expecting an answer from EE anymore.