Solved

Root CA on Windows Server 2008 not trusted

Posted on 2011-03-03
3
2,683 Views
Last Modified: 2012-05-11
I have installed an enterprise root CA on a Server 2008 Standard Domain Controller. The CA is giving out certificates fine and people can log into OWA using certificates given out by this CA so all seemed to be working fine.
Then one of our programs stopped functioning, complaining it can't set up encrypted connections. This led to an extensive search that left me with more questions than answers.
So first I used "certutil -dump" on a client and it looked all right.
 
402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
Entry 0:
  Name:                   	`vanderwaal-DCWP01-CA'
  Organizational Unit:    	`'
  Organization:           	`'
  Locality:               	`'
  State:                  	`'
  Country/region:         	`'
  Config:                 	`DCWP01.vanderwaal.local\vanderwaal-DCWP01-CA'
  Exchange Certificate:   	`'
  Signature Certificate:  	`'
  Description:            	`'
  Server:                 	`DCWP01.vanderwaal.local'
  Authority:              	`vanderwaal-DCWP01-CA'
  Sanitized Name:         	`vanderwaal-DCWP01-CA'
  Short Name:             	`vanderwaal-DCWP01-CA'
  Sanitized Short Name:   	`vanderwaal-DCWP01-CA'
  Flags:                  	`1'
CertUtil: -dump command completed successfully.


DCWP01.vanderwaal.local is the right server, so that looks all right.
402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER
ChainContext.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER
SimpleChain.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT
CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=20
  Issuer: CN=vanderwaal-DCWP01-CA, DC=vanderwaal, DC=local
  Subject: CN=vanderwaal-DCWP01-CA, DC=vanderwaal, DC=local
  CertContext.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER
  CertContext.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED
  CertContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER
  CertContext.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT
Subject: CN=vanderwaal-DCWP01-CA, DC=vanderwaal, DC=local
Er is een certificaatketen verwerkt, maar de keten is beëindigd in een basiscertificaat dat niet door de vertrouwenslijstprovider wordt vertrouwd. 0x800b0109 (-2146762487)
No CA's listed on domain
314.687.0: 0x80092004 (-2146885628)
314.1752.0: 0x80092004 (-2146885628)
CertUtil: -TCAInfo command FAILED: 0x80092004 (-2146885628)
CertUtil: Kan object of eigenschap niet vinden
301.3128.0: 0x80092004 (-2146885628)


This is the first part where I'm getting puzzled. It's a Dutch client, but the translation of the error roughly comes down to: "worked through certificate chain, but chain ends in a certificate that's not trusted. 0x800b0109". So I searched on that error, but the first 20 pages didn't solve it.
The other thing that worried me is "No CA's listed on domain". After this I moved on to the server.
"CertUtil -dump" on the server is the same as on the client, no weird stuff there. The only differences are that there is a signature certificate and flags is 13 instead of 1.
"CertUtil -TCAInfo" gives this:
 
================================================================
CA-naam: vanderwaal-DCWP01-CA

Computernaam: DCWP01.vanderwaal.local

Active Directory Domain Services-locatie: CN=vanderwaal-DCWP01-CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=vanderwaal,DC=local

DN-naam van certificaat: CN=vanderwaal-DCWP01-CA, DC=vanderwaal, DC=local

Geldigheidsperiode van CA-register: 2 Years -- 3-3-2013 9:51
 Niet na: 17-2-2021 16:02

Verbinding maken met DCWP01.vanderwaal.local\vanderwaal-DCWP01-CA
De interface ICertRequestvanderwaal-DCWP01-CA van de server 2 is actief

  Basis-CA van onderneming

dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_NT_AUTH
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=vanderwaal-DCWP01-CA, DC=vanderwaal, DC=local
  NotBefore: 17-2-2011 15:52
  NotAfter: 17-2-2021 16:02
  Subject: CN=vanderwaal-DCWP01-CA, DC=vanderwaal, DC=local
  Serial: 44510ae1e963ad84428c7d8e2c8ecfc5
  Template: CA
  71 d9 e5 4f 25 21 81 d7 7e 23 e2 7e 8c f0 71 eb 98 0a d1 82
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

Exclude leaf cert:
  da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
Full chain:
  71 d9 e5 4f 25 21 81 d7 7e 23 e2 7e 8c f0 71 eb 98 0a d1 82
  Issuer: CN=vanderwaal-DCWP01-CA, DC=vanderwaal, DC=local
  NotBefore: 17-2-2011 15:52
  NotAfter: 17-2-2021 16:02
  Subject: CN=vanderwaal-DCWP01-CA, DC=vanderwaal, DC=local
  Serial: 44510ae1e963ad84428c7d8e2c8ecfc5
  Template: CA
  71 d9 e5 4f 25 21 81 d7 7e 23 e2 7e 8c f0 71 eb 98 0a d1 82
Een certificaatketen is goed verwerkt, maar een van de CA-certificaten wordt niet door de beleidsprovider vertrouwd. 0x800b0112 (-2146762478)
------------------------------------

Ondersteunde certificaatsjablonen
Certificaattype[0]: DirectoryEmailReplication (Replicatie van e-mail in directory)
Certificaattype[1]: DomainControllerAuthentication (Domeincontrollerverificatie)
Certificaattype[2]: EFSRecovery (EFS-herstelagent)
Certificaattype[3]: EFS (Standaard-EFS)
Certificaattype[4]: DomainController (Domeincontroller)
Certificaattype[5]: WebServer (Webserver)
Certificaattype[6]: Machine (Computer)
Certificaattype[7]: User (Gebruiker)
Certificaattype[8]: SubCA (Onderliggende certificeringsinstantie)
Certificaattype[9]: Administrator (Administrator)
Gevalideerde certificaattypen: 10

================================================================
DCWP01.vanderwaal.local\vanderwaal-DCWP01-CA:
  Basis-CA van onderneming
  Een certificaatketen is goed verwerkt, maar een van de CA-certificaten wordt niet door de beleidsprovider vertrouwd. 0x800b0112 (-2146762478)
  Online

CertUtil: - de opdracht TCAInfo is voltooid.


Again it says the chain ends in a non-trusted certificate. This totally puzzles me: the "chain" is 1 certificate, the server's own certificate, made and signed by the server itself.
I think I tried to check almost everything. Checking Enterprise PKI, the certificate is in the AD containers NTAuthCertificates, AIA, CDP, Certificate Authorities and signup services; the only one it's not in is KRA.
Using the MMC for certificates, the certificate is in the Trusted Root Certification Authorities folder twice, once with a little key symbol, once without.

I have no clue where to check next, and I'm totally lost as to why the server does not trust the certificate it made itself.
Question by: MathijsV
3 Comments
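A diagnostic script for the symptom described in the question, added here as an example and not part of the original thread: it decodes the dwErrorStatus bitmask from the certutil dump, lists every copy of the CA certificate in the machine's Trusted Root store, rebuilds the chain for the thumbprint shown in the output, and compares that thumbprint with what is published in the NTAuthCertificates object in AD. The CA subject, AD DN and thumbprint are taken from the certutil output above; the LDAP path is assumed from the "Active Directory Domain Services-locatie" line. Run it in an elevated PowerShell on the CA server.

```powershell
# Added diagnostic for the "untrusted root" symptom above (example, not from the thread).
# CA subject, thumbprint and AD DN are the ones shown in the certutil output of the question.
$CaSubject  = 'CN=vanderwaal-DCWP01-CA, DC=vanderwaal, DC=local'
$Thumbprint = '71D9E54F252181D77E23E27E8CF071EB980AD182'
$NtAuthPath = 'LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,DC=vanderwaal,DC=local'

# 1. certutil prints dwErrorStatus as a hex bitmask; .NET uses the same flag values, so the
#    "20" in the client dump decodes to UntrustedRoot. For reference, HRESULT 0x800b0109 is
#    CERT_E_UNTRUSTEDROOT and 0x800b0112 is CERT_E_UNTRUSTEDCA.
"certutil dwErrorStatus=0x20 means: $([System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]0x20)"

# 2. Every copy of the CA subject in the machine Trusted Root store. The question saw two
#    entries; listing thumbprint and validity shows whether they are the same certificate.
$rootCopies = @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -eq $CaSubject })
"Copies of the CA subject in LocalMachine\Root: $($rootCopies.Count)"
$rootCopies | Format-Table Thumbprint, HasPrivateKey, NotBefore, NotAfter -AutoSize

# 3. Rebuild the chain for the expected thumbprint the way CryptoAPI does and print each
#    status flag, so the result can be compared with the certutil -verify output.
$caCert = $rootCopies | Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
if (-not $caCert) { throw "Thumbprint $Thumbprint is not in LocalMachine\Root" }
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($caCert)
"Chain builds without errors: $built"
$chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation.Trim())" }

# 4. Compare with the certificates published in NTAuthCertificates, the store that
#    enterprise (NT_AUTH) chain policy and certutil -TCAInfo validate against.
$ntAuth = [ADSI]$NtAuthPath
$published = @()
foreach ($der in $ntAuth.Properties['cACertificate']) {
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$der)
    $published += $c.Thumbprint
}
"NTAuthCertificates holds $($published.Count) certificate(s); expected thumbprint present: $($published -contains $Thumbprint)"
```

A mismatch between the thumbprints in step 2 and step 4, or a second root-store copy with a different thumbprint, narrows the search to which certificate the machine is actually chaining to.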
 

Author Comment

by:MathijsV
ID: 35058108
Just some extra info: when running the Best Practices Analyzer included with 2008 R2 on Certificate Services, it instantly returns with (translated from Dutch): "Scan of analysis function for best practices failed, hexadecimal value 0x1F is an invalid character".
All other Best Practices scans complete without trouble on the same server.
0
 

Accepted Solution

by:
MathijsV earned 0 total points
ID: 35216148
An official case has been opened at Microsoft; after a 3-hour-long session of sharing desktops it's still not fixed. So I think the question went a bit above the scope of Experts Exchange.
0
 

Author Closing Comment

by:MathijsV
ID: 35216153
Not fixed, but Microsoft is looking at it; not expecting an answer from EE anymore.
0
