Solved

Root CA on Windows Server 2008 not trusted

Posted on 2011-03-03
Last Modified: 2012-05-11
I have installed an enterprise root CA on a Server 2008 Standard domain controller. The CA is giving out certificates fine and people can log into OWA using certificates given out by this CA, so all seemed to be working fine.
Then one of our programs stopped functioning, complaining it can't set up encrypted connections; this led to an extensive search that left me with more questions than answers.
So first I used "certutil -dump" on a client and it looked all right.
402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
Entry 0:
  Name:                   	`vanderwaal-DCWP01-CA'
  Organizational Unit:    	`'
  Organization:           	`'
  Locality:               	`'
  State:                  	`'
  Country/region:         	`'
  Config:                 	`DCWP01.vanderwaal.local\vanderwaal-DCWP01-CA'
  Exchange Certificate:   	`'
  Signature Certificate:  	`'
  Description:            	`'
  Server:                 	`DCWP01.vanderwaal.local'
  Authority:              	`vanderwaal-DCWP01-CA'
  Sanitized Name:         	`vanderwaal-DCWP01-CA'
  Short Name:             	`vanderwaal-DCWP01-CA'
  Sanitized Short Name:   	`vanderwaal-DCWP01-CA'
  Flags:                  	`1'
CertUtil: -dump command completed successfully.


DCWP01.vanderwaal.local is the right server, so that looks all right.
402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER
ChainContext.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER
SimpleChain.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT
CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=20
  Issuer: CN=vanderwaal-DCWP01-CA, DC=vanderwaal, DC=local
  Subject: CN=vanderwaal-DCWP01-CA, DC=vanderwaal, DC=local
  CertContext.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER
  CertContext.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED
  CertContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER
  CertContext.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT
Subject: CN=vanderwaal-DCWP01-CA, DC=vanderwaal, DC=local
A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487)
No CA's listed on domain
314.687.0: 0x80092004 (-2146885628)
314.1752.0: 0x80092004 (-2146885628)
CertUtil: -TCAInfo command FAILED: 0x80092004 (-2146885628)
CertUtil: Cannot find object or property.
301.3128.0: 0x80092004 (-2146885628)


This part is the first part where I'm getting puzzled. It's a Dutch client, but the translation of the error roughly comes down to: "worked through certificate chain, but chain ends in a certificate that's not trusted. 0x800b0109". So I searched on that error, but the first 20 pages didn't solve it.
Also the thing that worried me is "No CA's listed on domain"; after this I moved on to the server.
"CertUtil -dump" on the server is the same as on the client, no weird stuff there. The only changes are the fact that there is a signature certificate and flags is 13 instead of 1.
"CertUtil -TCAInfo" gives this:
================================================================
CA Name: vanderwaal-DCWP01-CA

Machine Name: DCWP01.vanderwaal.local

Active Directory Domain Services Location: CN=vanderwaal-DCWP01-CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=vanderwaal,DC=local

Cert DN: CN=vanderwaal-DCWP01-CA, DC=vanderwaal, DC=local

CA Registry Validity Period: 2 Years -- 3-3-2013 9:51
 NotAfter: 17-2-2021 16:02

Connecting to DCWP01.vanderwaal.local\vanderwaal-DCWP01-CA
Server "vanderwaal-DCWP01-CA" ICertRequest2 interface is alive

  Enterprise Root CA

dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_NT_AUTH
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=vanderwaal-DCWP01-CA, DC=vanderwaal, DC=local
  NotBefore: 17-2-2011 15:52
  NotAfter: 17-2-2021 16:02
  Subject: CN=vanderwaal-DCWP01-CA, DC=vanderwaal, DC=local
  Serial: 44510ae1e963ad84428c7d8e2c8ecfc5
  Template: CA
  71 d9 e5 4f 25 21 81 d7 7e 23 e2 7e 8c f0 71 eb 98 0a d1 82
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

Exclude leaf cert:
  da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
Full chain:
  71 d9 e5 4f 25 21 81 d7 7e 23 e2 7e 8c f0 71 eb 98 0a d1 82
  Issuer: CN=vanderwaal-DCWP01-CA, DC=vanderwaal, DC=local
  NotBefore: 17-2-2011 15:52
  NotAfter: 17-2-2021 16:02
  Subject: CN=vanderwaal-DCWP01-CA, DC=vanderwaal, DC=local
  Serial: 44510ae1e963ad84428c7d8e2c8ecfc5
  Template: CA
  71 d9 e5 4f 25 21 81 d7 7e 23 e2 7e 8c f0 71 eb 98 0a d1 82
A certificate chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478)
------------------------------------

Supported Certificate Templates
Cert Type[0]: DirectoryEmailReplication (Directory Email Replication)
Cert Type[1]: DomainControllerAuthentication (Domain Controller Authentication)
Cert Type[2]: EFSRecovery (EFS Recovery Agent)
Cert Type[3]: EFS (Basic EFS)
Cert Type[4]: DomainController (Domain Controller)
Cert Type[5]: WebServer (Web Server)
Cert Type[6]: Machine (Computer)
Cert Type[7]: User (User)
Cert Type[8]: SubCA (Subordinate Certification Authority)
Cert Type[9]: Administrator (Administrator)
Validated Cert Types: 10

================================================================
DCWP01.vanderwaal.local\vanderwaal-DCWP01-CA:
  Enterprise Root CA
  A certificate chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478)
  Online

CertUtil: -TCAInfo command completed successfully.


Again it says the chain ends in a non-trusted certificate. This totally puzzles me: the "chain" is 1 certificate, the server's own certificate, made and signed by the server itself.
I think I tried to check almost everything. Checking Enterprise PKI, the certificate is in the AD containers NTAuthCertificates, AIA, CDP, Certification Authorities and Enrollment Services; the only one it's not in is KRA.
Using the MMC for certificates, the certificate is in the Trusted Root Certification Authorities folder twice, once with a little key symbol, once without.

I have no clue where to check next, and I'm totally lost as to why the server does not trust the certificate it made itself.
Question by:MathijsV
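The checks the post does by hand (certutil -dump, certutil -TCAInfo, the containers under Public Key Services in Enterprise PKI, and the Trusted Root Certification Authorities store in the MMC) can be combined in one script. The PowerShell below is an added example written for this page; it is not code from the original post or from Microsoft. It assumes a domain-joined machine, an account that can read the Configuration partition, and PowerShell 2.0 or later, and it takes the CA name from the post as its default. It reads the CA certificates published in the NTAuthCertificates, Certification Authorities and AIA containers, lists every entry with that subject in the local Root, NTAuth and CA stores (thumbprint, whether the private key is present, validity, chain result), and flags any certificate the two sides disagree on.

```powershell
# Added example for this page (not from the original post or from Microsoft).
# Compares the CA certificates Active Directory publishes for an enterprise CA
# with the copies the local machine holds, and reports each copy's chain status.
# Assumptions: domain-joined machine, an account that can read the Configuration
# partition, PowerShell 2.0 or later; the default CA name is the one in the post.
param(
    [string]$CaName = 'vanderwaal-DCWP01-CA'
)

$X509     = 'System.Security.Cryptography.X509Certificates'
$configNC = ([ADSI]'LDAP://RootDSE').Properties['configurationNamingContext'].Value
$pkiBase  = "CN=Public Key Services,CN=Services,$configNC"

# cACertificate is a multi-valued octet-string attribute on each PKI object.
function Get-AdCaCertificates([string]$Dn) {
    $found = @()
    try {
        $entry = [ADSI]"LDAP://$Dn"
        foreach ($raw in $entry.Properties['cACertificate']) {
            $found += New-Object "$X509.X509Certificate2" -ArgumentList (,[byte[]]$raw)
        }
    } catch {
        Write-Warning "Cannot read $Dn : $($_.Exception.Message)"
    }
    return $found
}

# Thumbprint -> AD locations that publish that exact certificate. These are the
# containers certutil -TCAInfo and the Enterprise PKI snap-in walk.
$published  = @{}
$containers = @(
    "CN=NTAuthCertificates,$pkiBase",                    # consulted by CERT_CHAIN_POLICY_NT_AUTH
    "CN=$CaName,CN=Certification Authorities,$pkiBase",  # autoenrollment copies this into local Root
    "CN=$CaName,CN=AIA,$pkiBase"                         # issuer certificate served via AIA
)
foreach ($dn in $containers) {
    foreach ($cert in Get-AdCaCertificates $dn) {
        if (-not $published.ContainsKey($cert.Thumbprint)) { $published[$cert.Thumbprint] = @() }
        $published[$cert.Thumbprint] += ($dn -split ',')[0]
    }
}

Write-Host "Published in AD for ${CaName}:"
foreach ($tp in $published.Keys) {
    Write-Host ("  {0}  <- {1}" -f $tp, ($published[$tp] -join ', '))
}

# Local stores that matter: Root is the trust-anchor store the chain engine uses,
# NTAuth is what the NT_AUTH policy (logon, OWA) requires, CA holds intermediates.
$localThumbprints = @()
foreach ($storeName in 'Root', 'NTAuth', 'CA') {
    $path = "Cert:\LocalMachine\$storeName"
    if (-not (Test-Path $path)) { Write-Host "`n${path}: store not present"; continue }
    $local = @(Get-ChildItem $path | Where-Object { $_.Subject -like "CN=$CaName,*" })
    Write-Host ("`n{0}: {1} certificate(s) with subject CN={2}" -f $path, $local.Count, $CaName)
    foreach ($cert in $local) {
        $localThumbprints += $cert.Thumbprint
        $chain = New-Object "$X509.X509Chain"
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # separate trust from CRL reachability
        $ok = $chain.Build($cert)
        if ($ok) { $status = 'OK' }
        else     { $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',' }
        if ($published.ContainsKey($cert.Thumbprint)) { $inAd = 'yes' } else { $inAd = 'NO' }
        # HasPrivateKey is the "little key" icon in the Certificates MMC.
        Write-Host ("  {0}  privkey:{1,-5} {2:d}..{3:d}  inAD:{4,-3} chain:{5}" -f `
            $cert.Thumbprint, $cert.HasPrivateKey, $cert.NotBefore, $cert.NotAfter, $inAd, $status)
    }
}

# A certificate AD publishes that no local store holds has not been pulled down
# by autoenrollment yet (or was replaced); that is the first thing to chase.
foreach ($tp in $published.Keys) {
    if ($localThumbprints -notcontains $tp) {
        Write-Warning "$tp is published in AD but is in no local Root/NTAuth/CA store"
    }
}
```

Two entries with the same name in the MMC are either one certificate shown with and without its private key, or two different certificates with the same subject (for example after a CA renewal with a new key); the thumbprints tell them apart. A root is trusted only when that exact certificate, same thumbprint, sits in the machine's Root store; a copy with the same name but a different thumbprint does not count, which is what CERT_TRUST_IS_UNTRUSTED_ROOT in the client output means, and the NT_AUTH policy additionally requires it in NTAuth. The "Exclude leaf cert" hash in the server's -TCAInfo output (da39a3ee 5e6b 4b0d ... 0709) is the SHA-1 of empty input: with a single self-signed certificate the chain minus its leaf contains nothing, so that line is not itself an error. certutil -enterprise -viewstore NTAuth shows the AD copy of the NTAuth store directly, and certutil -pulse triggers the autoenrollment run that copies the AD-published certificates into the local stores.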
3 Comments
 

Author Comment

by:MathijsV
ID: 35058108
Just some extra info: when running the Best Practices Analyzer included with 2008 R2 on Certificate Services it instantly returns with (translated from Dutch): "Scan of analysis function for best practices failed, hexadecimal value 0x1F, is an invalid character".
All other best practices scans complete without trouble on the same server.
 

Accepted Solution

by:
MathijsV earned 0 total points
ID: 35216148
An official case has been opened at Microsoft; after a 3-hour-long session of sharing desktops it's still not fixed. So I think the question went a bit above the scope of Experts Exchange.
 

Author Closing Comment

by:MathijsV
ID: 35216153
Not fixed, but Microsoft is looking at it; not expecting an answer from EE anymore.
