Solved

Root CA on Windows Server 2008 not trusted

Posted on 2011-03-03
2,759 Views
Last Modified: 2012-05-11
I have installed an enterprise root CA on a Server 2008 Standard Domain Controller. The CA is giving out certificates fine and people can log into OWA using certificates given out by this CA, so all seemed to be working fine.
Then one of our programs stopped functioning, complaining it can't set up encrypted connections; this led to an extensive search that left me with more questions than answers.
So first I used "certutil -dump" on a client and it looked all right.
402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
Entry 0:
  Name:                   	`vanderwaal-DCWP01-CA'
  Organizational Unit:    	`'
  Organization:           	`'
  Locality:               	`'
  State:                  	`'
  Country/region:         	`'
  Config:                 	`DCWP01.vanderwaal.local\vanderwaal-DCWP01-CA'
  Exchange Certificate:   	`'
  Signature Certificate:  	`'
  Description:            	`'
  Server:                 	`DCWP01.vanderwaal.local'
  Authority:              	`vanderwaal-DCWP01-CA'
  Sanitized Name:         	`vanderwaal-DCWP01-CA'
  Short Name:             	`vanderwaal-DCWP01-CA'
  Sanitized Short Name:   	`vanderwaal-DCWP01-CA'
  Flags:                  	`1'
CertUtil: -dump command completed successfully.


DCWP01.vanderwaal.local is the right server, so that looks all right.
402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER
ChainContext.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER
SimpleChain.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT
CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=20
  Issuer: CN=vanderwaal-DCWP01-CA, DC=vanderwaal, DC=local
  Subject: CN=vanderwaal-DCWP01-CA, DC=vanderwaal, DC=local
  CertContext.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER
  CertContext.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED
  CertContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER
  CertContext.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT
Subject: CN=vanderwaal-DCWP01-CA, DC=vanderwaal, DC=local
A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487)
No CA's listed on domain
314.687.0: 0x80092004 (-2146885628)
314.1752.0: 0x80092004 (-2146885628)
CertUtil: -TCAInfo command FAILED: 0x80092004 (-2146885628)
CertUtil: Cannot find object or property.
301.3128.0: 0x80092004 (-2146885628)


This is the first part where I'm getting puzzled. It's a Dutch client, but the translation of the error roughly comes down to: "worked through certificate chain, but chain ends in a certificate that's not trusted. 0x800b0109". So I searched on that error, but the first 20 pages didn't solve it.
Also, the thing that worried me is "No CA's listed on domain"; after this I moved on to the server.
"CertUtil -dump" on the server is the same as on the client, no weird stuff there. The only differences are that there is a signature certificate and flags is 13 instead of 1.
"CertUtil -TCAInfo" gives this:
================================================================
CA Name: vanderwaal-DCWP01-CA

Computer Name: DCWP01.vanderwaal.local

Active Directory Domain Services location: CN=vanderwaal-DCWP01-CA,CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=vanderwaal,DC=local

Certificate DN: CN=vanderwaal-DCWP01-CA, DC=vanderwaal, DC=local

CA Registry Validity Period: 2 Years -- 3-3-2013 9:51
 Not After: 17-2-2021 16:02

Connecting to DCWP01.vanderwaal.local\vanderwaal-DCWP01-CA
Server "vanderwaal-DCWP01-CA" ICertRequest2 interface is alive

  Enterprise Root CA

dwFlags = CA_VERIFY_FLAGS_NT_AUTH (0x10)
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_NT_AUTH
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=vanderwaal-DCWP01-CA, DC=vanderwaal, DC=local
  NotBefore: 17-2-2011 15:52
  NotAfter: 17-2-2021 16:02
  Subject: CN=vanderwaal-DCWP01-CA, DC=vanderwaal, DC=local
  Serial: 44510ae1e963ad84428c7d8e2c8ecfc5
  Template: CA
  71 d9 e5 4f 25 21 81 d7 7e 23 e2 7e 8c f0 71 eb 98 0a d1 82
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)

Exclude leaf cert:
  da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
Full chain:
  71 d9 e5 4f 25 21 81 d7 7e 23 e2 7e 8c f0 71 eb 98 0a d1 82
  Issuer: CN=vanderwaal-DCWP01-CA, DC=vanderwaal, DC=local
  NotBefore: 17-2-2011 15:52
  NotAfter: 17-2-2021 16:02
  Subject: CN=vanderwaal-DCWP01-CA, DC=vanderwaal, DC=local
  Serial: 44510ae1e963ad84428c7d8e2c8ecfc5
  Template: CA
  71 d9 e5 4f 25 21 81 d7 7e 23 e2 7e 8c f0 71 eb 98 0a d1 82
A certificate chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478)
------------------------------------

Supported Certificate Templates
Certificate Type[0]: DirectoryEmailReplication (Directory Email Replication)
Certificate Type[1]: DomainControllerAuthentication (Domain Controller Authentication)
Certificate Type[2]: EFSRecovery (EFS Recovery Agent)
Certificate Type[3]: EFS (Basic EFS)
Certificate Type[4]: DomainController (Domain Controller)
Certificate Type[5]: WebServer (Web Server)
Certificate Type[6]: Machine (Computer)
Certificate Type[7]: User (User)
Certificate Type[8]: SubCA (Subordinate Certification Authority)
Certificate Type[9]: Administrator (Administrator)
Validated Cert Types: 10

================================================================
DCWP01.vanderwaal.local\vanderwaal-DCWP01-CA:
  Enterprise Root CA
  A certificate chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478)
  Online

CertUtil: -TCAInfo command completed successfully.


Again it says the chain ends in a non-trusted certificate. This totally puzzles me: the "chain" is one certificate, the server's own certificate, made and signed by the server itself.
I think I tried to check almost everything. Checking Enterprise PKI, the certificate is in the AD containers NTAuthCertificates, AIA, CDP, Certification Authorities and Enrollment Services; the only one it's not in is KRA.
Using the Certificates MMC, the certificate is in the Trusted Root Certification Authorities folder twice, once with a little key symbol and once without.

I have no clue where to check next, and I'm totally lost as to why the server does not trust the certificate it made itself.
Question by:MathijsV
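Editor's note: the question above boils down to two checks that the MMC view does not make explicit: whether the root certificate published in the AD containers is byte-for-byte the same certificate (same thumbprint) as the one in the machine's Trusted Root store, and what the chain engine actually reports for each copy it finds. The following PowerShell script is an added example written for this page, not code from the original poster or from Microsoft. It takes the CA name and the SHA-1 thumbprint (71 d9 e5 4f ...) from the -TCAInfo output above; the container DNs are the standard Public Key Services locations under the Configuration naming context, and the script assumes it is run in an elevated prompt on a domain member (the client or the CA itself).

```powershell
# Added example (not from the original post): compare the root CA certificate that
# Active Directory publishes with what the local machine trusts, then build a chain
# for each local copy and report the chain status flags instead of a bare error code.
# Assumptions: CA name and expected thumbprint are taken from the -TCAInfo output in
# the post; run elevated on a domain-joined machine.

$CAName   = 'vanderwaal-DCWP01-CA'
$Expected = '71D9E54F252181D77E23E27E8CF071EB980AD182'   # SHA-1 shown by certutil -TCAInfo

$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$pks      = "CN=Public Key Services,CN=Services,$configNC"

# 1. What AD publishes. These are the containers the Enterprise PKI snap-in checks;
#    each object carries the certificate in its multi-valued cACertificate attribute.
$containers = @{
    'Certification Authorities' = "LDAP://CN=$CAName,CN=Certification Authorities,$pks"
    'Enrollment Services'       = "LDAP://CN=$CAName,CN=Enrollment Services,$pks"
    'AIA'                       = "LDAP://CN=$CAName,CN=AIA,$pks"
    'NTAuthCertificates'        = "LDAP://CN=NTAuthCertificates,$pks"
}

function Describe-Cert($where, $cert) {
    $verdict = if ($cert.Thumbprint -eq $Expected) { 'MATCH' } else { 'DIFFERENT' }
    '{0,-26} {1}  {2,-9} {3}' -f $where, $cert.Thumbprint, $verdict, $cert.Subject
}

foreach ($name in $containers.Keys) {
    $entry = [ADSI]$containers[$name]
    foreach ($raw in $entry.Properties['cACertificate']) {
        # The comma forces the byte[] to be passed as one constructor argument.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$raw)
        Describe-Cert $name $cert
    }
}

# 2. What the local machine trusts under that subject. Two entries with the same
#    subject but different thumbprints mean the store holds a certificate other than
#    the one AD publishes (for example a renewed or re-installed CA certificate).
$local = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Subject -like "CN=$CAName,*" }
foreach ($c in $local) {
    (Describe-Cert 'LocalMachine\Root' $c) + "  private key: $($c.HasPrivateKey)"
}

# 3. Build a chain for each local copy. For a self-signed certificate that really is
#    in the machine Root store, Build() returns True with an empty ChainStatus;
#    UntrustedRoot here means the chain engine found a different root than the MMC shows.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
foreach ($c in $local) {
    $built = $chain.Build($c)
    '{0}  chain built: {1}' -f $c.Thumbprint, $built
    foreach ($s in $chain.ChainStatus) {
        '    {0}: {1}' -f $s.Status, "$($s.StatusInformation)".Trim()
    }
}
```

If every AD container reports MATCH but the local store shows a DIFFERENT thumbprint, the problem is on the trust side, not the publishing side: the machine's cached enterprise stores can be listed with `certutil -store -enterprise NTAuth` and `certutil -store -enterprise Root` and compared against the same thumbprint. The .NET chain built here uses the default policy; `certutil -TCAInfo` additionally applies CERT_CHAIN_POLICY_NT_AUTH, which requires the issuing CA to be present in NTAuthCertificates, so a chain that builds cleanly in step 3 while -TCAInfo still fails points at the NTAuth copy rather than at the Root store.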
3 Comments

Author Comment

by:MathijsV
ID: 35058108
Just some extra info: when running the Best Practices Analyzer included with 2008 R2 on Certificate Services, it instantly returns with (translated from Dutch): "Scan of analysis function for best practices failed, hexadecimal value 0x1F is an invalid character."
All other best practices scans complete without trouble on the same server.
Accepted Solution

by:
MathijsV earned 0 total points
ID: 35216148
An official case has been opened with Microsoft; after a 3-hour session of sharing desktops it's still not fixed. So I think the question went a bit above the scope of Experts Exchange.
Author Closing Comment

by:MathijsV
ID: 35216153
Not fixed, but Microsoft is looking at it; not expecting an answer from EE anymore.