How to fix?

BeGentleWithMe-INeedHelp
Just started getting this as part of failures of ShadowProtect on all desktops saving continuous incrementals to a share on an SBS 2011 Standard server:

An untrusted certificate authority was detected While processing the smartcard certificate used for authentication.

Any advice?
Oh! There are no smart card logins being done on the network. Just the typical user/password/domain login from these Win 7 machines that are in the same office/LAN as the server.
Here's the full text of the failure log:

Randazzo B-PC2 Backup report: 31-Jan-2016 15:30:00 service 100 service (build 59) started job by incremental trigger
31-Jan-2016 15:30:00 service 104 5.2.3.37285 92A8-439C yXhIgXhtputN/TYx5c4mhw== 1057-4E4B-5E3C-9DA0-5F23-001C-C06B-30F9
31-Jan-2016 15:30:00 service 509 Cannot get access to destination object
31-Jan-2016 15:30:00 service 101 Cannot execute job (An untrusted certificate authority was detected While processing the smartcard certificate used for authentication. Please contact your system administrator. 0x80090352(2148074322))
Top Expert 2014
Commented:
Could have many reasons.

1. Check time and DATE on all systems.
2. Check the trust chain of the certificate of the smart cards to see if all certificates are still trusted and not revoked/expired.
3. Check if an operating system update was installed recently. Sometimes Windows updates remove root CAs if they are broken/untrustworthy.
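An added example, not part of the original answer: one way to run checks 1 and 2 on the server or a desktop is to list every certificate in the local machine stores that is expired, close to expiry, or fails chain validation. The choice of stores (`My` and `Root`) and the 30-day warning window are assumptions; it uses the .NET `X509Chain` class so it also works on the PowerShell version shipped with Windows 7 / Server 2008 R2.

```powershell
# Added example: report expiry and chain-trust status of machine certificates.
# Run from an elevated PowerShell prompt. Stores and warning window are assumptions.
$warnDays = 30
$now      = Get-Date   # check 1: compare this value against a known-good clock

function Get-CertTrustReport {
    param([string]$StorePath)

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # Build the chain with the default policy (includes online revocation checks).
        $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $trusted = $chain.Build($cert)

        # Collect the failure flags, e.g. UntrustedRoot, NotTimeValid, Revoked.
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

        New-Object PSObject -Property @{
            Store       = $StorePath
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            NotAfter    = $cert.NotAfter
            SelfSigned  = ($cert.Subject -eq $cert.Issuer)
            Expired     = ($cert.NotAfter -lt $now)
            ExpiresSoon = ($cert.NotAfter -lt $now.AddDays($warnDays))
            ChainOk     = $trusted
            ChainStatus = $status
        }
    }
}

Write-Output "System clock: $now"

# Show only certificates that need attention, oldest expiry first.
'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Root' |
    ForEach-Object { Get-CertTrustReport -StorePath $_ } |
    Where-Object { $_.Expired -or $_.ExpiresSoon -or -not $_.ChainOk } |
    Sort-Object NotAfter |
    Format-Table Store, Subject, NotAfter, SelfSigned, ChainOk, ChainStatus -AutoSize -Wrap
```

A `ChainStatus` of `RevocationStatusUnknown` only means the revocation list could not be fetched from that machine; `UntrustedRoot` and `NotTimeValid` are the flags that correspond to an untrusted or expired issuer.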

The date / time is correct.

Poking around places I've rarely been to on the server, I see a self-signed cert that expired 1/31/16 - today, when the problem started.

Somewhere on the web I saw that you should run the Fix My Network wizard. Did that, rebooted the server and still getting that error.

Quite some time ago I got a message from GoDaddy about a cert we have with them that should be rekeyed (from SHA-1 to SHA-2?) (if you go to remote.ourdomain.com the browser balks at the certificate). I did the rekey and now the browser is happy with the cert.

But the desktop to server connection is using a different cert? How to fix that message that 'an untrusted certificate authority was detected'?

And by the way, is there a place you can point me to to learn about certs? Intermediate, primary, self certs, my head hurts.
If you're running self-signed, I would expect the typical response is going to be just buy a valid external cert and install it via the network / connectivity "add a trusted certificate" wizard.
I've always run SBS 2011 servers on GoDaddy or RapidSSL certs. It's pretty easy, and in my case worth the bit of money it costs. I know it's not really a direct answer to the question. At the end of the day, my time is worth more than the cert costs.
time > $$   certainly!

So I have an external cert from GoDaddy that I just rekeyed / reinstalled.

I'm still getting that non-trusted cert authority message when trying to access the server share from the desktop (using username / password credentials stored in ShadowProtect; the username / password are NOT the user). Do I delete any local certs? How do I stop having the server itself be the non-trusted cert authority? (I guess that's what the message is meaning? The server itself is not trusted?)
Check your bindings in the IIS default web site.
There's usually 2, 127.0.0.1 and "*".
I went into Admin Tools / IIS Manager, clicked on Default Web Site on the left, then in the right column clicked on Edit Site / Bindings. Here's what it looked like. 8 entries, not 2.

After doing that screen capture, I wound up starting Admin Tools / Certificate Authority.

In there, I clicked on the server name on the left, then right-clicked and chose All Tasks / renew CA authority.

Under properties for the server, there are 2 certs. Both are current, 1 was created today.

I really need to do this at night to go from a user PC to see if I broke something / fixed something.

>>>>  I'm just wandering around the different interfaces. Is there a way to learn what all this certificate stuff means / how it works / what I want to do?

Do these things look right?

Under the server, there's:

Revoked certs - blank
Issued certs - 14 different ones. 11 have expired dates (can I delete them?)
Pending certs - blank
Failed requests - 16, request dates 2012 to 2015. Can I delete these?
Certificate templates - 11 of these. I have no clue when these would be needed / what I would do with them.
http://blogs.technet.com/b/askds/archive/2010/08/31/the-case-of-the-enormous-ca-database.aspx

http://blogs.technet.com/b/xdot509/archive/2013/05/10/operating-a-windows-pki-removing-expired-certificates-from-the-ca-database.aspx

OK to delete failed & pending. Can you do it through the UI or do you have to use the command line?

certutil -deleterow <today's date in mm/dd/yyyy format> request
OK, I deleted failed, pending and expired from the command line (no option to do it in the GUI, it seems).

In this picture, can I delete cert 0 since cert 1 will expire later and seems to do the same thing as 0?

But we're still dealing with self-signed certs here, right? Do I need both certs?
