Untrusted root Certificate Authority (CA) certificate problems can be caused by numerous PKI configuration issues. This article illustrates only one of the possible causes of untrusted root CA certificate problems.

Various applications that use certificates and Public Key Infrastructure (PKI) might experience intermittent problems, such as connectivity errors, once or twice per day or week. These problems occur because verification of the end entity certificate fails. Affected applications might return different connectivity errors, but they will all have untrusted root certificate errors in common. Below is an example of such an error:

A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

Any PKI-enabled application that uses the CryptoAPI System Architecture can be affected by an intermittent loss of connectivity, or by a failure in PKI/certificate-dependent functionality. As of April 2020, the list of applications known to be affected by this issue includes, but is not likely limited to:

Administrators can identify and troubleshoot untrusted root CA certificate problems by inspecting the CAPI2 log. Focus your troubleshooting efforts on Build Chain/Verify Chain Policy errors within the CAPI2 log that carry the following signature:

Result: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.
Hex:

Root cause details

Untrusted root CA certificate problems might occur if the root CA certificate is distributed using the following Group Policy (GP):

Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities

When the root CA certificate is distributed using this GPO, the contents of HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates are deleted and written again. This deletion is by design; it is how Group Policy applies registry changes.

Changes in the area of the Windows registry that is reserved for root CA certificates notify the Crypto API component of the client application, and the application starts synchronizing with the registry changes. This synchronization is how applications are kept up to date and made aware of the most current list of valid root CA certificates.

In some scenarios, Group Policy processing takes longer, for example when many root CA certificates are distributed via GPO (similarly for many Firewall or AppLocker policies). In these scenarios, the application might not receive the complete list of trusted root CA certificates. As a result, end entity certificates that chain to those missing root CA certificates are rendered as untrusted, and various certificate-related problems start to occur. This problem is intermittent, and can be temporarily resolved by forcing GPO processing again or by rebooting.

If the root CA certificate is published using an alternative method, the situation described above does not arise, so the problems might not occur.

Microsoft is aware of this issue and is working to improve the certificate and Crypto API experience in a future version of Windows.

To address this issue, avoid distributing the root CA certificate using GPO. This includes any method that targets the registry location (such as HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates) to deliver the root CA certificate to the client. When the root CA certificate is stored in a different, physical, root CA certificate store, the problem should be resolved.

Examples of alternative methods for publishing root CA certificates

Method 1: Use the command-line tool certutil to import the root CA certificate stored in the file rootca.cer:

certutil -addstore root c:\tmp\rootca.cer

Method 2: Import the root CA certificate with the certlm.msc console. The certlm.msc console can be started only by local administrators. Also, the import affects only a single machine.

Method 3: Use GPO preferences to publish the root CA certificate as described in Group Policy Preferences.

To publish the root CA certificate, follow these steps:

1. Manually import the root certificate on a machine by using the certutil -addstore root c:\tmp\rootca.cer command (see Method 1).
2. Open GPMC.msc on the machine on which you've imported the root certificate.
3. Edit the GPO that you would like to use to deploy the registry settings in the following way: edit the Computer Configuration > Group Policy Preferences > Windows Settings > Registry > path to the root certificate.
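A defender-side check, added here and not part of the original article, that lists which root CA certificates exist only in the Group Policy registry store named above (and are therefore exposed to the delete-and-rewrite window), then pulls the Build Chain/Verify Chain Policy failures carrying the signature above out of the CAPI2 log. It assumes an elevated PowerShell session, that the local-computer physical Root store lives under HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates, and that CAPI2 Operational logging has been enabled.

```powershell
# Added example, not from the original article. Assumptions: elevated PowerShell; the
# local-computer physical Root store is HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates;
# CAPI2 logging was enabled with: wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true

# Group Policy physical store (the key the GPO deletes and rewrites) and the local physical store
$policyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
$physicalKey = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates'

function Get-RootThumbprint([string]$Key) {
    if (-not (Test-Path $Key)) { return @() }
    # Each subkey is named after the SHA-1 thumbprint of one root certificate
    Get-ChildItem -Path $Key | ForEach-Object { $_.PSChildName.ToUpperInvariant() }
}

$fromPolicy   = @(Get-RootThumbprint $policyKey)
$fromPhysical = @(Get-RootThumbprint $physicalKey)

# Roots present ONLY in the GPO store vanish during every GPO rewrite; these are the
# candidates to re-publish with certutil -addstore root or a GPP Registry item
$onlyInPolicy = @($fromPolicy | Where-Object { $fromPhysical -notcontains $_ })
"Root CA certificates present only in the Group Policy store: $($onlyInPolicy.Count)"
foreach ($tp in $onlyInPolicy) {
    # The logical LocalMachine\Root store merges both physical stores, so the subject
    # resolves here as long as the GPO copy is present at this moment
    $cert = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $tp }
    $subject = if ($cert) { $cert.Subject } else { '(not visible in logical store right now)' }
    [pscustomobject]@{ Thumbprint = $tp; Subject = $subject }
}

# CAPI2 Error-level events whose XML details carry the article's signature, limited to
# Build Chain / Verify Chain Policy. The rendered Message omits the Result text, so match
# on the event XML. Correlate TimeCreated with Group Policy refresh times to confirm the pattern.
$signature = 'terminated in a root certificate'
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-CAPI2/Operational'; Level = 2 } `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskDisplayName -match 'Build Chain|Verify Chain Policy' -and
                   $_.ToXml() -match $signature } |
    Select-Object TimeCreated, Id, TaskDisplayName, ProcessId |
    Format-Table -AutoSize
```

If the first part reports zero certificates only in the policy store and the second part still shows failures, the cause lies elsewhere than the scenario this article describes.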