
We encountered the problems below. Could someone help?

On some PCs, when a user accesses a website signed by my company CA, IE shows the untrusted certificate page. But the certificate is already imported into the IE Trusted Root store.

If I uncheck "Check for server certificate revocation", there is no warning page.

Verifying the certificate with certutil gives the message below.

certutil -verify -urlfetch test.cert

ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)

CertContext[0][0]: dwInfoStatus=10a dwErrorStatus=20
  Issuer: O=MyCompany Root CA, C=US
  Subject: O=MyCompany Root CA, C=US
  Serial: 

  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
319.1862.0: 0x8007006e (WIN32: 110): ldap:///CN=CRL1, O=MyCompany Root CA, C=US?certificateRevocationList;binary,authorityRevocationList;binary,deltaRevocationList;binary
319.1862.0: 0x8007003a (WIN32: 58): ldap://dc.mycompany.com/o=mycompany%20CA1,c=US?certificateRevocationList;binary
  Failed "CDP" Time: 0
    Error retrieving URL: The system cannot open the device or file specified. 0x8007006e (WIN32: 110)
    ldap:///CN=CRL1, O=MyCompany Root CA, C=US?certificateRevocationList;binary,authorityRevocationList;binary,deltaRevocationList;binary

  Failed "CDP" Time: 0
    Error retrieving URL: The specified server cannot perform the requested operation. 0x8007003a (WIN32: 58)
    ldap://dc.mycompany.com/o=mycompany%20CA1,c=US?certificateRevocationList;binary

  Verified "Base CRL (2419)" Time: 1
    [2.0] http://dc.mycompany.com/CombinedCDP/CRL.crl
  • The 2 steps below seem to solve the problem:
    1. The CA certificate should be installed as Certificate (Local Computer) / Trusted Root.
    2. rundll32 c:\winnt\system32\initpki.dll,DllRegisterServer
    Does anyone know the root cause? Please let me know. – user2374125 Jun 12 '13 at 08:59

1 Answer


I had the same problem. Installing the root certificate on Local Computer > Trusted Root Certification Authorities solved my problem. Installing the root certificate in Current User > Trusted Root Certification Authorities was not required.

hey77
  • Thanks for your reply. My problem is a bit different: after investigation we found it is an IT maintenance problem on old WinXP PCs. After registering the PKI dll, it works. – user2374125 Jan 14 '14 at 01:36
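The certutil output in the question is worth reading closely before touching any store: the chain was built with the HCCE_LOCAL_MACHINE engine, the only error bit is CERT_TRUST_IS_UNTRUSTED_ROOT, and the revocation data was in fact retrieved (the LDAP CDPs fail but the HTTP CDP verifies "Base CRL (2419)"). The local-machine chain engine consults the machine stores only, so a root that was imported into the current user's Trusted Root store is invisible to it, which is consistent with the answer above. The PowerShell script below is an added example, not code from the question or the answer: it reports which Root store actually contains the CA, rebuilds the chain with the same online, exclude-root revocation policy that IE applies when "Check for server certificate revocation" is on, and, if the status is UntrustedRoot, imports the CA into the machine store and re-checks. The file paths, the parameter names and the `Get-RootStorePresence` / `Test-ServerChain` helpers are assumptions for illustration; export the server certificate and the root CA certificate to `.cer` files first, and run the script elevated if the import is needed.

```powershell
# Added example, not from the original post. The .cer paths are placeholders.
param(
    [string]$LeafPath = 'C:\temp\test.cer',             # exported server certificate (placeholder)
    [string]$RootPath = 'C:\temp\MyCompanyRootCA.cer'   # exported root CA certificate (placeholder)
)

$ns   = 'System.Security.Cryptography.X509Certificates'
$leaf = New-Object "$ns.X509Certificate2" -ArgumentList $LeafPath
$root = New-Object "$ns.X509Certificate2" -ArgumentList $RootPath

function Get-RootStorePresence {
    # Reports whether the CA sits in the user or the machine Trusted Root store.
    param([string]$Thumbprint)
    foreach ($location in 'CurrentUser', 'LocalMachine') {
        $hit = Get-ChildItem "Cert:\$location\Root" |
               Where-Object { $_.Thumbprint -eq $Thumbprint }
        [pscustomobject]@{ Store = "$location\Root"; Present = [bool]$hit }
    }
}

function Test-ServerChain {
    # Builds the chain with online revocation checking and the root excluded, i.e. the
    # CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT policy shown in the certutil output.
    # $UseMachineContext = $true mirrors the HCCE_LOCAL_MACHINE engine, which only
    # sees the machine stores, not the current user's.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
          [bool]$UseMachineContext = $true)
    $chain = New-Object "$ns.X509Chain" -ArgumentList $UseMachineContext
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $built = $chain.Build($Certificate)
    [pscustomobject]@{
        Builds   = $built
        # e.g. UntrustedRoot, RevocationStatusUnknown, OfflineRevocation
        Status   = @($chain.ChainStatus | ForEach-Object { $_.Status })
        # one line per element, like certutil's CertContext[i][j] lines
        Elements = @($chain.ChainElements | ForEach-Object {
            '{0} [{1}]' -f $_.Certificate.Subject, (@($_.ChainElementStatus | ForEach-Object { $_.Status }) -join ',')
        })
    }
}

Get-RootStorePresence -Thumbprint $root.Thumbprint | Format-Table -AutoSize
$before = Test-ServerChain -Certificate $leaf
"Before: builds=$($before.Builds) status=$($before.Status -join ',')"
$before.Elements

if ($before.Status -contains 'UntrustedRoot') {
    # Remediation from the answer: the CA belongs in the *machine* Trusted Root store.
    # Requires an elevated prompt. Import-Certificate ships with the PKI module on
    # Windows 8 / Server 2012 and later; on older systems use:
    #   certutil -addstore -f Root $RootPath
    Import-Certificate -FilePath $RootPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    $after = Test-ServerChain -Certificate $leaf
    "After:  builds=$($after.Builds) status=$($after.Status -join ',')"
    $after.Elements
}
```

Two things to keep in mind when using it. Putting a CA into LocalMachine\Root is a trust decision for every user and service on that machine, so confirm the root's thumbprint out of band before importing it, and only do this for your organisation's own CA. And if the "After" run still reports RevocationStatusUnknown or OfflineRevocation rather than UntrustedRoot, the remaining problem is CRL retrieval, not trust; re-running `certutil -verify -urlfetch` against the server certificate will show which CDP URL is failing.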