Could not locate the complete trust chain for this certificate error
Hello all. I am at wit's end. I do admit I am not a cert guru, that's for sure. I am in the process of doing a Smartcard implementation. I have an OverSeas ROOT CA and I created a SUB CA here in the US for me (because the software tech support for smartcards told me we needed to do this).
My cert template is issued to my SUB CA, for which I am registering the cert to my smartcard. I see the Cert on my Smartcard (AND I also see it in AD), but when I view the cert I see the error "Could not locate the complete trust chain for this certificate".
Now if I look into the MMC for Certs Current Users Trusted Root Certification Authorities I see my ROOT CA but I do not see my SUB CA listed. Is this my issue here? I'm assuming I also should see my SUB CA here as well? How do I put my SUB CA in AD so it pushes it to all my clients? Or is this not my issue?
I hope I gave a good explanation of my issue and any info will be much appreciated.
Thanks
July 1st, 2010 5:51pm
Was your sub CA created as a standalone or enterprise CA?
July 1st, 2010 6:13pm
I did an Enterprise Sub CA and chose my Root CA during the installation.
When I log into my Root CA I expand the Root CA and I see my Sub CA in there as well.
July 1st, 2010 6:43pm
If it was enterprise it should be in AD and should be propagated to all domain clients automatically. How long ago was the CA created? Has AD replication occurred between the sites? Are there any replication issues between the sites?
July 1st, 2010 7:06pm
It's been a month and all replication is showing as fine. I just clicked on Intermediate Certification Authorities and I see the Certificate under that folder. So both the Root CA and Sub CA are under Intermediate Certification Authorities BUT only the Root CA is under Trusted Root Certification Authorities.
Is this correct or is something wrong?
July 1st, 2010 8:38pm
No, that is correct. Double click on the subca cert in the mmc and make sure you see the rootca cert listed in the chain. Make sure the cert is valid also.
July 1st, 2010 10:42pm
It sounds like the complete chain cannot be built on the DC for your smart card logon certificate. The chain looks like this:
Root CA <---- Sub CA <---- Smart Card certificate
To verify the problem:
1. Attach a smart card reader to your domain controller. You can also use the Remote Desktop Client from a Windows client computer to connect remotely to the DC. As long as you have selected the option in the RDC to redirect your smart card reader, this will work.
2. Logon with username/password of an Admin account, and insert your card into the reader.
3. Run certutil -scinfo and press enter.
Certutil will attempt to validate your smart card certificate in much the same way that the domain controller would during smart card logon. It will output the results to the screen.
The most likely cause for an error like this is that the sub CA certificate is not located in the Intermediate Certification Authorities store on the domain controller. This normally isn't a problem if your smart card logon certificate has an Authority Information Access (AIA) extension that contains some URLs from which the DC can dynamically retrieve the sub CA certificate. To check the AIA extension, locate your certificate in the Personal store, double-click on it to open it, and then click on the Details tab. This will show you a list of all the fields and extensions for the certificate. Locate the Authority Information Access extension and review the URLs it contains. Make sure those URLs are reachable.
Hope this helps,
Jonathan Stephens
July 2nd, 2010 8:35pm
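The check described in the answer above (build the chain for the smart card logon certificate the way the DC does, then inspect the AIA URLs) can be scripted. The following PowerShell is an added example for this thread, not code from any of the posters; it assumes the card's certificate is in the CurrentUser\My store and carries the Smart Card Logon EKU, and it probes only HTTP AIA locations.

```powershell
# Added example (not from the thread). Builds the chain for a smart card logon
# certificate with the same online revocation checking a DC applies, reports
# any chain status (PartialChain is the "could not locate the complete trust
# chain" symptom), then lists and probes the AIA URLs the DC would use to
# fetch a missing Sub CA certificate. Assumes CurrentUser\My holds the card cert.

function Test-SmartCardCertChain {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online revocation for the entire chain, as the DC's chain engine does at logon.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain

    $built = $chain.Build($Certificate)

    Write-Host "Subject              : $($Certificate.Subject)"
    Write-Host "Chain built          : $built"
    # ChainElements are ordered leaf first; the last element should be the Root CA.
    $i = 0
    foreach ($element in $chain.ChainElements) {
        Write-Host ("  [{0}] {1}" -f $i, $element.Certificate.Subject)
        $i++
    }
    foreach ($status in $chain.ChainStatus) {
        Write-Warning ("Chain status: {0} - {1}" -f $status.Status, $status.StatusInformation.Trim())
    }

    # Authority Information Access extension, OID 1.3.6.1.5.5.7.1.1.
    $aia = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
    if (-not $aia) {
        Write-Warning "No AIA extension: the Sub CA cert must already be in the DC's Intermediate CA store."
        return $built
    }

    # Format($true) renders the extension as text; pull out every URL= entry.
    $urls = [regex]::Matches($aia.Format($true), 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
    foreach ($url in $urls) {
        if ($url -like 'http*') {
            try {
                $null = Invoke-WebRequest -Uri $url -Method Head -UseBasicParsing -TimeoutSec 10
                Write-Host "  AIA reachable    : $url"
            } catch {
                Write-Warning "  AIA unreachable  : $url ($($_.Exception.Message))"
            }
        } else {
            # ldap:/// AIA entries are resolved against AD; only reported here, not probed.
            Write-Host "  AIA (not probed) : $url"
        }
    }
    return $built
}

# Usage: run against every Smart Card Logon certificate (EKU 1.3.6.1.4.1.311.20.2.2)
# in the current user's Personal store, i.e. the certificate(s) from the inserted card.
Get-ChildItem Cert:\CurrentUser\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.4.1.311.20.2.2' } |
    ForEach-Object { Test-SmartCardCertChain -Certificate $_ }
```

Run it on the DC (or in an RDP session with the reader redirected) after logging on with an admin account, as the answer describes; a PartialChain status together with an unreachable or missing AIA URL points at the Sub CA certificate not being available to the DC.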
Thanks for that info. I ran the util and everything seems good to go and I also checked the AIA and I was able to get to it. Maybe since the cert is on a Smartcard I am getting the "Could not locate the complete trust chain for this certificate" error, because if I double click the cert in my Personal Certs in MMC I don't get that message. I think my problem is that my Superseding isn't working. I have the issue to where the overseas Domain admins have an Exchange encryption cert auto generating and it's messing my email encryption certs (Politics Politics huh :( :)
messing my email encryption certs (Politics Politics huh :( :)
I added their cert template to my supersede list on my Cert though, which should solve the issue. If I make changes to a Cert template, do I have to then delete the issued one and reissue it again?
July 2nd, 2010 10:32pm
JerrySAS -
Where exactly are you seeing this error message? When you view the certificate in the Certificates MMC, what usages do you see listed under the Intended Purposes column?
Are you actually able to log on to a workstation with the smart card? Are you able to log on to the console on the DC with the smart card?
In general, when you make a change to a certificate template you have to either renew your existing certificate or enroll for a new one, but supersedence only works for autoenrolled certificates. If you manually enroll for a certificate based on a particular template, one that you've superseded with another template, the CA is not going to ignore the certificate template information in the request and give you a certificate based on the superseding template.
For a description of how Certificate Supersedence actually works, view this link. It may not be what you intend.
Jonathan Stephens
This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
July 5th, 2010 8:15am