September 2022 - Uwe Gradenegger

Renewal of a certificate via the Network Device Enrollment Service (NDES) fails with error code CERT_E_UNTRUSTEDCA

Assume the following scenario:

A certificate is requested through the Network Device Enrollment Service (NDES).
Renewal mode is used here, i.e. the certificate request is signed with an existing certificate.
The request for the new certificate fails with the following error message:

A certification chain processed correctly, but one of the CA
certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)

Installation of a new certification authority certificate fails with error code "ERROR_INVALID_PARAMETER".

Assume the following scenario:

A new Certification Authority certificate is requested for a subordinate Certification Authority and issued by the superordinate Certification Authority.
The Subject Distinguished Name (Subject DN) is identical to that of the previous certification authority certificate.
However, the installation of the certificate authority certificate fails with the following error message:

An error was detected while configuring Active Directory Certificate Services.
The Active Directory Certificate Services Setup Wizard will need to be rerun to complete the configuration.
The new certificate subject name does not exactly match the active CA name.
Renew with a new key to allow minor subject name changes: The parameter is incorrect. 0x80070057 (WIN32: 87 ERROR_INVALID_PARAMETER).

Character encoding in the Subject Distinguished Name of certificate requests and issued certificates

Usually, the encoding of characters and strings in certificates is not a topic of great interest to the users of a PKI. However, there are cases where the default settings of the certification authority do not provide the desired results.