The certification authority service does not start and throws the error message "A certificate chain could not be built to a trusted root authority. 0x800b010a (-2146762486 CERT_E_CHAINING)".

Assume the following scenario:

  • A certification authority is implemented in the network.
  • The certification authority service does not start.
  • When trying to start the Certification Authority service, you get the following error message:
A certificate chain could not be built to a trusted root authority. 0x800b010a (-2146762486 CERT_E_CHAINING)

A corresponding event with ID 100 can also be found in the event log of the certification authority:

Active Directory Certificate Services did not start: Could not load or verify the current CA certificate. ADCS Labor Issuing CA 3 A certificate chain could not be built to a trusted root authority. 0x800b010a (-2146762486 CERT_E_CHAINING).

Cause

This error occurs only with the certification authority certificate currently in use. The certification authority always uses the most recently installed certificate for issuing certificates. This error should not occur with the previous certification authority certificates.

The certification authority cannot establish the chain of trust to the certification authority certificate.

Solution: Establish trust status

In addition to the certification authority itself, all other participants must of course also trust the certificates. It therefore makes sense not only to import the certificates into the local certificate store of the certification authority, but also to distribute them centrally throughout the entire Active Directory structure, e.g. via group policies.

In order to start the certification authority service, the certificate chain, i.e. all certificates up to the root certification authority, must be installed in the computer certificate store of the certification authority computer. This can be done via the certificate management console for the local computer account (certlm.msc).

  • Root Certification Authority certificates must be stored in the Trusted Root Certification Authorities certificate store of the computer account.
  • Intermediate Certification Authority certificates must be stored in the "Intermediate Certification Authorities" certificate store of the computer account.
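
The store placement described above can be checked from PowerShell on the certification authority server. The following is an added example, not part of the original article: the function name `Test-CaCertificateChain` is hypothetical, the thumbprint in the usage comment is a placeholder, and revocation checking is deliberately switched off so that only chain building is examined.

```powershell
# Added example: run in an elevated PowerShell session on the CA server.
function Test-CaCertificateChain {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # $true = build the chain in the machine context (computer certificate stores)
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new($true)
    # Assumption: revocation is not checked here, to isolate the chain-building problem
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $built = $chain.Build($Certificate)

    $index = 0
    foreach ($element in $chain.ChainElements) {
        $cert = $element.Certificate
        # Position 0 is the CA certificate itself (store "My").
        # Heuristic: Subject equal to Issuer means root, anything else is an intermediate.
        if ($index -eq 0) { $store = 'My' }
        elseif ($cert.Subject -eq $cert.Issuer) { $store = 'Root' }
        else { $store = 'CA' }

        [pscustomobject]@{
            Position      = $index
            Subject       = $cert.Subject
            ExpectedStore = "Cert:\LocalMachine\$store"
            InStore       = Test-Path "Cert:\LocalMachine\$store\$($cert.Thumbprint)"
            Status        = ($element.ChainElementStatus.Status -join ', ')
        }
        $index++
    }

    # A chain that does not end in a self-signed certificate is missing its issuer
    $last = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($last.Subject -ne $last.Issuer) {
        Write-Warning "No certificate found for issuer: $($last.Issuer)"
    }
    if (-not $built) {
        Write-Warning ("Chain did not build: " + ($chain.ChainStatus.Status -join ', '))
    }
}

# Usage (the thumbprint is a placeholder for your CA certificate):
# Test-CaCertificateChain (Get-Item 'Cert:\LocalMachine\My\<thumbprint>')
```

A row with `InStore` set to `False` points to a certificate that still has to be imported into the listed store, and the issuer warning names the certificate that is missing from the chain entirely.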
