Renewal of a certificate via the Network Device Enrollment Service (NDES) fails with error code CERT_E_UNTRUSTEDCA

Assume the following scenario:

  • A certificate is requested through the Network Device Enrollment Service (NDES).
  • Renewal mode is used here, i.e. the certificate request is signed with an existing certificate.
  • The request for the new certificate fails with the following error message:

    A certification chain processed correctly, but one of the CA
    certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)

The Network Device Enrollment Service (NDES) provides a way for devices that do not have an identity in Active Directory (for example, network devices such as routers, switches, printers, thin clients, or smartphones and tablets) to request certificates from a certification authority. For a more detailed description, see the article "Network Device Enrollment Service (NDES) Basics".

The error code is displayed only on the client, and how it is shown depends on the SCEP client used. The PSCertificateEnrollment PowerShell module evaluates the error codes returned by the NDES server, but other clients may not.

On the NDES server itself, only Event ID 28 is logged, which can easily be misleading.

Cause

The reason is that, to use renewal mode via NDES, the certification authority that issued the certificate being renewed must be a member of NTAuthCertificates. If the certification authority has been removed from NTAuthCertificates, renewal mode cannot be used.
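The following PowerShell check is an added example, not part of the original article or the PSCertificateEnrollment module: it takes the certificate that would sign the renewal request, determines its issuing CA, and compares that CA against the cACertificate values of the NTAuthCertificates object in the Active Directory configuration partition. It assumes a domain-joined machine, a certificate in Cert:\LocalMachine\My, and a thumbprint supplied by the reader (placeholder below).

```powershell
# Added check (not from the original article): is the CA that issued an existing
# certificate a member of NTAuthCertificates? That membership is the prerequisite
# for NDES renewal mode; without it, renewal fails with CERT_E_UNTRUSTEDCA.
# Assumptions: domain-joined host, certificate in Cert:\LocalMachine\My,
# thumbprint is a placeholder that must be replaced.
param(
    [string]$Thumbprint = '<THUMBPRINT-OF-CERT-TO-RENEW>'   # placeholder
)

# 1. Load the certificate that would sign the renewal request.
$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"

# 2. Build its chain (no revocation check; we only need the issuer element).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$null = $chain.Build($cert)
if ($chain.ChainElements.Count -lt 2) {
    throw "No issuer found for $Thumbprint (self-signed or chain could not be built)"
}
$issuerCert = $chain.ChainElements[1].Certificate

# 3. Read NTAuthCertificates from the Configuration naming context in AD.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = $rootDse.configurationNamingContext
$ntAuth   = [ADSI]"LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$configNc"
$ntAuthThumbprints = foreach ($raw in $ntAuth.Properties['cACertificate']) {
    # Each value is the DER-encoded CA certificate.
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([byte[]]$raw).Thumbprint
}

# 4. Compare the issuing CA's thumbprint with the NTAuth members.
if ($ntAuthThumbprints -contains $issuerCert.Thumbprint) {
    "OK: issuing CA '$($issuerCert.Subject)' is in NTAuthCertificates; NDES renewal mode can be used."
} else {
    "PROBLEM: issuing CA '$($issuerCert.Subject)' is NOT in NTAuthCertificates; expect CERT_E_UNTRUSTEDCA on renewal."
}
```

If the CA is reported missing, re-adding its certificate to NTAuthCertificates (or renewing via a fresh, non-renewal enrollment) resolves the failure described above.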
