Requesting a certificate fails with the error message "A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)".

Author Uwe GradeneggerPosted on Categories Security, Troubleshooting, Certification AuthorityTags

Here's the scenario:

  • A user applies for a certificate from an Active Directory integrated certification authority (Enterprise Certification Authority).
  • The certificate of the certification authority is trusted, i.e. it is located in the Trusted Root Certification Authorities store.
  • The certificate request fails with the following error message:
A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)

The Certification Authority will use the Event with no. 22 log.

Cause

In this case, an attempt was made to archive private keys. For this purpose, a key recovery agent (KRA) was configured on the certification authority. However, the certification authority that issued the certificate of the key recovery agent was deleted from the NTAuthCertificates Object removed.

The NTAuthCertificates object is located below the Public Key Services container within the configuration partition of the Active Directory forest. It contains all the certificate authority certificates that can be used for certificate-based logon in the Windows ecosystem.

The full LDAP path is:

CN=NTAuthCertificates,CN=Public Key Services,CN=Services,CN=Configuration,{Forest-Root-Domain}

The following certificate-based functions require the presence of the CA certificate in NTAuthCertificates object:

FunctionDescription
Enroll on Behalf Of (EOBO)The CA certificate of the certification authority that issues the certificates for the enrollment agents must be located in NTAuthCertificates.
Key Recovery / Private Key ArchivingThe CA certificate of the certification authority that archives the keys must be located in NTAuthCertificates.
Smartcard LogonThe CA certificate of the certification authority that issues the certificates of the domain controllers and logon users must be located in NTAuthCertificates.
Windows Hello for BusinessIdentical to Smartcard Logon. If Windows Hello for Business is used without certificates, only the certification authority for domain controllers must be entered.
Network Policy Server (Network Policy Server, NPS) when certificate-based logins are processed (e.g. 802.1x over wireless or wired network, DirectAccess, Always ON VPN).The CA certificate of the certification authority that issues the certificates of the logging in users or computers must be located in NTAuthCertificates.
EFS File Recovery AgentsThe CA certificate of the certification authority that issues the certificates of the file recovery agents must be located in NTAuthCertificates.
IIS Client Certificate Mapping (against Active Directory)The CA certificate of the certification authority that issues the certificates of the logging in users must be located in NTAuthCertificates.
Network Device Enrollment Service (Network Device Enrollment Service, NDES), Renewal mode onlyOnly affects renewal mode, i.e. signing a certificate request with an existing certificate.
The CA certificate of the certification authority that issued the certificates of the certificates to be renewed must be located in NTAuthCertificates.

If an Active Directory integrated certificate authority (Enterprise CA) is newly installed, its CA certificate is automatically copied to the NTAuthCertificates object by the installation routine. In the present case, the CA certificate was subsequently removed from the object.

The object can be inspected with the ADSI Editor (adsiedit.msc), for example, but the CA certificates cannot be viewed directly here because they are stored as a byte array.

However, one can check which certificates are in NTAuthCertificates with the following command line command, for example:

certutil -enterprise -verifystore NTAuth

In the image above, you can see that a CERT_E_UNTRUSTEDCA message also appears here, although a certification authority certificate is present. This seems normal, here you should not be irritated by the message.

Likewise, a check is possible with the Enterprise PKI Management Console (pkiview.msc), which is installed together with the Certificate Authority Management tools. Within the tree view on the left, right-click on the top node and select Manage AD Containers...

Then the list of certificates can be found in the NTAuthCertificates tab.

So if it turns out that the certificate authority certificate is not included here, you can add it in the same dialog.

Likewise, it is possible to add a certificate authority certificate with the following command line command.

certutil -dspublish {filename} NTAuthCA

For security reasons, it may well be advisable for a certificate authority certificate not to be in the NTAuthCertificates object. Added CA certificates are considered trusted by all previously listed functions. This can be a security risk, assuming the CA is taken over by an attacker. Before adding new CA certificates to the NTAuthCertificates object, a security assessment should take place. Usually there is a reason that the CA certificate on NTAuthCertificates was removed.

Related links:

3 thoughts on “Die Beantragung eines Zertifikats schlägt fehl mit der Fehlermeldung „A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)“”

  1. Pingback: Editing the NTAuthCertificates object in Active Directory - Uwe Gradenegger
  2. Pingback: Details about the event with ID 52 of the source Microsoft-Windows-CertificateServicesClient-CertEnroll - Uwe Gradenegger
  3. Pingback: Remote desktop certificate request fails with error message "The requested certificate template is not supported by this CA." - Uwe Gradenegger

Comments are closed.

en_USEnglish
de_DEDeutsch en_USEnglish