How do I fix missing or multiple CA certificates causing chain issues?

naps1saps

10/7/23, 10:24 PM

There is only one enterprise CA server. The server has 4 certificates configured under properties > general. These certificates show up in the local store of all domain computers under "trusted root certification authorities". On my machine there are also 12 intermediate CA certificates listed for the same server. On the CA server, it lists 24 intermediate CA certs for itself in it's own local store.

If I go to sign a PDF, there are 20 chains and many of the chains are missing the root certificates:

I have verified these problem root certificates are missing from the root CA and the local store.

How do I fix this issue?
Why are there so many chains?
How can I reduce the number of root and intermediate CA certs floating around for the single CA server?

112

0 + 5

certificate-authority

Ace

10/7/23, 11:07 PM

Digicert has a tool to certificates. https://www.digicert.com/kb/util/utility-repair-certificate-without-private-key.htm

naps1saps

10/10/23, 8:49 PM

Thanks but it's not helping with this issue :(

naps1saps

10/10/23, 11:03 PM

I had a theory that a predecessor had created a CA server before the current one nearly 10 years ago. I'm going through the decommissioning article from Microsoft and see two certificate distribution points (CDP) in AD Sites and Services. Assuming I can delete the old one but unsure. I bet this is where the missing Root cert references are coming from. Advice?

Ace

10/10/23, 11:49 PM

The simplest option is look in Active Directory Users and Computers, then locate the ‘Cert Publishers’ group and look at its members. Or you can run adsiedit.msc > CN=Certification Authorities, CN=Public Key Services, CN=Services, CN=Configuration, DC={domain-name},DC={domain-extension} @naps1saps

naps1saps

10/11/23, 5:20 PM

Problem is that both the old and new server used the same CN for the root CA and probably exported the certs and then imported them. They never coexisted. The old server does not exist in AD or in Certification Authorities. However it does exist as a folder in CDP. Reading best practice, whatever was done in the past was not best practice and now we have a mess. `Is it okay to delete the folder in CDP that has the old server name that doesn't exist?`

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: How do I fix missing or multiple CA certificates causing chain issues?

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.