
How do I fix missing or multiple CA certificates causing chain issues?


There is only one enterprise CA server. The server has 4 certificates configured under properties > general. These certificates show up in the local store of all domain computers under "trusted root certification authorities". On my machine there are also 12 intermediate CA certificates listed for the same server. On the CA server, it lists 24 intermediate CA certs for itself in its own local store.

If I go to sign a PDF, there are 20 chains and many of the chains are missing the root certificates.

I have verified these problem root certificates are missing from the root CA and the local store.

  1. How do I fix this issue?
  2. Why are there so many chains?
  3. How can I reduce the number of root and intermediate CA certs floating around for the single CA server?
Ace: Digicert has a tool to repair certificates. https://www.digicert.com/kb/util/utility-repair-certificate-without-private-key.htm
naps1saps: Thanks, but it's not helping with this issue :(
naps1saps: I had a theory that a predecessor had created a CA server before the current one nearly 10 years ago. I'm going through the decommissioning article from Microsoft and see two certificate distribution points (CDP) in AD Sites and Services. Assuming I can delete the old one but unsure. I bet this is where the missing Root cert references are coming from. Advice?
Ace: The simplest option is look in Active Directory Users and Computers, then locate the ‘Cert Publishers’ group and look at its members. Or you can run adsiedit.msc > CN=Certification Authorities, CN=Public Key Services, CN=Services, CN=Configuration, DC={domain-name},DC={domain-extension} @naps1saps
naps1saps: Problem is that both the old and new server used the same CN for the root CA and probably exported the certs and then imported them. They never coexisted. The old server does not exist in AD or in Certification Authorities. However it does exist as a folder in CDP. Reading best practice, whatever was done in the past was not best practice and now we have a mess. `Is it okay to delete the folder in CDP that has the old server name that doesn't exist?`