Certificate validation fails when a certificate has multiple trusted certification paths to root CAs

Article ID: 2831004

Symptoms

When a user tries to access a secured website, the user receives the following warning message in the web browser:
There is a problem with this website's security certificate.

The security certificate presented by this website was not issued by a trusted certificate authority.

After the user clicks Continue to this website (not recommended), the user can access the secured website. 

Cause

This issue occurs because the website certificate has multiple trusted certification paths on the web server. 

For example, assume that the client computer that you are using trusts "Root certification authority (CA) certificate (2)," and the web server trusts "Root CA certificate (1)" and "Root CA certificate (2)." Additionally, the certificate has the following two certification paths to the trusted root CAs on the web server: 
  1. Certification path 1: Website certificate - Intermediate CA certificate - Root CA certificate (1)
  2. Certification path 2: Website certificate - Intermediate CA certificate - Cross root CA certificate - Root CA certificate (2)
When the computer finds multiple trusted certification paths during the certificate validation process, Microsoft CryptoAPI selects the best certification path by calculating the score of each chain. A score is calculated based on the quality and quantity of the information that a certificate path can provide. If the scores for the multiple certification paths are the same, the shortest chain is selected.  

When Certification path 1 and Certification path 2 have the same quality score, CryptoAPI selects the shorter path (Certification path 1) and sends the path to the client. However, the client computer can verify the certificate only by using the longer certification path that links to Root CA certificate (2). Therefore, the certificate validation fails. 
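The following PowerShell script is an added diagnostic; it is not part of this article. Run it on the web server as an administrator to see which certification path CryptoAPI selects for the website certificate and to find the cross certificate that creates the second path. It assumes you replace the thumbprint placeholder with the thumbprint of the website certificate in the Local Computer\Personal store, and that the .NET X509Chain class (which calls the CryptoAPI chain engine) reflects the same path selection the server uses.

```powershell
# Added diagnostic, not from the KB article. Run on the web server as an administrator.
# Builds the chain for the website certificate the way CryptoAPI does (X509Chain uses
# the same chain engine), prints the path it selected, then lists CA subjects that exist
# with more than one issuer: a self-signed root plus a cross certificate is what creates
# the second certification path described above.

# Assumption: thumbprint of the website certificate in Local Computer\Personal.
$ServerCertThumbprint = 'REPLACE_WITH_WEBSITE_CERT_THUMBPRINT'

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $ServerCertThumbprint }
if (-not $cert) { throw "Website certificate $ServerCertThumbprint not found in Cert:\LocalMachine\My" }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Revocation checking is switched off so the output reflects path selection only.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$null = $chain.Build($cert)

Write-Host 'Certification path selected on this server (leaf first):'
$i = 0
foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    $tag = if ($c.Subject -eq $c.Issuer) { ' (self-signed root)' } else { '' }
    Write-Host ('  [{0}] {1}{2}' -f $i, $c.Subject, $tag)
    Write-Host ('       issuer:     {0}' -f $c.Issuer)
    Write-Host ('       thumbprint: {0}' -f $c.Thumbprint)
    $i++
}
foreach ($status in $chain.ChainStatus) {
    Write-Host ('  status: {0} - {1}' -f $status.Status, $status.StatusInformation.Trim())
}

# A cross certificate carries the same Subject as a root CA but is issued by a different
# CA. Every subject that appears with more than one distinct issuer across the Trusted
# Root and Intermediate stores is therefore a candidate for the path you do not want.
Write-Host ''
Write-Host 'CA subjects with more than one issuer (possible cross certificates):'
Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
    Group-Object -Property Subject |
    Where-Object { @($_.Group | Select-Object -ExpandProperty Issuer -Unique).Count -gt 1 } |
    ForEach-Object {
        Write-Host ('  ' + $_.Name)
        foreach ($c in $_.Group) {
            Write-Host ('     issuer: {0}' -f $c.Issuer)
            Write-Host ('     thumbprint: {0}   store: {1}' -f $c.Thumbprint, $c.PSParentPath)
        }
    }
```

If the printed path ends at a root the client does not trust, the certificate listed under the same subject with a different issuer is the cross certificate that the workaround below removes or disables. Running the same script on a client computer shows the path that client can build, which makes the mismatch between server and client visible.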

Workaround

To work around this issue, delete or disable the certificate from the certification path that you do not want to use.

To do this, follow these steps:
  1. Log on to the web server as a system administrator.
  2. Add the Certificate snap-in to Microsoft Management Console. To do this, follow these steps:
    1. Click Start, click Run, type mmc, and then press Enter.
    2. On the File menu, click Add/Remove Snap-in.
    3. Select Certificates, click Add, select Computer account, and then click Next.
    4. Select Local computer (the computer this console is running on), and then click Finish.
    5. Click OK.
  3. Expand Certificates (Local Computer) in the management console, and then locate the certificate on the certificate path that you do not want to use. 
    Note If the certificate is a root CA certificate, it is contained in Trusted Root Certification Authorities. If the certificate is an intermediate CA certificate, it is contained in Intermediate Certification Authorities.
  4. Delete or disable the certificate by using one of the following methods: 
    • To delete a certificate, right-click the certificate, and then click Delete.
    • To disable a certificate, right-click the certificate, click Properties, select Disable all purposes for this certificate, and then click OK.
  5. Restart the server if the issue is still occurring.
Additionally, if the Turn off Automatic Root Certificates Update Group Policy setting is disabled or not configured on the server, the certificate from the certification path that you do not want to use may be enabled or installed when the next chain building occurs. To change the Group Policy setting, follow these steps:
  1. Click Start, click Run, type gpedit.msc, and then press Enter.
  2. Expand Computer Configuration, expand Administrative Templates, expand System, expand Internet Communication Management, and then click Internet Communication settings.
  3. Double-click Turn off Automatic Root Certificates Update, select Enabled, and then click OK.
  4. Close the Local Group Policy Editor.
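The following PowerShell script is an added, scripted form of the workaround above; it is not part of this article. It assumes you supply the thumbprint and store of the CA certificate you do not want (Root for Trusted Root Certification Authorities, CA for Intermediate Certification Authorities), and that the Group Policy setting Turn off Automatic Root Certificates Update writes the DisableRootAutoUpdate value under HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot; that registry location is not stated in the article and is taken from the policy template, so verify it against your own environment.

```powershell
# Added example, not from the KB article. Run on the web server as an administrator.
# Removes the CA certificate that belongs to the certification path you do not want,
# keeps a backup so the change can be reverted, then sets the policy value so that
# automatic root update does not reinstall the certificate on the next chain build.

# Assumptions: thumbprint of the unwanted CA certificate and the store it lives in.
$UnwantedThumbprint = 'REPLACE_WITH_UNWANTED_CA_THUMBPRINT'
$StoreName = 'CA'   # 'Root' for Trusted Root CAs, 'CA' for Intermediate CAs

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$found = $store.Certificates.Find(
    [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint,
    $UnwantedThumbprint, $false)
if ($found.Count -ne 1) {
    $store.Close()
    throw "Expected exactly one certificate with thumbprint $UnwantedThumbprint in $StoreName, found $($found.Count)"
}
$unwanted = $found[0]

# Export a copy first; it can be re-imported with certutil -addstore if the wrong
# certificate was removed.
$backup = Join-Path $env:TEMP ('removed-' + $unwanted.Thumbprint + '.cer')
[System.IO.File]::WriteAllBytes($backup,
    $unwanted.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))

$store.Remove($unwanted)
$store.Close()
Write-Host "Removed '$($unwanted.Subject)' from $StoreName; backup written to $backup"

# Equivalent of enabling "Turn off Automatic Root Certificates Update" in gpedit.msc.
# Assumption: the policy maps to DisableRootAutoUpdate = 1 under this key.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
if (-not (Test-Path $policyKey)) { $null = New-Item -Path $policyKey -Force }
Set-ItemProperty -Path $policyKey -Name 'DisableRootAutoUpdate' -Value 1 -Type DWord
Write-Host ("DisableRootAutoUpdate = {0}" -f (Get-ItemProperty -Path $policyKey).DisableRootAutoUpdate)
Write-Host 'Restart the server if the issue is still occurring.'
```

Removing only the cross certificate (and leaving both roots in place) is usually enough: without it the server can no longer build the longer path, and clients that trust only Root CA certificate (2) still build their own path from the intermediate certificate they receive.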

Status

This behavior is by design.

Properties

Article ID: 2831004 - Last Review: August 23, 2013 - Revision: 4.0
Applies to
  • Windows Server 2008 R2 Datacenter
  • Windows Server 2008 R2 Foundation
  • Windows Server 2008 R2 Standard
  • Windows Web Server 2008 R2
  • Windows 7 Enterprise
  • Windows 7 Home Premium
  • Windows 7 Home Basic
  • Windows 7 Professional
  • Windows 7 Ultimate
  • Windows Server 2008 Datacenter
  • Windows Server 2008 Foundation
  • Windows Server 2008 Standard
  • Windows Web Server 2008
  • Windows Vista Business
  • Windows Vista Enterprise
  • Windows Vista Home Basic
  • Windows Vista Home Premium
  • Windows Vista Ultimate
Keywords: 
kbprb kbsurveynew kbexpertiseadvanced KB2831004
