Certificate validation fails when a certificate has multiple trusted certification paths to root CAs
The security certificate presented by this website was not issued by a trusted certificate authority.
After the user clicks Continue to this website (not recommended), the user can access the secured website.
For example, assume that the client computer that you are using trusts "Root certification authority (CA) certificate (2)," and the web server trusts "Root CA certificate (1)" and "Root CA certificate (2)." Additionally, the certificate has the following two certification paths to the trusted root CAs on the web server:
- Certification path 1: Website certificate - Intermediate CA certificate - Root CA certificate (1)
- Certification path 2: Website certificate - Intermediate CA certificate - Cross root CA certificate - Root CA certificate (2)
When Certification path 1 and Certification path 2 have the same quality score, CryptoAPI selects the shorter path (Certification path 1) and sends the path to the client. However, the client computer can verify the certificate only by using the longer certification path that links to Root CA certificate (2). Therefore, the certificate validation fails.
To do this, follow these steps:
- Log on to the web server as a system administrator.
- Add the Certificate snap-in to Microsoft Management Console. To do this, follow these steps:
- Click Start, click Run, type mmc, and then press Enter.
- On the File menu, click Add/Remove Snap-in.
- Select Certificates, click Add, select Computer account, and then click Next.
- Select Local computer (the computer this console is running on), and then click Finish.
- Click OK.
- Expand Certificates (Local Computer) in the management console, and then locate the certificate on the certificate path that you do not want to use. Note If the certificate is a root CA certificate, it is contained in Trusted Root Certification Authorities. If the certificate is an intermediate CA certificate, it is contained in Intermediate Certification Authorities.
- Delete or disable the certificate by using one of the following methods:
- To delete a certificate, right-click the certificate, and then click Delete.
- To disable a certificate, right-click the certificate, click Properties, select Disable all purposes for this certificate, and then click OK.
- Restart the server if the issue is still occuring.
- Click Start, click Run, type gpedit.msc, and then press Enter.
- Expand Computer Configuration, expand Administrative Templates, expand System, expand Internet Communication Management, and then click Internet Communication settings.
- Double-click Turn off Automatic Root Certificates Update, select Enabled, and then click OK.
- Close the Local Group Policy Editor.
Id. de artículo: 2831004 - Última revisión: 08/23/2013 07:18:00 - Revisión: 4.0
- kbprb kbsurveynew kbexpertiseadvanced KB2831004