Question
Tuesday, April 19, 2016 5:40 AM
Hi All,
I need to issue a certificate using policy.inf from an enterprise Root CA in Windows Server 2012 R2.
I've connected the CA with the HSM, and created the template for the cert issuance, such as getting the provider to be the HSM KSP.
I could previously issue some certs just fine with the template from the GUI, but then I tried issuing from policy.inf:
[Version]
Signature = "$Windows NT$"
[NewRequest]
Subject = "C=SG, O=Ezlink, CN=test-server.com"
HashAlgorithm = SHA256
KeyAlgorithm = RSA
KeyLength = 2048
Providername = "Safenet Key Storage Provider"
KeyUsage = 0xa0
MachineKeySet = TRUE
[RequestAttributes]
CertificateTemplate=ComputerHSM
Then when I submit, I get this error:
RequestId: 13
RequestId: "13"
Certificate not issued (Denied) Error Constructing or Publishing Certificate A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487 CERT_E_UNTRUSTEDROOT)
Certificate Request Processor: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487 CERT_E_UNTRUSTEDROOT)
Error Constructing or Publishing Certificate
Afterwards, I can't issue any more certs, even with the GUI. Any guidance would be greatly appreciated, thank you kindly,
LOTRCA
All replies (1)
Wednesday, April 20, 2016 5:05 PM ✅Answered
To me this sounds like your Root CA is not trusted by the machine you are on. Is your Root CA still valid? If you go into Certlm.msc and go to Personal\Certificates, is the CA certificate there? Is it also in Trusted Root Certificate Authorities?
Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years. Connect with Mark at http://www.pkisolutions.com
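The checks suggested in the answer can be scripted on the CA server. The following is an added example, not part of the original thread; it assumes the root CA certificate is self-signed and sits in the machine Personal store, and it only reads the stores. A ChainStatus of UntrustedRoot is the same condition the request error reports as CERT_E_UNTRUSTEDROOT.

```powershell
# Added example: read-only checks of the CA certificate on the CA server.
# Run in an elevated PowerShell session. Nothing here modifies any store.

# Assumption: the root CA certificate is a self-signed certificate in
# LocalMachine\My (Personal) with Basic Constraints CA = TRUE.
$caCerts = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Subject -eq $_.Issuer -and
    ($_.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] -and
        $_.CertificateAuthority
    })
}

if (-not $caCerts) {
    Write-Warning 'No self-signed CA certificate found in LocalMachine\My (Personal).'
    return
}

$now = Get-Date
foreach ($cert in $caCerts) {
    # Is the same certificate (matched by thumbprint) in the machine Trusted Root store?
    $inRoot = Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)"

    # Build the chain in machine context, the way a service on this host sees it.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
    # Revocation is skipped so the result reflects only trust and validity.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotBefore     = $cert.NotBefore
        NotAfter      = $cert.NotAfter
        TimeValid     = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        HasPrivateKey = $cert.HasPrivateKey
        InTrustedRoot = $inRoot
        ChainBuilds   = $chainOk
        ChainStatus   = if ($status) { $status } else { 'NoError' }
    }
    $chain.Reset()
}
```

A row with InTrustedRoot = False or TimeValid = False points at the condition the answer asks about.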