The certificate chain was issued by an authority that is not trusted

Article ID: 176967

Products

IT Management Suite

Issue/Introduction

A computer was not able to register with a secured (HTTPS) SMP (Symantec Management Platform) Server. The Altiris Agent logs on the affected client contained the following error messages:

Module: AeXNetComms.dll
Source: SecureSocket
Description: InitializeSecurityContext Error Error -2146893019 (2)

Module: AeXNetComms.dll
Source: SecureSocket
Description: Security context handle is invalid (-2146893055)

Module: AeXNetComms.dll
Source: AeXNetworkTransport
Description: Get '<URL TO NS TO CREATE A RESOURCE>' failed: HTTP Request Failed: The certificate chain was issued by an authority that is not trusted. (-2146893019)

Module: AeXNetComms.dll
Source: CoNetworkTransport(116)
Description: HTTP Request Failed: The certificate chain was issued by an authority that is not trusted. (-2146893019)

Module: AeXNSAgent.exe
Source: ConfigServer
Description: RequestPolicies failed: HTTP Request Failed: The certificate chain was issued by an authority that is not trusted. (-2146893019)

Environment

ITMS 8.x

Cause

The certificate chain for the CA that issued the SSL certificate to the SMP Server is not present in the local certificate store of the client. In this specific case the certificate chain was being installed via a GPO, and this computer had been moved to an OU outside the scope of that GPO.

The certificate for the CA used must reside in the "Trusted Root Certification Authorities/Certificates" certificate container. It is likely best for it to reside in the Computer/Local Computer container, and to be assigned on a per-computer basis in AD as well.

Resolution

Add the certificate chain to the local certificate store on the system experiencing the issue. After the certificate was added, a refresh of the client policies confirmed that the system was now able to communicate with the SMP Server, as the system was assigned a GUID.

Steps to take to install the root certificate from a Windows Certificate Authority Server (CA):

  • On the Windows CA, select Download a CA certificate, certificate chain, or CRL
  • Choose Download certificate chain
  • Choose the DER type
  • Download the certificate in .p7b format
  • Import this into the Trusted Root Certification Authorities certificate store on all clients that need to trust the certificate chain (that is, all clients that connect to the NS/SMP server)
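
The import step above can be scripted so that the root is checked before it is trusted machine-wide and the result is confirmed with a fresh TLS handshake. This is an added example, not part of the original article or a vendor script. The file path, host name, port 443 and thumbprint are placeholders, and placing any intermediates in the Intermediate Certification Authorities store is this example's own choice. Run it from an elevated prompt.

```powershell
# Added example. Placeholders (assumptions, not values from the article):
$ChainFile = 'C:\Temp\certnew.p7b'     # .p7b downloaded from the Windows CA
$SmpHost   = 'smp.example.local'       # SMP server name as it appears in its certificate
$RootThumb = '<ROOT-CA-THUMBPRINT>'    # confirmed with the CA administrators out of band

# Parse the PKCS #7 bundle in memory; nothing is installed yet.
$bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$bundle.Import($ChainFile)

# A root CA certificate is self-signed: subject and issuer are identical.
$roots         = @($bundle | Where-Object { $_.Subject -eq $_.Issuer })
$intermediates = @($bundle | Where-Object { $_.Subject -ne $_.Issuer })

# Refuse to extend machine-wide trust to an unexpected root.
if ($roots.Count -ne 1 -or $roots[0].Thumbprint -ne $RootThumb) {
    throw 'Bundle does not contain exactly the expected root CA; nothing imported.'
}

function Add-ToMachineStore($StoreName, $Certs) {
    # Open the named Local Computer store and add each certificate to it.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
    $store.Open('ReadWrite')
    try { foreach ($c in $Certs) { $store.Add($c) } } finally { $store.Close() }
}

Add-ToMachineStore 'Root' $roots           # Trusted Root Certification Authorities
Add-ToMachineStore 'CA'   $intermediates   # Intermediate Certification Authorities

# Repeat the handshake the agent failed on, using Windows' default chain validation.
$tcp = New-Object System.Net.Sockets.TcpClient($SmpHost, 443)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream())
    $ssl.AuthenticateAsClient($SmpHost)    # throws if the chain is still not trusted
    "Chain trusted: $($ssl.RemoteCertificate.Subject)"
} catch {
    "TLS handshake failed: $($_.Exception.Message)"
} finally {
    $tcp.Close()
}
```

If the handshake check still fails after the import, compare the issuer of the certificate the server presents with the subjects in the bundle before adding anything further to the root store.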

NOTE: The following Microsoft TechNet article provides guidance on how to use GPOs to distribute certificates:

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc738131(v=ws.10)?redirectedfrom=MSDN