The certificate chain was issued by an authority that is not trusted

search cancel

The certificate chain was issued by an authority that is not trusted

book

Article ID: 176967

calendar_today

Updated On:

Products

IT Management Suite

Issue/Introduction

Computer was not able to register with a secured (https) Notification Server. Reviewing the Altiris Agent logs from the client having the issue the following error messages were found.

Module: AeXNetComms.dll
Source: SecureSocket
Description: InitializeSecurityContext Error Error -2146893019 (2)

Module: AeXNetComms.dll
Source: SecureSocket
Description: Security context handle is invalid (-2146893055)

Module: AeXNetComms.dll
Source: AeXNetworkTransport
Description: Get '<URL TO NS TO CREATE A RESOURCE>' failed: HTTP Request Failed: The certificate chain was issued by an authority that is not trusted. (-2146893019)

Module: AeXNetComms.dll
Source: CoNetworkTransport(116)
Description: HTTP Request Failed: The certificate chain was issued by an authority that is not trusted. (-2146893019)

Module: AeXNSAgent.exe
Source: ConfigServer
Description: RequestPolicies failed: HTTP Request Failed: The certificate chain was issued by an authority that is not trusted. (-2146893019)

Cause

The certificate chain for the CA that assigned the SSL certificate to the Notification Server is not contained within the local certificate store of the client. In this specific case the customer was applying the certificate chain via a GPO. This specific computer had been moved to an OU outside the scope of the GPO.

The certificate for the CA used must reside in the "Trusted Root Certification Authorities/Certificates" certificate container. It would likely be best that it reside in the Computer/Local Computer container - and be assigned on computer basis in AD as well.

Resolution

The customer added the Certificate chain to the local certificate store on the system experiencing the issue. After the certificate was added a refresh of the client policies confirmed that the system was now able to communicate with the Notification Server as the system was assigned a GUID.

Steps to take to install the root certificate from a Windows Certificate Authority Server (CA);

On the Windows CA select the Download a CA Certificate, certificate chain, or CRL
Choose Download certificate chain
Choose the DSE type
Download the certificate in .p7b format
Import this into the Trusted Root Certification Authorities certificate store on all clients that need to trust the certificate chain (connect to the NS/SMP box)
- See this Microsoft Technet article on how to utilize GPO's to distribute the certificate; http://technet.microsoft.com/en-us/library/cc738131(WS.10).aspx

Applies To
Notification Server 6.0 SP3
Symantec Management Platform 7.0

Notification Server/Symantec Management Platform configured to use HTTPS/SSL

Feedback

thumb_up Yes

thumb_down No