Certification Path in Certificates Snap-in of mmc ok, but in IIS Manager not

Stefan Horz 3,466 Reputation points
2023-04-24T18:43:00.0733333+00:00

Hi, I exported a Server and Client Authentication Certificate with the private key protected by password from Windows Server 2019. I re-installed the System with Windows Server 2016 and imported the pfx again. In the Certificates Snap-in of mmc.exe the Certificate looks ok.

But in Internet Information Service (IIS) Manager I get "Windows does not have enough information to verify this certificate." and "The issuer of this certificate could not be found.".

I guess I have just checked "Include all certificates in the certification path if possible." when exporting (which is default). Is there any chance or any advice to get the Certificate (which looks ok in mmc) also working in IIS?

Regards, Stefan


Accepted answer
  1. TengFeiXie-MSFT 346 Reputation points
    2023-04-25T07:24:59.73+00:00

    Hi, @Stefan Horz

    It looks like it lost the Origin CA Root Certificate. This error occurs when the server is missing the correct root and intermediate certificate from its trusted store.

    Make sure that the CA that issued your certificate is trusted by Windows, or install the CA’s certificate into the trusted root certification authorities store area. Make sure that the certificate chain is complete and includes all the intermediate certificates up to the root CA.

    To solve this problem, verify that the correct root and intermediate certificates are enabled within your server's trusted store.

    1. Start Digital Certificate Manager (DCM).
    2. From the navigation panel, click Select a Certificate Store, then *SYSTEM.
    3. Enter the Certificate Store password and click Continue.
    4. From the navigation panel, select Validate Certificate Authority (CA) certificate.
    5. Ensure the relevant certificate is enabled.
    6. If the certificate is not enabled, enable it and import your signed certificate.

    If any of these certificates are missing, import the root and/or intermediate certificate to the server's trusted store from /ROOTS|here. Source link: https://myssl.ssl247.be/kb/ssl-certificates/troubleshooting/error-certificate-validation-issuer-not-in-certificate-store-or-not-enabled.

    Best regards,

    TengFei Xie



    1 person found this answer helpful.
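One way to check from the server itself whether the issuing CA certificates are available to machine-level services, as an added example that is not part of either answer. It assumes the certificate was imported into the local computer's Personal store (`Cert:\LocalMachine\My`); the thumbprint is a placeholder to replace with the value from the certificate's Details tab.

```powershell
# Added example, not from the thread. Placeholder: replace with the real thumbprint.
$thumbprint = '<THUMBPRINT-OF-IMPORTED-CERTIFICATE>'

# Assumption: the certificate is in the local computer's Personal store.
$cert = Get-Item -Path "Cert:\LocalMachine\My\$thumbprint" -ErrorAction Stop

# Build the chain in machine context ($true) rather than in the context of
# the logged-on user.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new($true)
# Skip revocation so the result reflects missing issuers, not CRL/OCSP reachability.
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$ok = $chain.Build($cert)

"Chain builds in machine context: $ok"
$chain.ChainStatus | ForEach-Object {
    "  {0}: {1}" -f $_.Status, "$($_.StatusInformation)".Trim()
}

# Walk from the leaf towards the root and report which store holds each issuer.
# The CurrentUser stores also list certificates inherited from the machine
# stores, so an issuer that shows up ONLY under CurrentUser is the interesting
# case: it is visible to the logged-on user but not to the machine context.
$stores  = 'LocalMachine\Root', 'LocalMachine\CA', 'CurrentUser\Root', 'CurrentUser\CA'
$current = $cert
while ($current -and $current.Subject -ne $current.Issuer) {
    $hits = foreach ($s in $stores) {
        Get-ChildItem -Path "Cert:\$s" |
            Where-Object { $_.Subject -eq $current.Issuer } |
            ForEach-Object { [pscustomobject]@{ Store = $s; Cert = $_ } }
    }
    if (-not $hits) {
        "Issuer not found in any checked store: $($current.Issuer)"
        break
    }
    $hits | ForEach-Object { "Issuer '{0}' found in {1}" -f $_.Cert.Subject, $_.Store }
    # Continue upwards from the first matching issuer certificate.
    $current = ($hits | Select-Object -First 1).Cert
}
```

Run it in an elevated PowerShell session on the server. Issuers are matched by subject name only, which is enough to locate a missing CA certificate but is not a signature check.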

1 additional answer

  1. Limitless Technology 44,746 Reputation points
    2023-04-25T14:09:01.89+00:00

    Hello there,

    You can use the Microsoft tool to verify this. This article describes the information collected from a machine when you run the Microsoft Internet Information Services (IIS) Secure Sockets Layer (SSL) Diagnostic on a computer that is experiencing problems while browsing to web sites running over SSL.

    https://learn.microsoft.com/en-us/previous-versions/troubleshoot/iis/ssl-diagnostic-tool-sdp

    If the certificate is for a publicly-accessible site you can use a number of online certificate checkers such as Qualys, DigiCert, and SSL Shopper.

    Since this is for a client you should probably add a certificate expiration check to your NMS (you do monitor your network, right?) For example, Nagios has several plugins that can check SSL certificates for validity and impending expiration.

    Hope this resolves your Query !!

    --If the reply is helpful, please Upvote and Accept it as an answer--

    1 person found this answer helpful.
