Usage of CrossCertificateDistributionPoint extension during certificate chain building in Windows XP and Server 2008
Hello, I am experimenting with the CrossCertificateDistributionPoint extension in Root CA certificates, but I am wondering how this extension is managed during the chain building process. I have the following environment:

- offline root CA, renewing with new key pairs and with CrossCertificateDistributionPointExtensions defined in CAPolicy.inf. The URLs are updated at each key renewal to reflect the name changes; so, with the third renewal (certificate numbered (3)), the CAPolicy.inf section is

  [CrossCertificateDistributionPointsExtension]
  SyncDeltaTime = 600
  URL = http://myURL.local/root/ccdp/MyCAName(3-2).crt
  URL = http://myURL.local/root/ccdp/MyCAName(3-4).crt

- online AD-integrated issuing CA; this system is also used with IIS for HTTP AIA, CDP and CCDP
- one Windows XP client
- one Windows Server 2008 R2 used as a client

With root certificate #2, I have issued an Issuing CA certificate, and then an end-entity certificate. Then, I renewed the Root CA certificate and deployed only this certificate to the clients, removing previous certificates, so that there is no direct trust from the end-entity certificates to a root certificate, but a cross cert is needed. The cert is published in the enterprise store, via AD publication.

I have found the following behaviours when opening the end-entity certificate:

- Windows XP reads the CCDP extension from the distributed Root certificate #3, downloads the available cross cert and builds a correct chain from the root cert to the end-entity certificate. The result is as expected, although there is a drawback: this behaviour is replicated every time a chain building is needed, so when I use Internet Explorer to open a public HTTPS site with a Verisign chain, the chaining engine tries to download the cross-certs. And if the HTTP server is not available, there is a 15 seconds timeout before proceeding.
- Windows Server 2008 R2 does not download the cross cert, and builds a chain that terminates in a non-trusted certificate.

(Additionally, when I try from the domain controller, the behaviour is slightly different: the chain is built using the issuing CA certificate and the Root CA certificate #3, which has not issued the Issuing CA cert, so I got a chain up to a trusted anchor but with a signing error.)

I have looked for the available information on the certificate chaining process, both for WinXP and for newer systems, but I found no clear answer for this behaviour. At least, I can understand the Windows XP behaviour (it looks for all possible chains using all Root certs available and then finds the best one), but cannot understand how Windows Server works.

Has anyone found this behaviour and knows how to have Windows Server 2008 check the CCDP extension?

Thank you
Roberto
May 17th, 2012 9:42am

Hi,

The cross certificate distribution point (CCDP) extension identifies where cross certificates related to a particular certificate can be obtained and how often that location is updated. Windows XP and later operating systems use this extension for the discovery of cross-certificates that might be used during the path discovery and chain building process.

For details:

Windows Server 2008 R2 CAPolicy.inf Syntax
http://blogs.technet.com/b/askds/archive/2009/10/15/windows-server-2008-r2-capolicy-inf-syntax.aspx

How CA Certificates Work
http://technet.microsoft.com/en-us/library/cc737264(v=ws.10).aspx

Cross-Certification Distribution Point Extensions
http://social.technet.microsoft.com/wiki/contents/articles/4954.certificate-status-and-revocation-checking.aspx#CRL_Distribution_Point_Extensions

Hope this helps!

Best regards,
Elytis Cheng
TechNet Community Support
May 18th, 2012 2:00am

Hi,

Unfortunately, this does not help. I already know what CCDP is and what is reported on those links. As you can read from my post, the problem is HOW clients effectively use this information during chain building; for example:

- why does Windows XP always look for a cross certificate from a private enterprise CA when it tries to connect to a public SSL web server protected with a Verisign certificate that chains up to a trusted Verisign root? This means a 15 seconds delay due to timeout before opening any SSL-protected web page if the CCDP is not available or reachable;
- why does Windows Server 2008 R2 never look for cross certificates in CCDP URLs and end up building untrusted chains? It seems that the check of CCDP has been dropped; is that correct?

Thank you
May 18th, 2012 5:48am

Hello,

Thank you for your post. This is a quick note to let you know that we are performing research on this issue.

Best Regards,
Elytis Cheng
TechNet Community Support
May 29th, 2012 5:17am

Thank you, I am available if you need a more detailed description of my findings, or some further testing.

Regards
May 29th, 2012 5:31am

Hello,

I have collected the two logs; unfortunately, the WinXP one is partially written in Italian. Some hints:

- the leaf certificate has serial ending "00 0a"
- the issuing CA cert (available as enterprise CA) has serial ending "00 0b"
- the root CA of the issuing CA has serial ending "b5 65" and is NOT published on Active Directory
- the rekeyed root CA has serial ending "ea 96" and is published on AD

The certutil.exe installed on the WinXP machine is taken from the Windows Server 2003 Admin Pack SP2 (WindowsServer2003-KB340178-SP2-x86-ITA.msi). I have launched certutil as local administrator, so any LDAP search on AD is not authenticated. The IIS hosting CDP, AIA and CCDP via HTTP is up, running and reachable via Internet Explorer from the two machines.

From WinXP:

402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
Autorità emittente:
    CN=CUSTOMER NAME Holding CA
    OU=CUSTOMER NAME
    O=CUSTOMER ORG
    C=IT
Soggetto:
    CN=prova.domain.it
Numero di serie certificato: 11784f6e00010000000a
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 2 Weeks, 17 Hours, 24 Minutes, 19 Seconds
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 2 Weeks, 17 Hours, 24 Minutes, 19 Seconds
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=CUSTOMER NAME Holding CA, OU=CUSTOMER NAME, O=CUSTOMER ORG, C=IT
  Subject: CN=prova.domain.it
  Serial: 11784f6e00010000000a
  Template: 1.3.6.1.4.1.311.21.8.4898197.2237363.10046605.8424177.6578076.198.7372262.433957
  77 54 47 75 9b 1c 4b ac 42 23 a7 51 be 73 bf 02 91 7b 99 e1
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ---------------- AIA certificato ----------------
  319.1656.0: 0x8007052b (WIN32: 1323): ldap:///CN=CUSTOMER%20NAME%20Holding%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=local?cACertificate?base?objectClass=certificationAuthority
  319.1656.0: 0x80070194 (WIN32: 404): http://pki.domain.it:88/hbl/cert/CUSTOMER%20NAME%20Holding%20CA(1).crt
  Operazione non riuscita "AIA" Ora: 0
    Errore durante il recupero dell'URL: Impossibile aggiornare la password. Il valore fornito per la password corrente non corrisponde. 0x8007052b (WIN32: 1323)
    ldap:///CN=CUSTOMER%20NAME%20Holding%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=local?cACertificate?base?objectClass=certificationAuthority
  Operazione non riuscita "AIA" Ora: 0
    Errore durante il recupero dell'URL: Errore 0x80070194 (WIN32: 404)
    http://pki.domain.it:88/hbl/cert/CUSTOMER%20NAME%20Holding%20CA(1).crt
  ---------------- CDP certificato ----------------
  319.1862.0: 0x8007052b (WIN32: 1323): ldap:///CN=CUSTOMER%20NAME%20Holding%20CA(1),CN=HBL-CA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
  319.2099.0: 0x8007052b (WIN32: 1323): ldap:///CN=CUSTOMER%20NAME%20Holding%20CA(1),CN=HBL-CA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=local?deltaRevocationList?base?objectClass=cRLDistributionPoint
  Operazione non riuscita "CDP" Ora: 0
    Errore durante il recupero dell'URL: Impossibile aggiornare la password. Il valore fornito per la password corrente non corrisponde. 0x8007052b (WIN32: 1323)
    ldap:///CN=CUSTOMER%20NAME%20Holding%20CA(1),CN=HBL-CA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
  Verificato "Base CRL (25)" Ora: 0
    [1.0] http://pki.domain.it:88/hbl/crl/CUSTOMER%20NAME%20Holding%20CA(1).crl
  Operazione non riuscita "CDP" Ora: 0
    Errore durante il recupero dell'URL: Impossibile aggiornare la password. Il valore fornito per la password corrente non corrisponde. 0x8007052b (WIN32: 1323)
    [1.0.0] ldap:///CN=CUSTOMER%20NAME%20Holding%20CA(1),CN=HBL-CA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=local?deltaRevocationList?base?objectClass=cRLDistributionPoint
  Verificato "Delta CRL (25)" Ora: 0
    [1.0.1] http://pki.domain.it:88/hbl/crl/CUSTOMER%20NAME%20Holding%20CA(1)+.crl
  ---------------- CDP Base CRL ----------------
  319.1862.0: 0x8007052b (WIN32: 1323): ldap:///CN=CUSTOMER%20NAME%20Holding%20CA(1),CN=HBL-CA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=local?deltaRevocationList?base?objectClass=cRLDistributionPoint
  Operazione non riuscita "CDP" Ora: 0
    Errore durante il recupero dell'URL: Impossibile aggiornare la password. Il valore fornito per la password corrente non corrisponde. 0x8007052b (WIN32: 1323)
    ldap:///CN=CUSTOMER%20NAME%20Holding%20CA(1),CN=HBL-CA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=local?deltaRevocationList?base?objectClass=cRLDistributionPoint
  OK "Delta CRL (25)" Ora: 0
    [1.0] http://pki.domain.it:88/hbl/crl/CUSTOMER%20NAME%20Holding%20CA(1)+.crl
  --------------------------------
  CRL 25:
  Issuer: CN=CUSTOMER NAME Holding CA, OU=CUSTOMER NAME, O=CUSTOMER ORG, C=IT
  7b 9e 1b e5 30 04 d0 5c 60 d1 6e e3 64 2a 85 ce 03 ed ad 47
  Delta CRL 25:
  Issuer: CN=CUSTOMER NAME Holding CA, OU=CUSTOMER NAME, O=CUSTOMER ORG, C=IT
  62 95 c8 21 5e ca 4c c1 68 49 1a 11 c9 44 e6 7a 53 95 94 e5
  Application[0] = 1.3.6.1.5.5.7.3.1 Autenticazione server
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=CUSTOMER NAME Root CA, O=CUSTOMER ORG, OU=CUSTOMER NAME, C=IT
  Subject: CN=CUSTOMER NAME Holding CA, OU=CUSTOMER NAME, O=CUSTOMER ORG, C=IT
  Serial: 119ff57900020000000b
  c5 f1 ba 9b a8 23 2e 41 ef 05 9b 75 66 b1 b4 f9 c1 1b b1 c6
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ---------------- AIA certificato ----------------
  319.1656.0: 0x8007052b (WIN32: 1323): ldap:///CN=CUSTOMER%20NAME%20Root%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=local?cACertificate?base?objectClass=certificationAuthority
  319.1046.0: 0x80092012 (-2146885614)
  Operazione non riuscita "AIA" Ora: 0
    Errore durante il recupero dell'URL: Impossibile aggiornare la password. Il valore fornito per la password corrente non corrisponde. 0x8007052b (WIN32: 1323)
    ldap:///CN=CUSTOMER%20NAME%20Root%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=local?cACertificate?base?objectClass=certificationAuthority
  Nessun CRL "Certificato (0)" Ora: 0
    [1.0] http://pki.domain.it:88/root/cert/CUSTOMER%20NAME%20Root%20CA(2).crt
  ---------------- CDP certificato ----------------
  319.1862.0: 0x8007052b (WIN32: 1323): ldap:///CN=CUSTOMER%20NAME%20Root%20CA(2),CN=ROOT-CA,%20CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
  Operazione non riuscita "CDP" Ora: 0
    Errore durante il recupero dell'URL: Impossibile aggiornare la password. Il valore fornito per la password corrente non corrisponde. 0x8007052b (WIN32: 1323)
    ldap:///CN=CUSTOMER%20NAME%20Root%20CA(2),CN=ROOT-CA,%20CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
  Verificato "Base CRL (6)" Ora: 0
    [1.0] http://pki.domain.it:88/root/crl/CUSTOMER%20NAME%20Root%20CA(2).crl
  ---------------- CDP Base CRL ----------------
  Nessun URL "Nessuna" Ora: 0
  --------------------------------
  CRL 6:
  Issuer: CN=CUSTOMER NAME Root CA, O=CUSTOMER ORG, OU=CUSTOMER NAME, C=IT
  24 ce 16 77 84 c9 d6 9f 3b 62 11 d9 68 a7 6e 84 85 53 24 1b
CertContext[0][2]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=CUSTOMER NAME Root CA, O=CUSTOMER ORG, OU=CUSTOMER NAME, C=IT
  Subject: CN=CUSTOMER NAME Root CA, O=CUSTOMER ORG, OU=CUSTOMER NAME, C=IT
  Serial: 11ac73a700030000000e
  Template: CrossCA
  8d d3 0e df 68 dd d2 73 d8 89 a5 d8 b8 42 31 c7 42 80 19 a0
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ---------------- AIA certificato ----------------
  319.1046.0: 0x80092012 (-2146885614)
  Nessun CRL "Certificato (0)" Ora: 0
    [0.0] http://pki.domain.it:88/root/cert/CUSTOMER%20NAME%20Root%20CA(3).crt
  ---------------- CDP certificato ----------------
  Verificato "Base CRL (6)" Ora: 0
    [0.0] http://pki.domain.it:88/root/crl/CUSTOMER%20NAME%20Root%20CA(3).crl
  ---------------- CDP Base CRL ----------------
  Nessun URL "Nessuna" Ora: 0
  --------------------------------
  CRL 6:
  Issuer: CN=CUSTOMER NAME Root CA, O=CUSTOMER ORG, OU=CUSTOMER NAME, C=IT
  bc 7f 6f f2 b5 e7 0e 51 ff 80 7e 3b 36 18 38 22 f7 2e 1f f5
  Issuance[0] = 1.3.6.1.4.1.39449.1.1.2
CertContext[0][3]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=CUSTOMER NAME Root CA, O=CUSTOMER ORG, OU=CUSTOMER NAME, C=IT
  Subject: CN=CUSTOMER NAME Root CA, O=CUSTOMER ORG, OU=CUSTOMER NAME, C=IT
  Serial: 2afa9770b7d748b140e07ca6e66fea96
  95 f4 26 10 5a 27 c2 43 6a 87 32 99 1c 22 8c 30 24 8b 35 06
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ---------------- AIA certificato ----------------
  Nessun URL "Nessuna" Ora: 0
  ---------------- CDP certificato ----------------
  Nessun URL "Nessuna" Ora: 0
  --------------------------------
  Issuance[0] = 1.3.6.1.4.1.39449.1.1.2
Exclude leaf cert:
  58 29 d9 7d a3 48 0f a2 b9 6d 23 8a 77 88 d8 f8 35 db cd bf
Full chain:
  cb e1 99 22 fd 78 4c 30 28 7d 14 16 cb d8 0a 76 26 19 f8 64
------------------------------------
Criteri di rilascio verificati: Nessuna
Criteri di applicazione verificati: 1.3.6.1.5.5.7.3.1 Autenticazione server
Controllo di revoca certificato foglia superato
CertUtil: - Esecuzione comando verify riuscita.
From Win2k8R2:

Issuer:
    CN=CUSTOMER NAME Holding CA
    OU=CUSTOMER NAME
    O=CUSTOMER ORG
    C=IT
Subject:
    CN=prova.domain.it
Cert Serial Number: 11784f6e00010000000a
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: CN=CUSTOMER NAME Holding CA, OU=CUSTOMER NAME, O=CUSTOMER ORG, C=IT
  NotBefore: 5/17/2012 1:11 AM
  NotAfter: 5/17/2014 1:11 AM
  Subject: CN=prova.domain.it
  Serial: 11784f6e00010000000a
  Template: 1.3.6.1.4.1.311.21.8.4898197.2237363.10046605.8424177.6578076.198.7372262.433957
  77 54 47 75 9b 1c 4b ac 42 23 a7 51 be 73 bf 02 91 7b 99 e1
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ---------------- Certificate AIA ----------------
  Failed "AIA" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    ldap:///CN=CUSTOMER%20NAME%20Holding%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=local?cACertificate?base?objectClass=certificationAuthority
  Failed "AIA" Time: 0
    Error retrieving URL: Error 0x80190194 (-2145844844)
    http://pki.domain.it:88/hbl/cert/CUSTOMER%20NAME%20Holding%20CA(1).crt
  ---------------- Certificate CDP ----------------
  Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    ldap:///CN=CUSTOMER%20NAME%20Holding%20CA(1),CN=HBL-CA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
  Verified "Base CRL (19)" Time: 10
    [1.0] http://pki.domain.it:88/hbl/crl/CUSTOMER%20NAME%20Holding%20CA(1).crl
  Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    [1.0.0] ldap:///CN=CUSTOMER%20NAME%20Holding%20CA(1),CN=HBL-CA,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=local?deltaRevocationList?base?objectClass=cRLDistributionPoint
  Verified "Delta CRL (19)" Time: 10
    [1.0.1] http://pki.domain.it:88/hbl/crl/CUSTOMER%20NAME%20Holding%20CA(1)+.crl
  ---------------- Certificate OCSP ----------------
  Unsuccessful "OCSP" Time: 11
    [0.0] http://pki.domain.it:88/OCSP
  --------------------------------
  Application[0] = 1.3.6.1.5.5.7.3.1 Server Authentication
CertContext[0][1]: dwInfoStatus=102 dwErrorStatus=1000040
  Issuer: CN=CUSTOMER NAME Root CA, O=CUSTOMER ORG, OU=CUSTOMER NAME, C=IT
  NotBefore: 5/17/2012 1:04 AM
  NotAfter: 5/17/2018 1:14 AM
  Subject: CN=CUSTOMER NAME Holding CA, OU=CUSTOMER NAME, O=CUSTOMER ORG, C=IT
  Serial: 119ff57900020000000b
  c5 f1 ba 9b a8 23 2e 41 ef 05 9b 75 66 b1 b4 f9 c1 1b b1 c6
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ---------------- Certificate AIA ----------------
  Failed "AIA" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    ldap:///CN=CUSTOMER%20NAME%20Root%20CA,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=local?cACertificate?base?objectClass=certificationAuthority
  Verified "Certificate (0)" Time: 10
    [1.0] http://pki.domain.it:88/root/cert/CUSTOMER%20NAME%20Root%20CA(2).crt
  ---------------- Certificate CDP ----------------
  Failed "CDP" Time: 0
    Error retrieving URL: Logon failure: unknown user name or bad password. 0x8007052e (WIN32: 1326)
    ldap:///CN=CUSTOMER%20NAME%20Root%20CA(2),CN=ROOT-CA,%20CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain,DC=local?certificateRevocationList?base?objectClass=cRLDistributionPoint
  Verified "Base CRL (06)" Time: 10
    [1.0] http://pki.domain.it:88/root/crl/CUSTOMER%20NAME%20Root%20CA(2).crl
  ---------------- Certificate OCSP ----------------
  No URLs "None" Time: 0
  --------------------------------
CertContext[0][2]: dwInfoStatus=10c dwErrorStatus=20
  Issuer: CN=CUSTOMER NAME Root CA, O=CUSTOMER ORG, OU=CUSTOMER NAME, C=IT
  NotBefore: 5/17/2012 12:42 AM
  NotAfter: 5/17/2022 12:52 AM
  Subject: CN=CUSTOMER NAME Root CA, O=CUSTOMER ORG, OU=CUSTOMER NAME, C=IT
  Serial: 720cb5d4a4088d9c46fd93fe8f18b565
  77 b3 95 23 62 70 95 66 aa ee ff f2 5b fa d5 f5 12 14 39 cf
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)
  ---------------- Certificate AIA ----------------
  No URLs "None" Time: 0
  ---------------- Certificate CDP ----------------
  No URLs "None" Time: 0
  ---------------- Certificate OCSP ----------------
  No URLs "None" Time: 0
  --------------------------------
  Issuance[0] = 1.3.6.1.4.1.39449.1.1.2
Exclude leaf cert:
  70 7c cf bf fc 0c d7 8f 0b cd 22 ef d5 fb 14 14 69 a3 84 43
Full chain:
  d4 a2 ba ed 0f 32 ed df 0f 81 81 31 bb 40 01 22 a9 c6 6e 3b
Issuer: CN=CUSTOMER NAME Holding CA, OU=CUSTOMER NAME, O=CUSTOMER ORG, C=IT
NotBefore: 5/17/2012 1:11 AM
NotAfter: 5/17/2014 1:11 AM
Subject: CN=prova.domain.it
Serial: 11784f6e00010000000a
Template: 1.3.6.1.4.1.311.21.8.4898197.2237363.10046605.8424177.6578076.198.7372262.433957
77 54 47 75 9b 1c 4b ac 42 23 a7 51 be 73 bf 02 91 7b 99 e1
A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487)
------------------------------------
Verifies against UNTRUSTED root
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.

Regards
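The two certutil dumps above (and the behaviours described in the opening post) differ only in whether a cross-certificate gets pulled in. As an added illustration that is not code from the thread, the following Python model replays both outcomes: walking issuer links from the leaf (serial ending 000a) through the Holding CA (000b) reaches the old self-signed root (b565), which is no longer a trust anchor; if the cross-cert published at the trusted root's CCDP URL (the CrossCA certificate ending 000e) is added to the candidate set, the walk instead continues to the rekeyed root (ea96). The key identifiers K2/K3/KH/KL, the shortened names and the dictionary standing in for the IIS CCDP host are constructed; this is a simplified graph search, not the Windows CryptoAPI chain engine.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed, simplified model of the certificates in the thread. Key identifiers
# are made up; the serial strings are the serial endings quoted in the thread.
@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: str            # last bytes of the serial number, as in the certutil dumps
    key_id: str            # subject key identifier (constructed)
    authority_key_id: str  # authority key identifier = issuer's key_id (constructed)
    ccdp_urls: Tuple[str, ...] = ()  # CrossCertificateDistributionPoint URLs (roots only)

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer and self.key_id == self.authority_key_id

ROOT2 = Cert("Root CA", "Root CA", "b565", "K2", "K2")        # original root, no longer deployed
ROOT3 = Cert("Root CA", "Root CA", "ea96", "K3", "K3",         # rekeyed root, the only trust anchor
             ("http://myURL.local/root/ccdp/MyCAName(3-2).crt",))
ISSUING = Cert("Holding CA", "Root CA", "000b", "KH", "K2")    # issued under Root #2's key
LEAF = Cert("prova.domain.it", "Holding CA", "000a", "KL", "KH")
CROSS_3_2 = Cert("Root CA", "Root CA", "000e", "K2", "K3")     # Root #3 certifying Root #2's key (CrossCA)

# Stand-in for the IIS host serving the CCDP URL; an empty dict models an unreachable server.
CCDP_SERVER: Dict[str, List[Cert]] = {ROOT3.ccdp_urls[0]: [CROSS_3_2]}


def build_chain(leaf: Cert, store: List[Cert], trusted_roots: List[Cert],
                server: Dict[str, List[Cert]], use_ccdp: bool) -> Tuple[List[Cert], bool]:
    """Walk issuer links (AKID -> SKID plus issuer name -> subject name) from the leaf.
    Returns (chain, trusted). With use_ccdp the cross-certs published at the trusted
    roots' CCDP URLs join the candidate set, so an issuer key that the new root has
    cross-certified can chain to it instead of to the old, untrusted self-signed root."""
    candidates = list(store) + list(trusted_roots)
    if use_ccdp:
        for root in trusted_roots:
            for url in root.ccdp_urls:
                candidates.extend(server.get(url, []))  # unreachable URL: nothing is added
    chain = [leaf]
    while not chain[-1].self_signed:
        cur = chain[-1]
        issuers = [c for c in candidates
                   if c.key_id == cur.authority_key_id and c.subject == cur.issuer
                   and c not in chain]
        if not issuers:
            return chain, False  # dangling chain: no issuer found at all
        # Preference: a trusted root, then a cross-cert (not self-signed), then anything else.
        issuers.sort(key=lambda c: (c not in trusted_roots, c.self_signed))
        chain.append(issuers[0])
    return chain, chain[-1] in trusted_roots


def chain_serials(chain: List[Cert]) -> str:
    """Render a chain the way the thread identifies certs: by serial ending, leaf first."""
    return " -> ".join(c.serial for c in chain)


if __name__ == "__main__":
    # The client store holds the Holding CA and the old root fetched via AIA; only ROOT3 is trusted.
    for use in (False, True):
        chain, ok = build_chain(LEAF, [ISSUING, ROOT2], [ROOT3], CCDP_SERVER, use)
        print(f"use_ccdp={use}: {chain_serials(chain)}  trusted={ok}")
```

Passing an empty dict as the server reproduces the "CCDP host unreachable" case: the cross-cert never arrives and the chain again ends at b565, which is why reachability of that URL matters every time a chain is built.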
May 31st, 2012 1:47pm

No, that certificate is not present in Intermediate certification authorities (I also checked the current user store). The only certificates present (in the enterprise physical container, as expected) are the Root CA (serial ending ea96) and the Issuing CA (serial ending 000b). The same applies for the winXP machine.
June 1st, 2012 5:59am

Is there any update?

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
June 3rd, 2012 11:21pm

Hello,

Sorry for the delay, I could try the registry patch only now. Unfortunately, nothing changes. This is the key I added:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\ChainEngine]

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\SystemCertificates\ChainEngine\Config]
"Options"=dword:00000004

Then I restarted the server and reopened the leaf certificate. The result is the same: the chain is built but terminates in a non-trusted root. I checked network traffic with Wireshark and also checked IIS logs; no cross certificate is downloaded.

Regards
June 4th, 2012 3:31am

If the suggestion does not work, I think it is hard to troubleshoot this issue by forum. I suggest you open a case for it.

Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
June 4th, 2012 4:17am

Well, my customer decided to give up on CCDP, so I really do not need to open a case. I think I gave enough information to reproduce the issue, and I think this looks like a bug - or, simply, Microsoft decided to abandon support for the CCDP extension. Anyway, I will add it to my personal W2k8R2 "bugs & undocumented" list.

Regards
June 4th, 2012 6:05am
