Hi there. A few Windows 7 computers are not updating their root certificates as evidenced by the fact that some websites report having a bad certificate, while that same website is fine from a computer not affected by the issue. The common thread on all of these computers is the "A certificate chain could not be built to a trusted root authority" event logged repeatedly in the event log. A google search yielded a lot of results, but they all seem to be pertaining to someone who wants to import their own CA and is having trouble doing that because of some issue that's easily solved. None seem to pertain to what I'm trying to do. Anyone have some insight into this? Log Name: Application Source: Microsoft-Windows-CAPI2 Date: 02/24/2011 3:44:31 PM Event ID: 4110 Task Category: None Level: Error Keywords: Classic User: N/A Computer: XXXXXXXXXXXX Description: Failed to add certificate to Third-Party Root Certification Authorities store with error: A certificate chain could not be built to a trusted root authority. Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-CAPI2" Guid="{5bbca4a8-b209-48dc-a8c7-b23d3e5216fb}" EventSourceName="Microsoft-Windows-CAPI2" /> <EventID Qualifiers="0">4110</EventID> <Version>0</Version> <Level>2</Level> <Task>0</Task> <Opcode>0</Opcode> <Keywords>0x8080000000000000</Keywords> <TimeCreated SystemTime="2011-02-24T23:44:31.076764000Z" /> <EventRecordID>3050</EventRecordID> <Correlation /> <Execution ProcessID="1080" ThreadID="212" /> <Channel>Application</Channel> <Computer>XXXXXXXXXXXXX</Computer> <Security /> </System> <EventData> <Data> </Data> <Data>A certificate chain could not be built to a trusted root authority. </Data> </EventData> </Event>

Hi, Thanks for posting in Microsoft TechNet forums. According to my understanding, on some of your Windows 7 workstations, Trusted Root CA certificates do not appear to be downloading and installing from Windows Update correctly, and received the Event ID 4110 in the Event Viewer log. What’s your server? Have you automatically update the root certificates? I recommend you read these articles: Install an enterprise subordinate certification authority Deploying the PKI Certificates Required for Native Mode Best Regards, Miya Yao TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com This posting is provided "AS IS" with no warranties, and confers no rights. | Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Hi, This thread has come a bit further to describe the problem. http://social.technet.microsoft.com/Forums/en/w7itprosecurity/thread/6d2d5927-b2e8-4f11-86a2-b787ca25cfd1

How's going? Please feel free to give us any update. Regards, MiyaThis posting is provided "AS IS" with no warranties, and confers no rights. | Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

It works again after Microsoft distributed the new CTL on March 3rd-4th. http://social.technet.microsoft.com/wiki/contents/articles/troubleshoot-root-certificate-update-failure-march-3-2011.aspx?wa=wsignin1.0

Glad to hear it works. Regards, MiyaThis posting is provided "AS IS" with no warranties, and confers no rights. | Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.