Forefront Codename 'Stirling' Forums > Forefront Threat Management Gateway

Problem of "Certificate chain was issued by an authority that is not trusted", I have imported the CA certificate

  • Saturday, October 17, 2009 4:46 AM, Jackson Huang

    Hi, everybody.

    I publish an internal HTTPS website using TMG 2010 RC1.
    I did import the root certificate into the trusted root certificate store of the computer running TMG. There is no warning when I use IE on the TMG computer to visit the internal HTTPS website, so the root certificate should have worked correctly. I tried rebooting the computer to restart TMG, but I still get the error: Error Code: 500 Internal Server Error. Certificate chain was issued by an authority that is not trusted. (-2146893019). When I test the rule I use to publish the internal HTTPS website, I get the same error. But I have imported the root certificate into the trusted root certificate store.

    It is driving me crazy. Can anyone help? Thanks in advance. And I am not going to buy a certificate issued by a trusted root CA. Thanks.

Answers

  • Sunday, October 18, 2009 8:19 AM, Kent Nordström
     Answer
    But did you install the root CA cert in the correct trusted root store? A common mistake.
    It has to be in the Computer Trusted Root store, not in the user's store.

    And also verify that the name in the cert matches the name used by TMG to access the site in the publishing rule (the To tab).
  • Sunday, October 18, 2009 11:28 AM, Jackson Huang
     Answer
    But did you install the root CA cert in the correct trusted root store? A common mistake.
    It has to be in the Computer Trusted Root store, not in the user's store.

    And also verify that the name in the cert matches the name used by TMG to access the site in the publishing rule (the To tab).

    Thank you, Kent, you get the point!
    I didn't know there is a difference between the computer's certificate store and the current account's certificate store. I just imported the root CA, but didn't know whether it had been imported into the computer's store or the current account's store. And when I ran "certmgr.msc" directly I could only see the current account's store, and found my CA root cert was already in the trusted root authorities, so I just couldn't find any error!
    Thanks for your hint!
    To manage the computer's certificates, instead of the current account's certificates, one should do as this link describes: "http://technet.microsoft.com/en-us/library/cc780916(WS.10).aspx"

    Thank you, Kent. This problem has fretted me for a couple of days. Now you have solved it, thank you.
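The two checks Kent lists (root CA present in the Computer store rather than the user's store, and the certificate name matching the host on the rule's To tab) can both be scripted. The following PowerShell script is an added example and is not code from the thread or from Microsoft; it assumes it runs on the TMG computer, that the PowerShell certificate provider (Cert:) is available, and that the published site answers on the placeholder host name passed as $SiteHost. It fetches the certificate the site presents, finds the root of its chain, reports whether that root sits in LocalMachine\Root (the store a service account such as the TMG firewall service relies on) or only in CurrentUser\Root (what an interactive IE session sees), and checks that $SiteHost is covered by the certificate's subject or SAN.

```powershell
# Added example, not from the thread. Assumptions: $SiteHost is the name on the
# publishing rule's To tab (placeholder), the site answers on $Port, and the
# script runs on the TMG box where the Cert: provider is available.
param(
    [Parameter(Mandatory = $true)][string]$SiteHost,   # host name from the rule's "To" tab
    [int]$Port = 443
)

# 1. Retrieve the certificate the site presents. The callback accepts anything
#    here only so the certificate can be inspected; trust is evaluated below.
$client   = New-Object System.Net.Sockets.TcpClient($SiteHost, $Port)
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$ssl      = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
$ssl.AuthenticateAsClient($SiteHost)
$serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose()
$client.Close()

# 2. Build the chain and take its last element as the root. Note: this build
#    runs in the current user's context, whose Root store also includes the
#    machine Root store, so it can succeed even when the TMG service would fail.
#    The store check in step 3 is the decisive test.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # keep CRL reachability out of the trust question
[void]$chain.Build($serverCert)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$chain.ChainStatus | ForEach-Object { "Chain status: $($_.Status) - $($_.StatusInformation)" }

# 3. Check which Trusted Root store actually holds that root, by thumbprint.
$inMachine = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
$inUser    = Get-ChildItem Cert:\CurrentUser\Root  | Where-Object { $_.Thumbprint -eq $root.Thumbprint }

"Root CA    : $($root.Subject)"
"Thumbprint : $($root.Thumbprint)"
"In LocalMachine\Root (trusted by the TMG service) : $([bool]$inMachine)"
"In CurrentUser\Root  (trusted by your IE session)  : $([bool]$inUser)"
if (-not $inMachine) {
    "-> Import the root into the Computer store (Certificates MMC snap-in, Computer account)."
}

# 4. Verify the name TMG connects to is covered by the certificate (CN or SAN).
$names = @($serverCert.GetNameInfo('DnsName', $false))
$san = $serverCert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
if ($san) {
    $names += ($san.Format($false) -split ', ') -replace '^DNS Name=', ''
}
"Certificate names: $($names -join ', ')"
if ($names -notcontains $SiteHost) {
    "-> '$SiteHost' is not in the certificate; change the To tab name or reissue the certificate."
}
```

Run it as `.\Check-PublishedCert.ps1 -SiteHost intranet.example.local` (file name and host are placeholders). A result of "In LocalMachine\Root: False" together with "In CurrentUser\Root: True" is exactly the situation described in this thread: the interactive user trusts the CA, the service account running TMG does not.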

All Replies

  • Saturday, October 17, 2009 7:19 AM, Jackson Huang

    On the server running TMG, I can browse the internal HTTPS website without any warning. I have imported the root CA into the trusted root certification authority store.

    Can anybody try to configure it as I describe? Is it a BUG in the new TMG?

    Or does importing a root certificate in this new TMG involve new steps that are different from ISA 2004 or ISA 2006?

    I am evaluating the TMG 2010 RC trial enterprise edition under a Hyper-V environment on Windows 2008 R2 Enterprise Edition.

  • Saturday, October 17, 2009 5:07 PM, Marc Grote (MVP)
    Hi,

    if you open the website with the certificate error, navigate to the certificate properties and check the certificate details to see whether you imported the right RootCA certificate. IMHO the problem might simply be that you imported the wrong certificate.

    regards Marc
    www.nt-faq.de
    www.it-training-grote.de
    www.forefront-tmg.de
  • Sunday, October 18, 2009 2:32 AM, Jackson Huang

    Thanks for your answer, Marc.
    I have imported the CA root certificate chain on the server running TMG. And I visited the internal HTTPS website using IE on the server running TMG and got no warning. No certificate error is found when I navigate to the certificate properties. So I think I didn't import the wrong certificate.

    Thanks. I suspect it is a new bug TMG contains, or that there are new extra steps to do in the new TMG compared with the old ISA.
