0x80090325 – The Certificate chain was issued by an authority that is not trusted.

    Question

  • Dear,

     

    I published our Exchange 2010 OWA on TMG 2012 and have an issue with the SAN or Root Certificate.

    When I connect from a workstation directly to the CAS, it all works, the certificates are OK.

     

    I installed a domain integrated enterprise Root CA.

    I distributed the Root Certificate to all computers through GPO. The TMG server received this Certificate.
    I imported the Exchange CAS SAN certificate (with private key) into the TMG server.

    The public name is the first FQDN on the SAN certificate.

    When I open the CAS SAN Certificate on the TMG server, I can see that the certificate chain is ok.

    But when I run the “test rule” in TMG I get the following error: 0x80090325 – The Certificate chain was issued by an authority that is not trusted.

     

    Is there something else that I should do on the TMG to be able to trust my own, domain integrated CA???

    It seems to be a TMG related issue.

     

    Thanks a lot in advance,

    Regards,

    Peter


    Peter Van Keymeulen, IT Infrastructure Solution Architect, www.edeconsulting.be
    Monday, November 14, 2011 12:39 PM

Answers

  • Thanks Marc.

    The root certificate was in the correct store before I removed the GPO and it was still there after the remove and the gpupdate.
    I found the root cause of my problem, it was as stupid as simple: a typo error in the URL on my SAN certificate.

    Thanks anyway for the support.

    Regards,
    Peter

     


    Peter Van Keymeulen, IT Infrastructure Solution Architect, www.edeconsulting.be
    Monday, November 14, 2011 10:46 PM
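
The two checks discussed in this thread (is the issuing root in the computer's trusted root store, and do the names on the SAN certificate match what is published) can be run together on the TMG server. This is an added example, not part of the original posts; the thumbprint and host names are placeholders, and the `DNS Name=` label assumes an English-language Windows installation.

```powershell
# Placeholders (assumptions): set these to your own values.
$Thumbprint   = '<THUMBPRINT-OF-SAN-CERTIFICATE>'
$NamesToCheck = @('owa.example.com', 'cas01.example.local')  # public name, internal CAS name

# Load the certificate from the computer store on the TMG server.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate not found in LocalMachine\My" }

# Build the chain in machine context, as a service would, not as the logged-on user.
$chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
$chainOk = $chain.Build($cert)
$top     = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
$inRoot  = @(Get-ChildItem Cert:\LocalMachine\Root |
             Where-Object { $_.Thumbprint -eq $top.Thumbprint }).Count -gt 0

# Read the DNS names from the Subject Alternative Name extension (OID 2.5.29.17).
$sanNames = @()
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($sanExt) {
    $sanNames = @($sanExt.Format($true) -split "`r?`n" | ForEach-Object {
        if ($_ -match 'DNS Name=(.+)$') { $Matches[1].Trim().ToLower() }
    })
}

# Exact match, or a wildcard entry covering exactly one leading label.
function Test-NameInSan([string]$Name, [string[]]$San) {
    $n = $Name.ToLower()
    $dot = $n.IndexOf('.')
    foreach ($s in $San) {
        if ($s -eq $n) { return $true }
        if ($s.StartsWith('*.') -and $dot -gt 0 -and $n.Substring($dot) -eq $s.Substring(1)) {
            return $true
        }
    }
    return $false
}

"Chain builds            : $chainOk"
$chain.ChainStatus | ForEach-Object { "  chain status          : $($_.Status)" }
"Top of chain            : $($top.Subject)"
"Top cert in Root store  : $inRoot"
"SAN DNS names           : $($sanNames -join ', ')"
foreach ($name in $NamesToCheck) {
    "  $name in SAN : $(Test-NameInSan $name $sanNames)"
}
```

A chain that builds with the top certificate in the Root store, combined with a `False` for one of the names, points at the certificate's SAN entries rather than at trust distribution.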

All replies

  • Hi,

    If you are using a domain integrated enterprise Root CA you don't have to distribute the RootCA certificate with Group Policies manually. This is done automatically. So please remove the GPO which distributes the certificate and run a GPUPDATE /force on the TMG Server. If the GPO has been applied successfully you must see the RootCA certificate in the trusted RootCA certificate store for the local computer and if you try to open the internal OWA website from the TMG Server you shouldn't get a certificate error that the certificate is not trusted - please check this.


    regards Marc Grote aka Jens Baier - www.it-training-grote.de - www.forefront-tmg.de - www.nt-faq.de
    Monday, November 14, 2011 5:47 PM