External websites end entity certificate signed by internal root Certificate Authority Certificate - Incorrectly


  • Hello,

    I am trying to resolve an issue where multiple client computers in the organisation are using an internally deployed Root CA certificate (before my time and no longer required) to sign the end entity certificate for external websites, for example. All SSL sites appeared to be affected by this.

    However, this is not the case, as subdomains of sites with issues show the correct cert chain, the below is for

    Removing or untrusting this root CA cert breaks access to these sites.

    I have reset root certs in various ways, removed machines from the domain, applied no GPOs, manually updated CRL and pulled down updated certs with rootsupd.exe.

    It always attempts to use this rogue CA cert to sign the website's cert.

    Any assistance would be much appreciated.

    Wednesday, February 17, 2016 11:10 AM