none
Active Directory root CA certificate missing from Windows 7 Trusted Root Certification Authorities store RRS feed

  • Question

  • We are experiencing this problem with a few workstations and laptops and what we are currently doing is exporting the CA certificate from a workstation that has it in its store and importing it. The problem with this is that the certificate will eventually expire and we will have to re import a new one again. I don't believe it is a group policy issue because other computers in the same OU are not missing the certificate.

    Cany anyone shed light on how to troubleshoot this or how to force (if possible) the workstation to download the CA certificate?

    Thank you in advance.

    Jose

    Friday, February 5, 2016 7:01 PM

Answers

  • Hi,

    As you mentioned, "The certificate that is missing is the root certificate authority cert from our certificate services server." Therefore, we would consider that the certificate is from server.

    If you want to force to import a certificate, you could use the script to force this operation by schedule task. The link below will show you the command about importing the certificate.

    https://technet.microsoft.com/en-us/library/hh848630(v=wps.630).aspx

    After you write the script, then create a basic task for the script which triggered as log on so that the certificate will force importing the certificate when user log on.

    Wish you have a nice day.

    Best Regards,

    Simon


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Tuesday, February 9, 2016 2:02 AM
    Moderator

All replies

  • Hi,

    Could you please tell us what the certificate regarding to this issue? For the certificate expired issue, you need to request and renew the certificate to fix it.

    If you want to enroll the certificate automatically, please refer the link below to configure the domain policy for it.

    https://technet.microsoft.com/en-us/library/cc731522.aspx

    Hope it will be helpful to you.

    Best Regards,

    Simon 


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Monday, February 8, 2016 2:45 AM
    Moderator
  • Hello Simon,

    The certificate that is missing is the root certificate authority cert from our certificate services server. It is not in the store for some computers. From what I understand group policy auto enrollment is not required for this certificate to be installed to the local Trusted Root Certification Authority store on each computer. This is done automatically. I also tried removing from the domain and rejoining and this did not help.

    I am looking for a way to force the computer to download the certificate if it is possible.

    Monday, February 8, 2016 7:18 PM
  • The certificate is not missing from the server store. The certificate is missing from the Windows 7 store. I never said the problem was on the server side. I stated that we have laptops and workstations that are missing the certificate. I stated this in my opening question.
    Tuesday, February 9, 2016 1:28 AM
  • Hi,

    As you mentioned, "The certificate that is missing is the root certificate authority cert from our certificate services server." Therefore, we would consider that the certificate is from server.

    If you want to force to import a certificate, you could use the script to force this operation by schedule task. The link below will show you the command about importing the certificate.

    https://technet.microsoft.com/en-us/library/hh848630(v=wps.630).aspx

    After you write the script, then create a basic task for the script which triggered as log on so that the certificate will force importing the certificate when user log on.

    Wish you have a nice day.

    Best Regards,

    Simon


    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Tuesday, February 9, 2016 2:02 AM
    Moderator