This CA Root Certificate is not Trusted--happens to users when VPNing and then accessing sites


  • I installed a new PKI solution--one offline standalone Root CA and an Enterprise Issuing CA. These machines run Server 2008 R2. I configured Web Server certs for a number of internal websites that are only available through our internal network (and therefore also by VPN). For all internal users, there are no cert errors; they have automatically enrolled the CA root certificate into the Trusted Root Certification Authorities Store. The certs are fine, and I see that my Root CA has properly identified the site.

    For users that VPN in, when they try to access these sites (and these sites are not available externally on the net, just through VPN access to our network), they get the error:

    This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities Store. When users VPN in, they are on our network, so I'm not seeing what the problem is here. The computers are domain connected. Do I have to get all remote users to just install that cert in the Trusted Root Cert Authorities store? I'm wondering if that's what they did when they set up the old CA years ago. Can't I get the VPN users enrolled automatically?

    Thanks for any help you can give me!

    Thursday, September 16, 2010 6:41 PM


All replies

  • Yes - add the certificate of the Root CA to the Trusted Root CAs Store


    Thursday, September 16, 2010 6:51 PM
  • I do know it works by adding the cert to the Trusted root. We have many remote users. Is there no way for this to be done automatically? Thanks for your response!

    Thursday, September 16, 2010 6:53 PM
  • Make sure that your VPN clients process computer-based group policy...


    • Marked as answer by Donia Strand Monday, September 20, 2010 4:24 PM
    Thursday, September 16, 2010 10:21 PM
  • The preferred method is a GPO, as Marcin pointed out. My only question is that if the users who are using VPN are getting the untrusted cert message, it's telling me they are not joined to the domain. Is this true?

    What I've used in such cases is the SBS 2008 cert installer package. It's an executable that SBS creates along with the SBS server's .cer certificate file to install the .cer file on non-joined machines. The executable is just a cert installer, and it can be used with any .cer file. I would suggest zipping up the installer and the .cer file and emailing it out. Just unzip the installer and the .cer to the same folder, and run the exe.

    But of course, if this is the way you choose to do it, you will need the installer. If you have an SBS installation, you can use the cert installer and email the zipped up package, and provide instructions to save, unzip and run the exe cert installer.


    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003, Microsoft Certified Trainer, Microsoft MVP - Directory Services. This posting is provided AS-IS with no warranties or guarantees and confers no rights.
    Friday, September 17, 2010 12:07 AM
  • Turns out a few remote computers weren't processing GP correctly. gpupdate /force worked or adding the cert directly got rid of the error too. Thanks for the help!
    Monday, September 20, 2010 4:25 PM
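    The check behind Marcin's answer (is computer-based Group Policy actually delivering the Root CA to the VPN client?) and the fix the original poster landed on (gpupdate /force) can be scripted so a remote user or helpdesk can run one thing. The following PowerShell is an added example, not code from the thread or from Microsoft; the thumbprint is a placeholder that must be replaced with the real Root CA certificate's SHA-1 thumbprint, and the script assumes it is run elevated on a domain-joined client.

```powershell
# Added example (not from the thread): verify on a VPN client whether the
# enterprise Root CA certificate reached the machine's Trusted Root store,
# and if not, refresh computer-scope Group Policy and re-check.
# $RootThumbprint is a placeholder; take the real value from the Root CA
# certificate (for example, certutil -dump on the exported .cer).
param(
    [string]$RootThumbprint = 'PLACEHOLDER_ROOT_CA_SHA1_THUMBPRINT'
)

function Test-RootCaTrusted {
    param([string]$Thumbprint)
    # LocalMachine\Root is the store that computer-based Group Policy
    # (Trusted Root Certification Authorities policy / autoenrollment) populates.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    return ($null -ne $cert)
}

if (Test-RootCaTrusted -Thumbprint $RootThumbprint) {
    Write-Output "Root CA is present in Trusted Root Certification Authorities (LocalMachine)."
    exit 0
}

Write-Output "Root CA not found in LocalMachine\Root; refreshing computer-scope Group Policy."
# Computer policy is what delivers the root certificate, so refresh only that scope.
gpupdate /force /target:computer | Out-Null

# gpresult shows which domain GPOs were actually applied over the VPN link,
# which is the quickest way to see that computer policy is not being processed.
gpresult /r /scope:computer

if (Test-RootCaTrusted -Thumbprint $RootThumbprint) {
    Write-Output "Root CA now present after policy refresh."
} else {
    Write-Output "Still missing: confirm a domain controller is reachable over the VPN, then import the .cer manually into LocalMachine\Root as a fallback."
}
```

    The script reports only whether the expected root is in the machine store; a root that is present only in the user's CurrentUser\Root store would still leave services and other users on that machine without trust, which is why the check targets LocalMachine.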
  • VPNing Official Website:
    Saturday, January 08, 2011 1:28 AM
  • Just to be clear: we aren't using VPNing as in the post above--it was a VPN (ISA) user issue.
    Monday, January 10, 2011 3:41 PM