RE: SEC_E_UNTRUSTED_ROOT
From: John_L_S (JohnLS_at_discussions.microsoft.com)
Date: 05/27/05
Date: Fri, 27 May 2005 10:02:08 -0700
I figured out my problem and so in case someone has a similar issue I want
to post the resolution here. As I indicated I had downloaded the root CA
from the certificate I was trying to use to my client machine using the web
interface "certsrv".
After reviewing the certificate information in the registry I decided to use
the Certificates MMC snap-in to get a better view of the certificate
environment on my client machine. I found my trusted root CA via the MMC
interface, but what I finally realized was it is recorded under the user's
environment that I was using when I went through the download procedure via
"certsrv". Of course my client application runs as a service and as such
does not run as the same user, even though the user id I was using has
administrative privileges. So then after creating MMC Certificate views
not only for the user but also for the service and for the "local computer" I
exported the root CA from the user's certificate environment and imported it
into the "service" environment for my application. This did not work either,
I still got the "untrusted root" error. So I took the next step and
imported the root CA into the "local machine" MMC certificate view. That
resolved my problem with the "untrusted root". I then ran into another
problem but soon resolved that as well, so that now everything works great.
I think one of the big lessons I learned from all this is that the MMC
interface is a much better means to manage certificates than the web
interface, especially considering my application has nothing to do with web
services.
"John_L_S" wrote:
> I am new to certificates and having difficulty understanding the
> implementation. I am adapting a network application to use SSL. Just for
> clarification this is not web-based. Just a server and client that exchange
> data over TCP/IP. To test my application I have set up a Windows 2000 server
> with a stand-alone CA and using certutil I created a certificate for my
> application. I have got my application to work when both the server
> application and client application are running on the same Windows server. I
> am now trying to run my client on another Windows server (just in case it is
> relevant this one has Windows 2003/SP1). When my client connects to my
> server on the first Windows server, the initial exchange in each direction
> goes fine, but when my client tries to "InitializeSecurityContext" on the
> second iteration it receives a SEC_E_UNTRUSTED_ROOT error. After searching
> MS doc/MSDN and newsgroups, it seemed I needed to import from my stand-alone
> CA. So using the web-based interface "http://
> tried to "download" the path, but same result. I next downloaded the CA
> certificate and then "imported" it and still the same result. Can someone
> help me out? What am I missing? Also, FYI, I am using the "stand-alone" for
> what I think is a simple and controllable test bed for me to familiarize
> myself with certificate handling as it applies to my SSL work and to shake
> out the bugs in my application. Thanks for any comments.
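
The store mismatch described in this post can be checked from a script. The following is an added example, not code from the original poster: it reports whether a root CA is in the CurrentUser or LocalMachine Root store and builds the chain in both user and machine context, so a root visible only to the logged-on user shows up as UntrustedRoot in machine context. The file paths are placeholders, revocation checking is turned off on the assumption of a stand-alone test CA, and `Import-Certificate` assumes a current Windows PowerShell with the PKI module.

```powershell
# Added example. Both paths below are placeholders (assumptions), not values from the post.
param(
    [string]$RootCerPath = 'C:\temp\test-root-ca.cer',  # exported root CA certificate
    [string]$LeafCerPath = 'C:\temp\server.cer',        # certificate the server presents
    [switch]$Install                                    # import root into LocalMachine\Root
)

$x509 = 'System.Security.Cryptography.X509Certificates'
$root = New-Object "$x509.X509Certificate2" $RootCerPath
$leaf = New-Object "$x509.X509Certificate2" $LeafCerPath

# 1. Where is the root CA? The CurrentUser view also lists machine-wide roots, so
#    "CurrentUser: present, LocalMachine: MISSING" means only this user trusts it.
foreach ($loc in 'CurrentUser', 'LocalMachine') {
    $hit = Get-ChildItem "Cert:\$loc\Root" |
        Where-Object { $_.Thumbprint -eq $root.Thumbprint }
    '{0,-12} Root store: {1}' -f $loc, $(if ($hit) { 'present' } else { 'MISSING' })
}

# 2. Build the chain with and without the user's stores. Machine context ignores
#    CurrentUser stores, which is why a root imported by an interactive user is
#    not trusted by a process running as a service.
function Test-Chain([bool]$MachineContext) {
    $chain = New-Object "$x509.X509Chain" $MachineContext
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # assumption: test CA, CRL unreachable
    $ok = $chain.Build($leaf)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    [pscustomobject]@{
        Context = $(if ($MachineContext) { 'Machine' } else { 'User' })
        Trusted = $ok
        Status  = $(if ($status) { $status } else { 'NoError' })
    }
}
Test-Chain $false
Test-Chain $true

# 3. Optional fix, matching the post's resolution: put the root in the machine
#    store. Requires an elevated prompt.
if ($Install) {
    Import-Certificate -FilePath $RootCerPath -CertStoreLocation Cert:\LocalMachine\Root
    Test-Chain $true
}
```

Adding a root to `LocalMachine\Root` makes every account on that machine trust certificates issued by that CA, so on a test bed like the one described it should be the test CA's certificate only.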