It all started when I found an error on the certificate I was trying to import for SQL Server Reporting Services.
On the general tab the error is "A system-level error occurred while verifying trust.".
On the Certification Path tab, the root certificate is not shown in the chain like it should. There is an error at the bottom: "This certificate has an invalid digital signature".
All certificates issued from AD CS have these same errors when viewing them in the console on nearly all domain computers. Machines running an older OS, such as Vista and Windows 7, do not show any errors.
I imported one of the certificates along with the root certificate on to a non-domain joined PC (Windows 10 Home). There were no errors.
It seems I could safely ignore the errors as all applications continue to work.
I also found that the signing certificate for the Online Responder service went bad as it did not automatically renew. I had to enable a setting on the CA that allows renewal for requests which include an Authority Key Identifier.
I recreated the Revocation Configuration for the Online Responder and all tests and status messages show that it's now working, yet it has not resolved the issue with the errors on the certificates.
On a workstation I found heaps of events like this:
Possible detection of CVE: [CVE-2020-158] cert chain exceeded limit
Additional Information: Cert: <DT-12-17782.hestnet.com> sha1: 285A7CE1B0DFBC9EA886DB277E349EA04BE39B4F IssuerDepthCount: 13 Limit: 12
This Event is generated when an attempt to exploit a known vulnerability ([CVE-2020-158] cert chain exceeded limit) is detected.
This Event is raised by a User mode process.
I searched the web for the CVE ID but it doesn't appear to be a valid CVE ID. What's even more bizarre, is the fact that it reports the issuer depth count to be 13. I don't have any intermediate CA's! Only the root CA, and then all end-entity certs are issued from there. I do have almost a dozen cross-ca certificates but from my limited understanding of PKI, they should not have any impact on the chain length.