
SSL "A certificate chain couldn't be constructed for the certificate" error

Hello everyone,

We recently renewed our wildcard certificate on our Exchange 2016 Server On Prem.
We've followed a guide that consisted of making a CSR and then completing the certificate request through IIS.
We've installed the certificate and applied it to the IIS and SMTP services.

We have errors when connecting on mobile devices. We ran the Microsoft Analyzer and this is the error we get:

"Certificate trust is being validated.
Certificate trust validation failed.
Test Steps

The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=*.company.com.
A certificate chain couldn't be constructed for the certificate.
Additional Details
The certificate chain has errors. Chain status = NotTimeValid."

The certificate works fine and we are also using it on other websites/devices, and it's also weird that it shows that the certificate is OK with the new certificate, but with some SSL checker tools it still shows the older certificate.

What could be the cause of this? We've found some things about the root and intermediate certificates, but we have already tried to install all kinds of certificate types that we got, including ca.bundle, to make sure that we have the root and intermediate certificates as well.

How can we proceed? What should the troubleshooting steps be?

Obs: We are not very familiar with certificates so any help/guide would be helpful, even though it may seem basic.

Thanks

Tags: office-exchange-server-administration, windows-server-iis

@MagnoGandorini-8907

"The certificate works fine and we are also using it on other websites/devices, and it's also weird that it shows that the certificate is OK with the new certificate, but with some SSL checker tools it still shows the older certificate."

I think this problem may be caused by multiple certification paths on the server. You can try to delete or disable the certificate from the certification path that you don't want.


Hello Sam, thanks for the answer. There were indeed multiple certification paths on the server, and we basically removed everything related to this particular CA and installed it again. I think this fixed the trusted chain problem, because the SSL checker tool no longer reports errors for the trusted chain. Microsoft Analyzer still gives an untrusted chain problem, but it shows this message: "The certificate chain has errors. Chain status = NotTimeValid." And even though the SSL Checker tool says the trusted chain is OK, it says the certificate is expired (I thought this would be fixed by fixing the untrusted chain problem). So basically, the SSL cert shows its full chain and it's valid. But on these tools and on the mobile devices, it still shows the old certificate. We have already eliminated the old certificate from the server and applied the services to this new certificate we installed. Is there anything else that needs to be done regarding the certificates? We already restarted the IIS services, restarted the server itself, and it's been a few days, so I don't think it's a cache problem.


@MagnoGandorini-8907 Try the method in this link: certificate-trust-validation-failed.html.

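An added example, not code posted in this thread, that checks the two things discussed above from the server itself: which element of the chain Windows builds for the installed certificate carries the NotTimeValid status, and whether the CA stores hold duplicate (old plus renewed) intermediate or root certificates that produce multiple certification paths. The thumbprint is a placeholder; take the real one from the certificate bound in IIS.

```powershell
# Added example (not from the thread). Inspect the chain Windows builds for an
# installed certificate and list duplicate CA certs that create multiple paths.
param(
    # Placeholder: replace with the thumbprint of the renewed wildcard certificate.
    [string]$Thumbprint = 'PLACEHOLDER_THUMBPRINT'
)

$leaf = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $leaf) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }

# Build the chain with the Windows chain engine (via .NET X509Chain) and show,
# per element, its status flags (e.g. NotTimeValid) and validity window.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($leaf)
Write-Host "Chain builds without errors: $built"
foreach ($element in $chain.ChainElements) {
    $cert   = $element.Certificate
    $status = ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
    if (-not $status) { $status = 'NoError' }
    "{0,-14} {1}" -f $status, $cert.Subject
    "               valid {0:u} -> {1:u}  thumbprint {2}" -f $cert.NotBefore, $cert.NotAfter, $cert.Thumbprint
}

# Multiple certification paths: more than one certificate with the same subject
# (typically an expired and a renewed intermediate) in the CA or Root stores.
# An expired duplicate chosen by the chain engine yields Chain status = NotTimeValid.
$now = Get-Date
Get-ChildItem Cert:\LocalMachine\CA, Cert:\LocalMachine\Root |
    Group-Object Subject |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object {
        Write-Host "Duplicate subject: $($_.Name)"
        foreach ($dup in $_.Group) {
            $state = if ($dup.NotAfter -lt $now) { 'EXPIRED' } else { 'valid' }
            "    {0}  {1,-7} until {2:u}  store {3}" -f $dup.Thumbprint, $state, $dup.NotAfter, $dup.PSParentPath
        }
    }
```

Run it in an elevated PowerShell on the Exchange server; an expired duplicate in the CA store is the candidate to remove so that only the current intermediate remains in the path.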

0 Answers