Tags: certificate, client-certificates, pki

ADCS Root CA not present in certificate chain PKI


We have a Windows 2019 DC - ADCS PKI. It consists of a Root CA and a Subordinate CA. When the Subordinate CA issues a certificate, the Root CA is not present in the chain. If you open the issued certificate and go to the "Certification Path" tab, the Subordinate CA certificate is the highest in the chain. If you click on it, it shows "The issuer of this certificate could not be found." as the certificate status.

Now I have 2 questions.

  • What can I change in my PKI configuration so that the Root CA will always be present in newly issued certificates? (I assume it is due to a misconfiguration.)
  • Can I add the Root CA into an already issued certificate?

Solution

  • I think you're misunderstanding the role of the Root CA certificate here, as well as the concept of the certificate chain.

    When your subordinate CA issues a certificate to an end-entity (such as IIS, for example), the only connection the issued certificate has with the subordinate CA is that the name of the CA is embedded within the certificate (the Issuer field) and that this certificate is signed by the CA's private key, with this signature also embedded as part of the certificate. The CA certificate is not attached to your certificate in any other way.

    When you double-click on the certificate in Windows, it shows you details of that certificate. When you look at the Certification Path tab, it simply shows you as much of the chain as it can work out. It will look at the issuer of your certificate and, if it has access to the Sub CA certificate from its certificate store or by downloading it from the repository, it will list it too. That CA certificate also has an issuer (the Root CA in your case) and, if it has access to that within its certificate store, it will also list it in the Certification Path.

    The Root CA is installed in a specific certificate store called the trust-anchor store. This is where you (or your admins) install root certificates that you have verified and have decided to trust. These are used to build certificate chains. That is, if your certificate chains to a root CA certificate in this trust-anchor store, then you are implicitly trusting your certificate. If a certificate doesn't chain to a root CA certificate in your trust-anchor store, then you don't trust that certificate. It is the latter that you're seeing at the moment. That is, you haven't installed the root CA certificate in your trust-anchor store.

    In Windows, the trust-anchor store is shown as a subfolder of your Certificates MMC called Trusted Root Certification Authorities.

    You can manually import your root CA into this trust-anchor store (right-click, All Tasks > Import...), or you can use Active Directory or Group Policy to distribute it to all or some computers.

    Once you have your root CA installed in your trust-anchor store, you should be able to view the whole chain and won't get the "The issuer of this certificate could not be found." message.
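The following PowerShell is an added example, not part of the question or the answer above. It reproduces what the Certification Path tab does (chain building against the local trust-anchor store), shows the status that corresponds to "The issuer of this certificate could not be found.", and then applies the two fixes the answer describes: importing the root into Trusted Root Certification Authorities on one machine, and publishing it to Active Directory so domain-joined machines receive it. The file paths `C:\pki\issued.cer` and `C:\pki\RootCA.cer` are assumptions; substitute an end-entity certificate issued by your Sub CA and the Root CA's self-signed certificate.

```powershell
# Added example (not from the original answer). Assumed inputs:
#   C:\pki\issued.cer  - a certificate issued by the Subordinate CA
#   C:\pki\RootCA.cer  - the Root CA's self-signed certificate (exported from the Root CA)
# Run from an elevated prompt; the AD publish step needs Enterprise Admin rights.

$issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\pki\issued.cer'

function Show-Chain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # X509Chain uses the same engine (CryptoAPI / CertGetCertificateChain) as the
    # Certification Path tab, so it reports the same trust problems.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip revocation so a CRL/OCSP hiccup does not mask the trust-anchor problem
    $chain.ChainPolicy.RevocationMode = 'NoCheck'

    $built = $chain.Build($Cert)
    "Chain builds to a trusted root: $built"
    foreach ($element in $chain.ChainElements) {
        "  {0}" -f $element.Certificate.Subject
        foreach ($status in $element.ChainElementStatus) {
            # Missing root shows up here as PartialChain on the highest element found
            "     status: {0} - {1}" -f $status.Status, $status.StatusInformation.Trim()
        }
    }
    $chain.Reset()   # release the native chain context
    return $built
}

# 1. Diagnose: with the root absent from the trust-anchor store the chain stops at the
#    Sub CA and the Sub CA element carries the PartialChain status.
Show-Chain $issued

# 2. Fix on this machine: import the root into Trusted Root Certification Authorities
#    (Cert:\LocalMachine\Root is the trust-anchor store the answer refers to).
Import-Certificate -FilePath 'C:\pki\RootCA.cer' -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Re-check: the path now lists issued cert -> Sub CA -> Root CA with no status entries.
Show-Chain $issued

# 3. Fix for the whole domain: publish the root into the AD configuration partition.
#    'RootCA' is the literal store name certutil expects; domain-joined computers copy
#    it into their local Trusted Root store on the next autoenrollment / Group Policy cycle.
certutil -dspublish -f 'C:\pki\RootCA.cer' RootCA

# Optional: trigger autoenrollment on a client instead of waiting for the next cycle,
# then confirm the chain from the command line.
certutil -pulse
certutil -verify 'C:\pki\issued.cer'
```

`Import-Certificate` (PKI module) writes only to the local machine; it is the scripted form of the MMC import in the answer. `certutil -dspublish` is the Active Directory distribution path the answer mentions, and it does not change the issued certificate at all: the chain appears because the client can now find the root in its trust-anchor store, not because anything was added to the end-entity certificate.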