Assume the following scenario:
- A certificate is requested through the Network Device Enrollment Service (NDES).
- Renewal mode is used here, i.e. the certificate request is signed with an existing certificate.
- The request for the new certificate fails with the following error message:
A certification chain processed correctly, but one of the CA certificates is not trusted by the policy provider. 0x800b0112 (-2146762478 CERT_E_UNTRUSTEDCA)
The Network Device Enrollment Service (NDES) provides a way for devices that do not have an identity in Active Directory (for example, network devices such as routers, switches, printers, thin clients, or smartphones and tablets) to request certificates from a certification authority. For a more detailed description, see the article "Network Device Enrollment Service (NDES) Basics".
The error code is displayed only on the client, and whether it is shown at all depends on the SCEP client used. The PSCertificateEnrollment PowerShell module evaluates the error codes returned by the NDES server, but other clients may not.
On the NDES server itself, only event ID 28 is logged, which can easily be misleading.
Cause
Do you know TameMyCerts? TameMyCerts is an add-on for the Microsoft certification authority (Active Directory Certificate Services). It extends the functionality of the certification authority and makes it possible to apply policies (rule sets) in order to securely automate certificate issuance. TameMyCerts is unique in the Microsoft ecosystem, has already proven itself in countless companies around the world and is available under a free license. It can be downloaded from GitHub and used free of charge. Professional maintenance is also offered.
The reason is that, in order to use renewal mode via NDES, the certification authority that issued the certificates to be renewed must be a member of NTAuthCertificates. If the certification authority has been removed from NTAuthCertificates, renewal mode cannot be used.
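The following PowerShell script is an added example (not part of the original article or the PSCertificateEnrollment module) that checks this condition before a renewal is attempted: it identifies the CA that issued an existing certificate and looks that CA up in the NTAuthCertificates object of the forest's configuration partition. It assumes a domain-joined machine with read access to the configuration partition, and that the certificate to be renewed is in the local machine store and identified by the placeholder parameter $Thumbprint.

```powershell
# Added example: determine whether the CA that issued an existing certificate is listed in
# NTAuthCertificates, i.e. whether the certificate can sign an NDES renewal request without
# the CA failing the CERT_E_UNTRUSTEDCA (0x800b0112) check.
# Assumptions: domain-joined machine, read access to the configuration partition,
# $Thumbprint (placeholder) names a certificate in Cert:\LocalMachine\My.
param(
    [Parameter(Mandatory = $true)]
    [string]$Thumbprint
)

# Locate the existing certificate that would sign the renewal request
$Cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $Cert) {
    throw "No certificate with thumbprint $Thumbprint found in Cert:\LocalMachine\My."
}

# Build the chain to identify the issuing CA certificate (element 0 is the leaf, element 1 its issuer).
# Revocation checking is disabled because only the issuer identity is needed here.
$Chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$Chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
[void]$Chain.Build($Cert)
if ($Chain.ChainElements.Count -lt 2) {
    throw "Could not build a chain for $Thumbprint; the issuer certificate is not available locally."
}
$IssuerCert = $Chain.ChainElements[1].Certificate

# Read the NTAuthCertificates object; its cACertificate attribute holds the DER-encoded CA certificates
$ConfigNC = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$NtAuth   = [ADSI]"LDAP://CN=NTAuthCertificates,CN=Public Key Services,CN=Services,$ConfigNC"
$NtAuthThumbprints = foreach ($Der in $NtAuth.psbase.Properties["cACertificate"]) {
    # The unary comma keeps the byte array from being splatted into separate constructor arguments
    (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList @(,[byte[]]$Der)).Thumbprint
}

# Compare by thumbprint: a CA with the same name but a renewed key is a different certificate
$IsTrusted = $NtAuthThumbprints -contains $IssuerCert.Thumbprint

[PSCustomObject]@{
    Certificate          = $Cert.Subject
    IssuingCA            = $IssuerCert.Subject
    IssuingCAThumbprint  = $IssuerCert.Thumbprint
    InNTAuthCertificates = $IsTrusted
    RenewalModeUsable    = $IsTrusted
}
```

If RenewalModeUsable is false, the renewal request will be rejected with CERT_E_UNTRUSTEDCA regardless of the SCEP client, and the CA certificate must be added back to NTAuthCertificates (see the related links) before renewal mode can be used.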
Related links:
- Certificate Enrollment for Windows Systems via the Network Device Enrollment Service (NDES) with Windows PowerShell
- Network Device Enrollment Service (NDES) Basics
- Is there a dependency of the Network Device Enrollment Service (NDES) on the NTAuthCertificates object?
- Editing the NTAuthCertificates object in Active Directory