DigiCert High Assurance EV Root CA FAIL

This weekend some of my team members (Chris Lehr) at ExtraTeam experienced an issue with Lync services not starting at random, which was caused by an issue with DigiCert’s SSL cert chain. I then personally experienced the same issue this morning at another location.

DigiCert posted a blog saying this was only impacting Mac OS X systems; however, I had this issue in a Windows Server 2008 R2 environment.

Symptoms Of The Issue:

Source: LS Protocol Stack
Event ID: 14397
A configured certificate could not be loaded from store. The serial number is attached for reference.
Extended Error Code: 0x800B0110 (The certificate is not valid for the requested usage.).

Source: LS Server
Event ID: 12303
The protocol stack reported a critical error: code 800B0110 (Configuration failure prevented the server from starting up). The service has to stop.

Source: LS Protocol Stack
Event ID: 14590
Unable to use the certificate configured for the internal edge of the Access Edge Server.
Error 0x800B0110 (The certificate is not valid for the requested usage.).
Cause: The certificate may have been deleted or may be invalid, or permissions are not set correctly.
Resolution:
Ensure that a valid certificate is present in the local computer certificate store. Also ensure that the server has sufficient privileges to access the store.

If you browse the certification path you’ll note that DigiCert High Assurance EV Root CA has a warning message of, “This certificate has been deactivated.”


Resolution:

Download the latest version of DigiCert Util and save it local to the server/machine having the issue.

Highlight the certificate having the issue and click “Action Required”. Hit Repair/Fix/OK.


Ensure you’re no longer seeing the Action Required alert in the main window afterwards. I was prompted that a reboot may be required; however, I did not have to.


Take another look at the certification path to validate the issue appears resolved.


Now for some Monday morning common sense: validate that the Lync services can now be started successfully.
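The certification-path check in the steps above can also be run from PowerShell, before and after the repair. This is an added example, not part of the original post or a DigiCert tool; it assumes the certificate lives in the local computer's Personal store and that Server Authentication is the usage being requested, and the function name is hypothetical.

```powershell
# Added example: read-only report of chain status for each certificate in a store.
# Written to run on PowerShell 2.0 (Windows Server 2008 R2).
function Test-CertChainUsage {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        # Assumption: Server Authentication EKU is the usage to validate against.
        [string]$UsageOid  = '1.3.6.1.5.5.7.3.1'
    )

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # $true = build the chain in the machine context, as a service would.
        $chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true

        # Skip CRL/OCSP lookups so the check works without network access.
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck

        # Ask the chain engine to validate for the requested usage.
        $oid = New-Object -TypeName System.Security.Cryptography.Oid -ArgumentList $UsageOid
        [void]$chain.ChainPolicy.ApplicationPolicy.Add($oid)

        $valid = $chain.Build($cert)

        # Walk leaf -> intermediate(s) -> root and report each element's flags,
        # so it is visible WHICH certificate in the path carries the problem.
        foreach ($element in $chain.ChainElements) {
            $flags = @($element.ChainElementStatus | ForEach-Object { $_.Status })
            if ($flags.Count -eq 0) { $status = 'OK' } else { $status = $flags -join ', ' }

            New-Object PSObject -Property @{
                LeafSubject    = $cert.Subject
                ChainValid     = $valid
                ElementSubject = $element.Certificate.Subject
                Thumbprint     = $element.Certificate.Thumbprint
                # NotValidForUsage here carries the same meaning as the
                # "not valid for the requested usage" text in the event log.
                Status         = $status
            } | Select-Object LeafSubject, ChainValid, ElementSubject, Thumbprint, Status
        }
        $chain.Reset()
    }
}

# Show only chain elements that did not validate cleanly.
Test-CertChainUsage | Where-Object { $_.Status -ne 'OK' } | Format-List
```

No output from the last line means every chain element validated for the assumed usage.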
