If you find this error on your Skype for Business infrastructure, I recommend that you check how the root CA certificates are distributed to your local computers.

Root Cause Details:

When the root CA certificate is distributed using Group Policy, the contents of HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates are deleted and written again each time the policy is applied. This deletion is by design: it is how Group Policy applies registry-based settings.

Changes in the area of the Windows registry reserved for root CA certificates notify the Crypto API component inside the client application, and the application starts synchronizing its view of the store with the registry. This synchronization is how applications are kept up to date with the current list of valid root CA certificates.

In some cases, for example when a large number of root CA certificates are distributed via GPO (similar to what happens with large Firewall or AppLocker policies), Group Policy processing takes longer, and the application might synchronize while the key is only partially rewritten and therefore not receive the complete list of trusted root CA certificates.

Because of this, end-entity certificates that chain to one of the missing root CA certificates are treated as untrusted, and various certificate-related problems start to occur. The problem is intermittent and can be resolved temporarily by forcing Group Policy processing again (for example with gpupdate /force) or by rebooting.

If the root CA certificate is published using an alternative method that does not write to the policy key, the problem should not occur, because the certificate is no longer subject to the delete-and-rewrite cycle described above.
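The check described at the top of this page (how the root CA certificates are actually delivered to a machine) can be scripted. The following PowerShell is an added example, not code from the original article: it lists every trusted root on the local machine by the physical store it lives in, flags the ones that exist only in the Group Policy store (the key that is deleted and rewritten during policy processing), and then reports, for each certificate in the local machine Personal store, which root it chains to and how that root is delivered. Run it from an elevated prompt on the affected Skype for Business machine; the registry paths are the two named in this article.

```powershell
# Added example (not part of the original article). Run from an elevated PowerShell prompt.
$gpoKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
$localKey = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates'

# Each subkey under these locations is named after the SHA-1 thumbprint of one certificate.
function Get-RootThumbprints([string]$Path) {
    if (-not (Test-Path -Path $Path)) { return @() }
    @(Get-ChildItem -Path $Path | ForEach-Object { $_.PSChildName.ToUpperInvariant() })
}

$viaGpo   = Get-RootThumbprints $gpoKey
$viaLocal = Get-RootThumbprints $localKey

# Classify a root by the physical store(s) that hold it. The logical Root store
# (Cert:\LocalMachine\Root) merges the Registry, Group Policy and other physical stores.
function Get-RootSource([string]$Thumbprint) {
    $inLocal = $viaLocal -contains $Thumbprint
    $inGpo   = $viaGpo   -contains $Thumbprint
    if ($inLocal -and $inGpo) { return 'Registry + GPO' }
    if ($inLocal)             { return 'Registry' }
    if ($inGpo)               { return 'GPO only' }
    return 'Other (built-in, third-party, enterprise)'
}

# 1. Inventory: where does each trusted root on this machine come from?
$report = Get-ChildItem -Path Cert:\LocalMachine\Root | ForEach-Object {
    $tp = $_.Thumbprint.ToUpperInvariant()
    [pscustomobject]@{ Source = Get-RootSource $tp; Thumbprint = $tp; Subject = $_.Subject }
}
$report | Sort-Object Source, Subject | Format-Table -AutoSize

$gpoOnly = @($report | Where-Object { $_.Source -eq 'GPO only' })
Write-Host ("Roots delivered only through the Group Policy store: {0}" -f $gpoOnly.Count)

# 2. Impact: for every end-entity certificate in the local machine Personal store (where
#    the Skype for Business certificates live), find the root it chains to and how that
#    root is delivered. "GPO only" roots are the ones this issue affects. If the root is
#    missing at the moment the chain is built, the chain ends at an intermediate instead.
Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust only; revocation is a separate concern
    $valid  = $chain.Build($_)
    $top    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $topTp  = $top.Thumbprint.ToUpperInvariant()
    [pscustomobject]@{
        Certificate  = $_.Subject
        ChainValid   = $valid
        ChainTop     = $top.Subject
        IsSelfSigned = ($top.Subject -eq $top.Issuer)
        RootSource   = Get-RootSource $topTp
    }
} | Format-Table -AutoSize
```

A row with ChainValid False and IsSelfSigned False means the chain stopped at an intermediate because the root could not be found at that moment; a row whose RootSource is "GPO only" is a candidate for the intermittent failure described above even if the chain happens to validate when you run the script.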


Microsoft is aware of this issue and is working to improve the certificate and Crypto API experience in a future version of Windows.

To address this issue, avoid distributing the root CA certificate through the Group Policy certificate settings, or through any other mechanism that targets the policy registry location (HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates) to deliver the root CA certificate to the client.

Storing the root CA certificate in a different physical root CA certificate store, in particular the local machine Registry store under HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates, resolves the problem.

Examples of alternative methods for publishing root CA certificates

Method 1: Use the command-line tool certutil to add the root CA certificate stored in the file rootca.cer to the local machine Root store:

certutil -addstore root c:\tmp\rootca.cer


This command must be run by a local administrator (from an elevated prompt) and affects only the single machine it is run on.

Method 2: Start certlm.msc (the Certificates management console for the local machine) and import the root CA certificate into the Registry physical store under Trusted Root Certification Authorities.

The certlm.msc console also requires local administrator rights, and the import affects only a single machine.

Method 3: Use Group Policy Preferences to publish the root CA certificate as a registry item, as described in the Group Policy Preferences documentation.

To publish the root CA certificate:

  1. Manually import the root certificate on one machine using the command certutil -addstore root c:\tmp\rootca.cer (see Method 1).
  2. Open GPMC.msc on the machine where you imported the root certificate.
  3. Edit the GPO that you want to use to deploy the registry settings:
    1. Navigate to Computer Configuration | Preferences | Windows Settings | Registry | .. path to the root certificate.
    2. Add the root certificate's registry key to the GPO as shown in the following screenshot.
  4. Deploy the new GPO to the machines where the root/intermediate certificate needs to be published.
Any other method, tool, or client-management solution that distributes root CA certificates by writing them into HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates will work as well.
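The steps of Method 3, and the generalization in the previous paragraph to any tool that writes the Registry physical store, can be reproduced with the PowerShell below. It is an added example, not code from the original article or from Microsoft: it imports the root certificate into LocalMachine\Root (which is the Registry physical store, not the policy key), reads back the Blob value Windows wrote under HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\<thumbprint>, and exports that key as a .reg file. The file can be fed to reg import by any client-management tool, or used as the reference for the Group Policy Preferences Registry item. The input and output paths are assumptions; run it from an elevated prompt.

```powershell
# Added example (not part of the original article). Run from an elevated PowerShell prompt.
$ErrorActionPreference = 'Stop'
$CerPath = 'C:\tmp\rootca.cer'        # assumed input file, same as in Method 1
$RegOut  = 'C:\tmp\rootca-root.reg'   # assumed output location

# 1. Load the certificate and refuse anything that is not self-signed: only roots belong here.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath
if ($cert.Subject -ne $cert.Issuer) {
    throw "$CerPath is not a self-signed root certificate (subject differs from issuer)."
}

# 2. Add it to LocalMachine\Root. The X509Store API writes to the Registry physical store
#    under HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT, not to the Policies key that
#    Group Policy deletes and rewrites. (certutil -addstore root does the same.)
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()

# 3. Read the Blob value Windows just wrote. It is CryptoAPI's own serialized certificate
#    format (properties plus the DER certificate), not raw DER, so copy it rather than
#    trying to construct it yourself.
$thumb   = $cert.Thumbprint.ToUpperInvariant()
$keyPath = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\$thumb"
if (-not (Test-Path -Path $keyPath)) {
    throw "Expected registry key $keyPath was not created; import did not go to the Registry store."
}
[byte[]]$blob = (Get-ItemProperty -Path $keyPath -Name Blob).Blob

# 4. Emit a .reg file. REG_BINARY data is written as hex: followed by comma-separated bytes.
$hex = ($blob | ForEach-Object { $_.ToString('x2') }) -join ','
$regText = @"
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\$thumb]
"Blob"=hex:$hex
"@
Set-Content -Path $RegOut -Value $regText -Encoding Unicode

Write-Host ("Imported '{0}' with thumbprint {1}" -f $cert.Subject, $thumb)
Write-Host ("Registry export written to {0} ({1} bytes of blob data)" -f $RegOut, $blob.Length)
```

On a target machine, reg import C:\tmp\rootca-root.reg from an elevated prompt writes the same key, which is exactly what the last paragraph above describes. For Method 3, the corresponding Group Policy Preferences Registry item uses hive HKEY_LOCAL_MACHINE, key path SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\<thumbprint>, value name Blob, type REG_BINARY and the same data; the Registry Wizard in the GPP editor can browse to that key on the machine where you ran the import.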

