Group policy removes certificate from personal store


We have a Code Signing certificate that is issued by our enterprise CA.
We are using a group policy to deploy this certificate to the Trusted Publishers store on our domain computers.

This works as it should: The Root cert is added to Trusted Root Certification Authorities, and the code signing certificate is added to Trusted Publishers.

On our development computers we need this certificate (including its private key) to be in the personal store of the developer as well. Manually importing the *.pfx file works as expected.

However, after running gpupdate /force the certificate is removed from the personal store.
I don't know why this happens.

Screenshots of the GPO settings:

Update:
As CryptoGuy suggested in the comments, I ran certutil -verify -urlfetch certtoverify.cer. (I've X'ed out some personal information, and the output is translated from German, but I hope you can get the info you need):

Issuer:
    CN=XXXX
    DC=XXXX
    DC=XXXX
Subject:
    CN=XXXX
    OU=XXXX
    OU=XXXX
    OU=XXXX
    DC=XXXX
    DC=XXXX
Cert Serial Number: 3f3e6f53000100000079

dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwRevocationFreshnessTime: 21 Hours, 30 Minutes, 24 Seconds

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwRevocationFreshnessTime: 21 Hours, 30 Minutes, 24 Seconds

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=0
  Issuer: CN=XXXX, DC=XXXX, DC=XXXX
  NotBefore: 01.09.2014 10:18
  NotAfter: 01.09.2015 10:18
  Subject: CN=XXXX, OU=XXXX, OU=XXXX, OU=XXXX, DC=XXXX, DC=XXXX
  Serial: 3f3e6f53000100000079
  SubjectAltName: Other Name:Principal Name=XXXX@XXXX.XX
  Template: CodeSigning
  07 6c 8c ea d7 42 8e 63 95 12 c3 36 47 de f1 77 a4 a6 56 b9
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  Wrong Issuer "Certificate (0)" Time: 0
    [0.0] ldap:///CN=XXXX,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=XXXX,DC=XX?cACertificate?base?objectClass=certificationAuthority

  Expired "Certificate (1)" Time: 0
    [0.1] ldap:///CN=XXXX,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=XXXX,DC=XX?cACertificate?base?objectClass=certificationAuthority

  Verified "Certificate (2)" Time: 0
    [0.2] ldap:///CN=XXXX,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=XXXX,DC=XX?cACertificate?base?objectClass=certificationAuthority

  Verified "Certificate (2)" Time: 0
    [1.0] http://svr-XXXX.XXXX.XX/CertEnroll/svr-XXXX.XXXX.XX_XXXX(1).crt

  ----------------  Certificate CDP  ----------------
  Verified "Base CRL (085e)" Time: 0
    [0.0] ldap:///CN=XXXX,CN=svr-XXXX,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=XXXX,DC=XX?certificateRevocationList?base?objectClass=cRLDistributionPoint

  Verified "Delta CRL (085e)" Time: 0
    [0.0.0] ldap:///CN=XXXX,CN=svr-XXXX,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=XXXX,DC=XX?deltaRevocationList?base?objectClass=cRLDistributionPoint

  Verified "Delta CRL (085e)" Time: 0
    [0.0.1] http://svr-XXXX.XXXX.XX/CertEnroll/XXXX+.crl

  Verified "Base CRL (085e)" Time: 0
    [1.0] http://svr-XXXX.XXXX.XX/CertEnroll/XXXX.crl

  Verified "Delta CRL (085e)" Time: 0
    [1.0.0] ldap:///CN=XXXX,CN=svr-XXXX,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=XXXX,DC=XX?deltaRevocationList?base?objectClass=cRLDistributionPoint

  Verified "Delta CRL (085e)" Time: 0
    [1.0.1] http://svr-XXXX.XXXX.XX/CertEnroll/XXXX+.crl

  ----------------  Base CRL CDP  ----------------
  OK "Delta CRL (085f)" Time: 0
    [0.0] ldap:///CN=XXXX,CN=svr-XXXX,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=XXXX,DC=XX?deltaRevocationList?base?objectClass=cRLDistributionPoint

  OK "Delta CRL (085f)" Time: 0
    [1.0] http://svr-XXXX.XXXX.XX/CertEnroll/XXXX+.crl

  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------
    CRL 085e:
    Issuer: CN=XXXX, DC=XXXX, DC=XX
    6d 8c da 8f 04 15 d8 27 56 aa bb 96 fc 61 5a 80 6f 5b 5a e9
    Delta CRL 085f:
    Issuer: CN=XXXX, DC=XXXX, DC=XX
    e7 7e a4 34 b8 35 77 93 d2 96 0a af d3 ff c2 a0 57 51 36 99
  Application[0] = 1.3.6.1.5.5.7.3.3 Code Signing

CertContext[0][1]: dwInfoStatus=10c dwErrorStatus=0
  Issuer: CN=XXXX, DC=XXXX, DC=XX
  NotBefore: 11.09.2009 13:22
  NotAfter: 01.09.2019 10:11
  Subject: CN=XXXX, DC=XXXX, DC=XX
  Serial: 4a94f0d7dac38da64c2ae9076c54ae87
  Template: CA
  6b 5d fd 05 60 c5 25 c4 0a 66 58 5b 77 4a 84 ce 07 f0 46 54
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  Expired "Base CRL (03cd)" Time: 0
    [0.0] ldap:///CN=XXXX,CN=svr-YY01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=XXXX,DC=XX?certificateRevocationList?base?objectClass=cRLDistributionPoint

  Expired "Delta CRL (03cd)" Time: 0
    [0.0.0] ldap:///CN=XXXX,CN=svr-YY01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=XXXX,DC=XX?deltaRevocationList?base?objectClass=cRLDistributionPoint

  Failed "CDP" Time: 0
    Error retrieving URL: Error 0x801901f7 (-2145844745)
    [0.1.0] http://svr-YY01.XXXX.XX/CertEnroll/XXXX+.crl

  Failed "CDP" Time: 0
    Error retrieving URL: Error 0x801901f7 (-2145844745)
    http://svr-YY01.XXXX.XX/CertEnroll/XXXX.crl

  ----------------  Certificate OCSP  ----------------
  No URLs "None" Time: 0
  --------------------------------

Exclude leaf cert:
  4f 7d 53 0f 4f 73 08 3f e7 ba 64 c3 50 ee 71 9c bb c8 90 41
Full chain:
  43 56 70 7e c5 d6 14 ae 97 06 72 44 98 1c 7c 3f fe 56 c1 eb
------------------------------------
Verified Issuance Policies: None
Verified Application Policies:
    1.3.6.1.5.5.7.3.3 Code Signing
Leaf certificate revocation check passed.
CertUtil: -verify command completed successfully.
Tags: group-policy, certificate
asked on Server Fault Aug 4, 2015 by powerzone3000 • edited Aug 5, 2015 by powerzone3000
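One way to pin down where the certificate goes missing, as an added example that is not part of the original question or answer: the PowerShell below snapshots the stores the question involves (user and machine Personal, Trusted Publishers, Root) by thumbprint before and after gpupdate /force, and lists the certificates held in the Group Policy hive, which is what a policy refresh re-applies. It assumes Windows 8 / Server 2012 or later (for Test-Certificate from the PKI module), a domain-joined machine, and that $tp is the SHA-1 hash line printed under the leaf certificate in the verify output above; the function names Get-CertPlacement and Get-PolicyCerts are the example's own.

```powershell
# Added example (not from the original post). Assumptions: Windows 8 / Server 2012+
# for Test-Certificate, and a thumbprint supplied the way certutil prints it.

function Get-CertPlacement {
    param([Parameter(Mandatory)][string]$Thumbprint)

    # certutil prints the hash with spaces; the store objects use upper-case hex without them
    $Thumbprint = ($Thumbprint -replace '\s', '').ToUpperInvariant()

    # Stores the question involves: developer Personal, machine Personal, Trusted Publishers, Root
    $stores = 'Cert:\CurrentUser\My',
              'Cert:\LocalMachine\My',
              'Cert:\LocalMachine\TrustedPublisher',
              'Cert:\LocalMachine\Root'

    foreach ($store in $stores) {
        Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
            Where-Object { $_.Thumbprint -eq $Thumbprint } |
            ForEach-Object {
                [pscustomobject]@{
                    Store         = $store
                    Thumbprint    = $_.Thumbprint
                    HasPrivateKey = $_.HasPrivateKey          # must be True for the developer import
                    NotAfter      = $_.NotAfter
                    Expired       = $_.NotAfter -lt (Get-Date)
                    # Base chain validation; revocation problems surface as warnings, not $false
                    ChainValid    = [bool](Test-Certificate -Cert $_ -Policy BASE `
                                        -WarningAction SilentlyContinue -ErrorAction SilentlyContinue)
                }
            }
    }
}

function Get-PolicyCerts {
    # Certificates pushed by Group Policy are kept under the Policies hive, separate from the
    # local stores; this is the set that gpupdate writes back into the logical stores.
    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates'
    Get-ChildItem -Path $policyRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $storeName = $_.PSChildName
        Get-ChildItem -Path (Join-Path $_.PSPath 'Certificates') -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{ PolicyStore = $storeName; Thumbprint = $_.PSChildName }
            }
    }
}

# Usage: snapshot, refresh policy, snapshot again, and report which stores lost the cert.
# $tp is the SHA-1 hash line printed under the leaf certificate in the verify output.
$tp = '07 6c 8c ea d7 42 8e 63 95 12 c3 36 47 de f1 77 a4 a6 56 b9'

$before = @(Get-CertPlacement -Thumbprint $tp)
gpupdate /force | Out-Null
$after  = @(Get-CertPlacement -Thumbprint $tp)

"Before policy refresh:"; $before | Format-Table -AutoSize
"After policy refresh:";  $after  | Format-Table -AutoSize

$lost = $before.Store | Where-Object { $_ -notin $after.Store }
if ($lost) { "Removed by gpupdate from: $($lost -join ', ')" } else { "No store lost the certificate." }

"Certificates the policy hive will re-apply:"
Get-PolicyCerts | Format-Table -AutoSize
```

Two things worth reading off the result together with the verify output above. The leaf certificate's NotAfter is 01.09.2015, so the Expired column flips within weeks of the question date, which matches what the answer later reports. And the root CA's CRL fetch fails with 0x801901f7 (an HTTP 503 from the CDP host) while its LDAP CRL is expired; certutil still reported success because the chain was built with CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT, so a clean -verify does not mean the root's revocation data is healthy. Separately, a certificate deployed to Trusted Publishers is trusted domain-wide for code signing, so the private key that the developers import is the asset to protect: keep it off shared machines where possible and treat any copy of the PFX as a signing credential.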

1 Answer


A few days ago we issued a new Certificate because the old one expired, and it seems like the problem is solved.

There must have been something wrong with the original certificate.

answered on Server Fault Sep 1, 2015 by powerzone3000

User contributions licensed under CC BY-SA 3.0