Affected versions: Windows Server 2022


Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Admins receive browser trust warnings or cannot establish secure WAC sessions.

Environment & Reproduction

This happens after a certificate renewal where the intermediate chain was not installed.

Get-ChildItem Cert:\LocalMachine\My
Get-ChildItem Cert:\LocalMachine\CA

Root Cause Analysis

The gateway certificate exists, but the intermediate CA certificate is missing from the local trust store.

Quick Triage

Check the certificate chain status and the thumbprint bound to the WAC service.

Step-by-Step Diagnosis

Inspect the certutil chain output and validate that the EKU and SAN match the gateway URL.

certutil -verify -urlfetch <path-to-exported-gateway-certificate.cer>
Get-Item WSMan:\localhost\Listener\*

Solution – Primary Fix

Install the full chain and rebind the gateway certificate.

Import-Certificate -FilePath C:\Temp\intermediate.cer -CertStoreLocation Cert:\LocalMachine\CA
Restart-Service ServerManagementGateway

Solution – Alternative Approaches

Reissue the certificate from an internal CA template that includes full-chain deployment automation.

Verification & Acceptance Criteria

The browser shows a valid chain and WAC login works without warning prompts.

Rollback Plan

Restore the previous valid certificate binding and remove the faulty chain entries.

Prevention & Hardening

Add renewal runbook checks for SAN, EKU, and complete chain deployment.
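
One way to script those renewal checks (SAN, EKU, complete chain) is sketched below. It is an added example, not from the original page or from Microsoft. The parameter names and the findings list are this example's own, and the SAN parsing assumes English-formatted extension output.

```powershell
# Added example: renewal runbook check for the gateway certificate.
# $Thumbprint and $GatewayHost are placeholders supplied by the operator.
param(
    [Parameter(Mandatory)][string]$Thumbprint,
    [Parameter(Mandatory)][string]$GatewayHost   # host name used in the WAC URL
)
$findings = @()
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq ($Thumbprint -replace '\s', '') }
if (-not $cert) { throw "Certificate $Thumbprint not found in Cert:\LocalMachine\My" }

# SAN (OID 2.5.29.17): the gateway host name must be listed as a DNS entry.
# Assumption: the extension formats entries as "DNS Name=..." (English locale).
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sans = @()
if ($sanExt) {
    $sans = @([regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value })
}
$sanOk = $false
foreach ($san in $sans) {
    # A wildcard entry covers exactly one left-most label.
    $wild = $san.StartsWith('*.') -and $GatewayHost.Contains('.') -and
        ($GatewayHost.Substring($GatewayHost.IndexOf('.')) -eq $san.Substring(1))
    if (($san -eq $GatewayHost) -or $wild) { $sanOk = $true }
}
if (-not $sanOk) { $findings += "SAN does not cover $GatewayHost (found: $($sans -join ', '))" }

# EKU: if the extension is present it must include Server Authentication.
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
if ($ekuExt -and ($ekuOids -notcontains '1.3.6.1.5.5.7.3.1')) {
    $findings += 'EKU is present but lacks Server Authentication (1.3.6.1.5.5.7.3.1)'
}

# Chain: skip revocation here, then require every intermediate to be
# installed in the machine CA store rather than only resolvable at build time.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new($true)
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if (-not $chain.Build($cert)) {
    $findings += $chain.ChainStatus | ForEach-Object { "Chain: $($_.Status)" }
}
$elements = @($chain.ChainElements)
for ($i = 1; $i -lt $elements.Count - 1; $i++) {   # index 0 = leaf, last = root
    $tp = $elements[$i].Certificate.Thumbprint
    if (-not (Test-Path "Cert:\LocalMachine\CA\$tp")) {
        $findings += "Intermediate '$($elements[$i].Certificate.Subject)' is not in Cert:\LocalMachine\CA"
    }
}
if ($findings) { $findings; exit 1 } else { 'OK: SAN, EKU and chain checks passed' }
```

Run it after each renewal and before rebinding; a non-zero exit code means at least one check failed.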

Related Errors & Cross-Refs

Related to CRL distribution failures and TLS protocol mismatch policies.

References & Further Reading

Microsoft Learn: Windows Admin Center certificate requirements and gateway hardening guidance.
