Symptom & Impact
Admins receive browser trust warnings or cannot establish secure WAC sessions.
Environment & Reproduction
Happens after a certificate renewal where the intermediate chain was not installed.
Get-ChildItem Cert:\LocalMachine\My
Get-ChildItem Cert:\LocalMachine\CA
Root Cause Analysis
The gateway certificate exists, but the intermediate CA certificate is missing from the local machine's intermediate CA store (Cert:\LocalMachine\CA).
Quick Triage
Check cert chain status and WAC service binding thumbprint.
Step-by-Step Diagnosis
Inspect the certutil chain output and validate that the EKU and SAN match the gateway URL.
certutil -verify -urlfetch <path-to-exported-gateway-cert.cer>
Get-Item WSMan:\localhost\Listener\*
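
The chain, EKU and SAN checks above can be combined into one pass. This is an added example, not part of the original article; the thumbprint and host name are placeholders, and Test-GatewayCertificate is a hypothetical helper name.

```powershell
# Added example. Placeholder values, not taken from the article:
$Thumbprint  = '<gateway-cert-thumbprint>'   # thumbprint of the renewed gateway certificate
$GatewayHost = 'wac.example.internal'        # constructed host name from the gateway URL

function Test-GatewayCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$HostName
    )
    # Build the chain in machine context; revocation is out of scope for this check.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new($true)
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $built = $chain.Build($Certificate)

    # An issuer can appear in the built chain from a cached or downloaded copy,
    # so confirm each non-leaf element is really present in a local machine store.
    $missing = $chain.ChainElements | Select-Object -Skip 1 | ForEach-Object {
        $tp = $_.Certificate.Thumbprint
        $inStore = (Test-Path "Cert:\LocalMachine\CA\$tp") -or
                   (Test-Path "Cert:\LocalMachine\Root\$tp")
        if (-not $inStore) { $_.Certificate.Subject }
    }

    # EKU: Server Authentication OID; a certificate with no EKU extension is unrestricted.
    $eku  = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
    $serverAuth = (-not $eku) -or ($oids -contains '1.3.6.1.5.5.7.3.1')

    # SAN: DnsNameList is added by PowerShell's certificate type data.
    # -like lets a wildcard entry such as *.example.internal match (a loose match).
    $sanMatch = [bool]($Certificate.DnsNameList |
        Where-Object { $HostName -like $_.Unicode })

    [pscustomobject]@{
        ChainBuilt      = $built
        ChainStatus     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        NotInLocalStore = @($missing)   # issuers missing from LocalMachine\CA and Root
        ServerAuthEku   = $serverAuth
        HostNameInSan   = $sanMatch
    }
}

$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
Test-GatewayCertificate -Certificate $cert -HostName $GatewayHost | Format-List
```

A ChainStatus of PartialChain, or any subject listed under NotInLocalStore, points to the missing intermediate described in the root cause.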

Solution – Primary Fix
Install the full chain and rebind the gateway certificate.
Import-Certificate -FilePath C:\Temp\intermediate.cer -CertStoreLocation Cert:\LocalMachine\CA
Restart-Service ServerManagementGateway

Solution – Alternative Approaches
Reissue the certificate from an internal CA template that includes full chain deployment automation.
Verification & Acceptance Criteria
The browser shows a valid chain and WAC login works without warning prompts.
Rollback Plan
Restore the previous valid certificate binding and remove the faulty chain entries.
Prevention & Hardening
Add renewal runbook checks for SAN, EKU, and complete chain deployment.
Related Errors & Cross-Refs
Related to CRL distribution failures and TLS protocol mismatch policies.