Channel: Windows Server Forum

When exactly does CAPI2 automatically delete an internal root CA (Event ID 4108 - Source CAPI2)?

Hi everybody,

We use certificate-based authentication of clients to allow access to the core parts of our IIS web app.

This means we create our own CA certificate and store it, along with the private key, in the Personal Certificates of "Local Machine". In "Trusted Root Certification Authorities" we store the same CA, just without a private key.

To known clients we issue certificates that match our CA, so IIS allows them to access our app.

But sometimes - and only sometimes - CAPI2 deletes our root CAs and thus breaks access to the IIS. CAPI2 adds entries to event log like "Successful auto delete of third-party root certificate:...".

This we saw on Server 2008 R2s and Server 2012. But not every time and not on every machine.

We know that we could turn off the "Automatic Root Certificates Update Configuration" completely but this cannot be the solution.

So when does CAPI2 regard a CA as untrustworthy? Is there something we have to change in the certificate maybe?

Best regards,

Lars Wittenburg

