
How to fix the error code sec_error_ca_cert_invalid?

By Alton Alexander, updated on June 4th, 2022

The error code sec_error_ca_cert_invalid indicates that the specified certificate is not valid for the requested purpose. This can happen for a number of reasons, for example because the certificate has been revoked or because it is not signed by a trusted authority.

1. Check that the CA certificate is valid

  1. In CA Central Administration, click Security > Certificate Authorities.
  2. On the View CA List page, verify that the CA certificate is listed.
  3. If the CA certificate is not listed, verify that the certificate has been installed and is valid.
  4. If the CA certificate is listed but is not valid, verify that the CA certificate is installed and has been signed by a trusted authority.
  5. If the CA certificate is listed and is valid, verify that the certificate is installed on the local system and that the certificate is not expired.
  6. If the CA certificate is listed and is valid, verify that the certificate is installed on the remote system and that the certificate is not revoked.

2. Check that the CA certificate is trusted

The steps to check that the CA certificate is trusted are as follows:

  1. Open the Windows Certificate Manager.
  2. In the Windows Certificate Manager, click on the Trusted Root Certification Authorities (CA) link.
  3. On the CA Management tab, check the box next to the CA certificate that you want to check.
  4. Click on the Details button next to the CA certificate.
  5. On the Details tab, look for the Verification Status field and verify that it is set to Verified.
  6. If the Verification Status field is not set to Verified, click on the Actions button and then on the Update button.
  7. In the Update Certificate dialog box, enter the credentials of the local administrator account and click on the OK button.
  8. Close the Windows Certificate Manager.

3. Check that the CA certificate has the correct key usage

  1. Navigate to the "Windows Security" node in the "Control Panel" on the computer on which the CA certificate is installed.
  2. Click on the "Certificates" node.
  3. Right-click on the CA certificate and select "Properties".
  4. Click on the "Key Usage" tab.
  5. Verify that the "Digital Signature" check box is checked and that the "Key Usage" value matches the value in the "Subject" field of the CA certificate. If the check box is not checked, change the "Key Usage" value in the "Subject" field to match the value in the "Key Usage" field of the CA certificate.

If the steps above did not work, you should also try the following:

  1. Check that the CA certificate has the correct extended key usage.
  2. Check that the CA certificate is not expired.
  3. Check that the CA certificate is not revoked.
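The checks in sections 1 to 3 and in the list above (validity dates, CA trust, key usage) can also be run from the command line instead of clicking through a GUI. The script below is an added example and is not part of the original article; it assumes an OpenSSL 1.1.1 or newer `openssl` binary on the PATH. It constructs two self-signed sample certificates, one with the extensions a CA needs (basicConstraints CA:TRUE, keyUsage keyCertSign) and one without them, and then audits each for expiry, CA status, certificate-signing key usage and a verification against itself as trust anchor. The certificate names and the helper function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original article: audit a CA certificate with
# the openssl CLI for the conditions the article lists (validity window,
# basicConstraints CA:TRUE, a keyUsage that permits certificate signing) and
# then run openssl verify with the certificate as its own trust anchor.
# Assumption: openssl 1.1.1 or newer is on PATH. Both certificates generated
# here are constructed sample input.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
GOOD_CERT="$WORK/good.pem"
BAD_CERT="$WORK/bad.pem"

# Minimal request config with one extension section per sample certificate.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[good_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[bad_ext]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
subjectKeyIdentifier = hash
EOF

# make_self_signed <extension_section> <common_name> <out_pem>
make_self_signed() {
  openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -config "$WORK/req.cnf" -extensions "$1" -subj "/CN=$2" -days 30 \
    -keyout "$3.key" -out "$3" 2>/dev/null
}

# Constructed sample: a properly formed CA certificate.
make_self_signed good_ext "Example Good CA" "$GOOD_CERT"
# Constructed sample: self-signed, but CA:FALSE and unable to sign certificates,
# i.e. "not valid for the requested purpose" when used as an issuer.
make_self_signed bad_ext "Example Bad CA" "$BAD_CERT"

# 0 when the certificate has not expired (-checkend 0 asks "expires within 0 s?").
cert_not_expired() { openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; }

# 0 when basicConstraints carries CA:TRUE.
cert_is_ca() { openssl x509 -in "$1" -noout -ext basicConstraints 2>/dev/null | grep -q 'CA:TRUE'; }

# 0 when keyUsage includes Certificate Sign (keyCertSign).
cert_can_sign_certs() { openssl x509 -in "$1" -noout -ext keyUsage 2>/dev/null | grep -q 'Certificate Sign'; }

# 0 when the certificate validates (signature and dates) as its own trust anchor.
cert_verifies() { openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; }

# audit_ca_cert <pem>: one PASS/FAIL line per check; returns 0 only if all pass.
audit_ca_cert() {
  rc=0
  for check in cert_not_expired cert_is_ca cert_can_sign_certs cert_verifies; do
    if "$check" "$1"; then echo "PASS $check $1"; else echo "FAIL $check $1"; rc=1; fi
  done
  return $rc
}

# Show the fields a troubleshooter looks at first, then audit both samples.
openssl x509 -in "$GOOD_CERT" -noout -subject -dates -ext basicConstraints,keyUsage
audit_ca_cert "$GOOD_CERT"
audit_ca_cert "$BAD_CERT" || echo "bad CA rejected, as expected"
```

To audit a real CA certificate exported from the certificate store, run `audit_ca_cert /path/to/ca.pem`; a FAIL on `cert_is_ca` or `cert_can_sign_certs` points at the key usage and basic constraints checks in section 3, while a FAIL on `cert_not_expired` or `cert_verifies` points at the expiry and signature checks in section 1. Revocation status is not covered here because it requires the issuer's CRL or OCSP responder.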