I was asked to look at a customer’s Exchange 2010 ActiveSync publishing rule in TMG 2010, as the ActiveSync test on the Microsoft Exchange Connectivity test site was failing with the error “The Certificate Chain Did Not End In A Trusted Root”.
OWA publishing was working fine with the same SAN certificate from Digicert. I quickly ran the Digicert “Certificate Tester” tool, which I had written about in my previous article. Digicert threw an error as well, but this time it was much more clear as to which certificate was causing the issue. The error was “the server is not sending all required intermediate certificates”.
The problem is that the certificate doesn’t include all required certificates (root and intermediate) in its chain. There are two ways to solve this issue. If you used the “Export Certificate” option on your CAS server and imported the result into TMG, it is likely that the export doesn’t contain all the required certificates. To rectify the issue, export the certificate from the “Certificates snap-in (Local Computer)” instead, selecting the option “Include all certificates in the certification path, if possible”.
Another, easier fix is to use the DigiCertUtil tool, which I had written about in my previous article. When you run the tool, it lists all certificates available on your machine. Click on the “Repair” button to fix the certificate chain.
An important point to note is that you HAVE to restart the server for the changes to take effect. Even though you see the full certificate chain in the certificate after the repair, the server has to be restarted.
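
To confirm that a PFX exported as described above really contains the full certification path before importing it into TMG, the following PowerShell function walks the chain using only the certificates inside the file. This is an added example, not part of the original article; the function name `Test-PfxChain` and the file path in the usage comment are hypothetical.

```powershell
# Added example (not from the original article): list the certification path
# stored in a PFX and flag the first issuer that is missing from the file.
function Test-PfxChain {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][System.Security.SecureString]$Password
    )

    # X509Certificate2Collection.Import expects a plain string password.
    $plain  = (New-Object System.Net.NetworkCredential('', $Password)).Password
    $bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $bundle.Import((Resolve-Path $Path).ProviderPath, $plain, 'DefaultKeySet')

    # The server certificate is the one that carries the private key.
    $current = $bundle | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
    if (-not $current) { throw "No certificate with a private key found in $Path" }

    # Walk issuer by issuer, matching on distinguished name.
    # A self-signed certificate (the root) ends the path; the depth limit
    # guards against cross-signed loops.
    for ($depth = 0; $depth -lt 10; $depth++) {
        $selfSigned = $current.Subject -eq $current.Issuer
        $issuer = $null
        if (-not $selfSigned) {
            $issuer = $bundle | Where-Object { $_.Subject -eq $current.Issuer } |
                Select-Object -First 1
        }
        New-Object PSObject -Property @{
            Depth       = $depth
            Subject     = $current.Subject
            Issuer      = $current.Issuer
            IsRoot      = $selfSigned
            IssuerInPfx = $selfSigned -or ($null -ne $issuer)
        }
        if ($selfSigned -or -not $issuer) { break }
        $current = $issuer
    }
}

# Usage (the path is hypothetical):
# Test-PfxChain -Path .\mail-export.pfx -Password (Read-Host 'PFX password' -AsSecureString) |
#     Format-Table Depth, Subject, IssuerInPfx -AutoSize
```

A row with `IssuerInPfx` set to `False` means the export stopped short of that issuer, which is the gap the “Include all certificates in the certification path, if possible” option is meant to close.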