{"id":1257,"date":"2024-01-05T14:51:50","date_gmt":"2024-01-05T12:51:50","guid":{"rendered":"http:\/\/dety.net.ua\/?p=1257"},"modified":"2024-01-05T14:51:50","modified_gmt":"2024-01-05T12:51:50","slug":"direct-access-there-is-no-valid-certificate-to-be-used-by-ipsec-which-chains-to-the-root-intermediate-certificate-configured-to-be-used-by-ipsec-in-the-directaccess-configurationdirect-access","status":"publish","type":"post","link":"https:\/\/dety.net.ua\/?p=1257","title":{"rendered":"Direct Access + There is no valid certificate to be used by IPsec which chains to the root\/intermediate certificate configured to be used by IPsec in the DirectAccess configuration"},"content":{"rendered":"\n<p>We got the following error: <strong>There is no valid certificate to be used by IPsec which chains to the root\/intermediate certificate configured to be used by IPsec in the DirectAccess configuration<\/strong><\/p>\n\n\n\n<p>and the Dashboard shows IPsec in red.<\/p>\n\n\n\n<p>We updated the template and re-issued the certificate, but the error remained.<\/p>\n\n\n\n<p>The cause: the DA server was configured with an expired root certificate.<\/p>\n\n\n\n<p>The steps to fix it:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>PS C:\\WINDOWS\\system32> Get-ChildItem Cert:\\LocalMachine\\Root\n\n\n   PSParentPath: Microsoft.PowerShell.Security\\Certificate::LocalMachine\\Root\n\nThumbprint                                Subject\n----------                                -------\n9777...C20A  CN=company, DC=com\n\nPS C:\\WINDOWS\\system32> get-daserver\n\n\nDAInstallType               : FullInstall\nInternetInterface           : Ethernet\nInternalInterface           : Ethernet\nConnectToAddress            : da.company.com\nSslCertificate              : &#91;Subject]\n                                CN=da.akvelon.com.ua\n\n                              &#91;Issuer]\n                                CN=company, DC=com\n\n                              &#91;Serial Number]\n       
                         XXXXX\n\n                              &#91;Not Before]\n                                12\/14\/2023 8:08:49 PM\n\n                              &#91;Not After]\n                                12\/14\/2025 8:18:49 PM\n\n                              &#91;Thumbprint]\n                                B4...4EF615E\n\nGpoName                     : company.com\\DirectAccess Server Settings\nInternalIPv6Prefix          : {fd94:35d:fc3a:1::\/64}\nClientIPv6Prefix            : fd94:35d:fc3a:1000::\/64\nUserAuthentication          : UserPasswd\nComputerCertAuthentication  : Enabled\nIPsecRootCertificate        : &#91;Subject]\n                                CN=company, DC=com\n\n                              &#91;Issuer]\n                                CN=company, DC=com\n\n                              &#91;Serial Number]\n                                XXXX\n\n                              &#91;Not Before]\n                                1\/5\/2019 6:06:16 PM\n\n                              &#91;Not After]\n                                <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">1\/5\/2024 6:06:16 PM<\/mark>\n\n                              &#91;Thumbprint]\n                                FB...F2855A\n\nIntermediateRootCertificate : True\nTeredoState                 : Disabled\nIsSingleNic                 : True\nIsNatDeployed               : True\n\nPS C:\\WINDOWS\\system32> $certificate = (Get-ChildItem Cert:\\LocalMachine\\Root\\9777...C20A)\nPS C:\\WINDOWS\\system32> Set-DAServer -IPsecRootCertificate $certificate\n\nPS C:\\WINDOWS\\system32> get-daserver\n\n\nDAInstallType               : FullInstall\nInternetInterface           : Ethernet\nInternalInterface           : Ethernet\nConnectToAddress            : company.com\nSslCertificate              : &#91;Subject]\n                                CN=company.com\n\n                              &#91;Issuer]\n                      
          CN=company, DC=com\n\n                              &#91;Serial Number]\n                                XXXX\n\n                              &#91;Not Before]\n                                12\/14\/2023 8:08:49 PM\n\n                              &#91;Not After]\n                                12\/14\/2025 8:18:49 PM\n\n                              &#91;Thumbprint]\n                                B438...615E\n\nGpoName                     : company.com\\DirectAccess Server Settings\nInternalIPv6Prefix          : {fd94:35d:fc3a:1::\/64}\nClientIPv6Prefix            : fd94:35d:fc3a:1000::\/64\nUserAuthentication          : UserPasswd\nComputerCertAuthentication  : Enabled\nIPsecRootCertificate        : &#91;Subject]\n                                CN=company, DC=com\n\n                              &#91;Issuer]\n                                CN=company, DC=com\n\n                              &#91;Serial Number]\n                                XXXXX\n\n                              &#91;Not Before]\n                                1\/8\/2022 5:44:23 PM\n\n                              &#91;Not After]\n                                <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-green-cyan-color\">1\/8\/2027 5:44:23 PM<\/mark>\n\n                              &#91;Thumbprint]\n                                977...C20A\n\nIntermediateRootCertificate : False\nTeredoState                 : Disabled\nIsSingleNic                 : True\nIsNatDeployed               : True<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>We got the following error: There is no valid certificate to be used by IPsec which chains to the root\/intermediate certificate configured to be used by IPsec in the DirectAccess configuration and the Dashboard shows IPsec in red. We updated the template and re-issued the certificate, but the error remained. 
The fix: we [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12],"tags":[],"class_list":["post-1257","post","type-post","status-publish","format-standard","hentry","category-windows"],"_links":{"self":[{"href":"https:\/\/dety.net.ua\/index.php?rest_route=\/wp\/v2\/posts\/1257","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dety.net.ua\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dety.net.ua\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dety.net.ua\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dety.net.ua\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1257"}],"version-history":[{"count":1,"href":"https:\/\/dety.net.ua\/index.php?rest_route=\/wp\/v2\/posts\/1257\/revisions"}],"predecessor-version":[{"id":1258,"href":"https:\/\/dety.net.ua\/index.php?rest_route=\/wp\/v2\/posts\/1257\/revisions\/1258"}],"wp:attachment":[{"href":"https:\/\/dety.net.ua\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1257"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dety.net.ua\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1257"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dety.net.ua\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1257"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}