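Windows 2012 certificate trust problems, especially when installing Skype for Business 2015: the affected features are whiteboard and polls, and PPT cannot be shared
Windows 2012 introduced stricter certificate store validation. According to KB 2795828: Lync Server 2013 Front-End service cannot start in Windows Server 2012, the Trusted Root Certification Authorities (i.e. Root) store may contain only self-signed certificates. If that store contains non-self-signed certificates, client certificate authentication under IIS returns a 403.16 error code.
To resolve this problem, you must remove all non-self-signed certificates from the Root store. This PowerShell command identifies the non-self-signed certificates: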
Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject}
In my case, we moved these non-self-signed certificates into the Intermediate Certification Authorities (i.e. CA) store:
Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Move-Item -Destination Cert:\LocalMachine\CA
According to KB 2801679: SSL/TLS communication problems after you install KB 931125, you may also have too many trusted certificates.
[T]he maximum size of the trusted certificate authorities list that the Schannel security package supports is 16 kilobytes (KB). Having a large amount of Third-party Root Certification Authorities will go over the 16k limit, and you will experience TLS/SSL communication problems.
The solution in this case is to delete any certification authority certificates that you do not trust, or to stop sending the list of trusted certification authorities by setting the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\@SendTrustedIssuerList registry entry to 0 (the default, if the entry does not exist, is 1).
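An added example (not from the original post) that wraps the steps above in a review-first workflow: it lists the non-self-signed certificates in the Root store, and only with -Apply exports each one to a backup file before moving it to the CA store; it also reports the current SendTrustedIssuerList value. The function name Repair-RootStore and the backup path C:\CertBackup are assumptions for illustration.

```powershell
# Added example: audit, back up, then (optionally) move non-self-signed
# certificates out of the LocalMachine Root store. Run from an elevated prompt.
# The function name and the $BackupDir default are assumptions for illustration.
function Repair-RootStore {
    [CmdletBinding()]
    param(
        [string]$BackupDir = 'C:\CertBackup',   # hypothetical backup folder
        [switch]$Apply                          # without -Apply nothing is changed
    )

    # Same filter as the command on this page: Issuer differs from Subject.
    $misplaced = @(Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Issuer -ne $_.Subject })

    # Show what was found so the change can be reviewed before it is made.
    $misplaced | Format-Table Thumbprint, NotAfter, Subject, Issuer -AutoSize | Out-Host

    $moved = 0
    if ($Apply -and $misplaced.Count -gt 0) {
        if (-not (Test-Path $BackupDir)) {
            New-Item -ItemType Directory -Path $BackupDir | Out-Null
        }
        foreach ($cert in $misplaced) {
            # Keep a DER-encoded copy of each certificate before touching the store.
            $file = Join-Path $BackupDir ($cert.Thumbprint + '.cer')
            Export-Certificate -Cert $cert -FilePath $file | Out-Null
            Move-Item -LiteralPath $cert.PSPath -Destination Cert:\LocalMachine\CA
            $moved++
        }
    }

    # Read the Schannel value discussed in KB 2801679 (absent means not configured).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
    $val = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).SendTrustedIssuerList

    [pscustomobject]@{
        NonSelfSignedInRoot   = $misplaced.Count
        Moved                 = $moved
        SendTrustedIssuerList = if ($null -eq $val) { 'not set' } else { $val }
    }
}

Repair-RootStore            # dry run: list and report only
# Repair-RootStore -Apply   # back up to $BackupDir, then move to the CA store
```

After an -Apply run, a second dry run should report NonSelfSignedInRoot as 0; the .cer files in the backup folder allow any certificate to be re-imported if it was moved by mistake.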