Certificate Chain is Invalid / Problem Deploying Lync Server



Sometimes While Deploying Microsoft Lync Server, when it comes to Requesting and Assigning Certificate for the Lync Services It will fail with the following Error (Although it should not fail because your Internal CA root certificate should be installed automatically once the server is joined to the domain):


A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. (Exception from HRESULT: 0x800B0109)


To solve this Error you will need to Download the Certificate chain from your Certificate Authority , and install it in the Lync FE .

How To Do That Step – by – Step :

  • Open An Internet Explorer at the Lync FE server ( the One You Are Running the Installation Wizard on it).
  • Write the URL of the Certificate Authority Server e.g. ( Http://ca.contoso.com/contoso-ca)
  • Click on “Download a CA Certificate, Certificate Chain, or CRL”

  • In the next Page click on “Download  CA Certificate Chain”


  • Click Save and save the Cert. to the Desktop.
  • now you will need to import, Click Start, Run and type MMC.
  • Press Ctrl+M
  • From the Left Menu Double Click “Certificates”
  • From the Certificate Snap-in Window, Select “Computer Account” and Click Finish
  • Click Ok
  • Now Expand the Certificates Menu and double Click “Trusted Root Certificate Authorities”
  • Right Click Certificates >> All Tasks >> Import


  • In the Import Certificate Wizard Welcome Page Click Next


  • Browse to the Desktop and select the downloaded Certificate ( make sure that file Type is All Files)
  • Click Next
  • Click Next
  • Click Finish

By this You had imported the Certificate and try now to re-request the certificate for Lync Services in the Deployment Wizard and it will NOT fail .


if these Steps weren’t Clear Enough for you , please use the Following Link

Click Here

Author: Lyncdude

A Senior Service Engineer with more than 9 years of experience in Microsoft Exchange and Microsoft Lync Server / Skype for Business. Egyptian guy lives and works in Frankfurt - Germany. what is written in this blog is my own opinion and thoughts, not my employer and does not reflect their opinion

One thought on “Certificate Chain is Invalid / Problem Deploying Lync Server”

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: