Error: The certificate with subject <machine FQDN> is not trusted on this machine

What are the troubleshooting steps when the Platform or MSI installer throws an error about invalid certificates?

1. The installer uses the Verify() method on certificates: https://docs.microsoft.com/en-us/dotnet/api/system.security.cryptography.x509certificates.x509certificate2.verify?view=netcore-3.1

2. To check whether this method returns True or False for the domain certificate (which decides whether the installer trusts or distrusts it), first locate the certificate's subject and thumbprint by running the following command in PowerShell:

gci Cert:\LocalMachine\My\ |? { $_.Subject -like "*your_cert_subject_FQDN*" } | select -Property Subject,Thumbprint



3. Verify the certificate by pasting the thumbprint obtained above into a new PowerShell script, then run it:

# Build the certificate chain for the certificate with the given thumbprint
$chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain
$cert = gci Cert:\LocalMachine\My\your_thumbprint
# Build() prints True when the whole chain validates, False otherwise
$chain.Build($cert)
# Print each element of the chain together with the result of Verify() on it
$chain.ChainElements |% { Write-Host "$($_.Certificate.Subject) ---- valid: $($_.Certificate.Verify())" }


4. If any of the above results returns False, the machine cannot validate the certificate chain. Possible causes include the machine having no connectivity to the CA machine, firewall rules blocking access, etc.

Additional steps:

5. In PowerShell run a command like:

# Print the status information of each chain element instead of the Verify() result
$chain.ChainElements |% { Write-Host "$($_.Certificate.Subject) ---- valid: $($_.ChainElementStatus[0].StatusInformation)" }

If the result contains "--- valid: The revocation function was unable to check revocation for the certificate."
then the problem might be related to this article.
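The following script is an added example that combines steps 2 to 5 above into one diagnostic; it is not part of the original article. It assumes the certificate lives in Cert:\LocalMachine\My and that $Subject is a placeholder for your certificate's subject FQDN. Beyond the steps above, it builds the chain twice, once with online revocation checking and once without, so that an untrusted or incomplete chain (missing root or intermediate CA certificate) can be told apart from a chain that is trusted but whose CRL/OCSP endpoints cannot be reached, and it prints the CRL and AIA URLs the revocation check needs to reach.

```powershell
# Added diagnostic example (not part of the original article).
# Assumes the certificate is in Cert:\LocalMachine\My; $Subject is a placeholder.
param(
    [string]$Subject = "your_cert_subject_FQDN"   # placeholder, replace with the real FQDN
)

$certNs = "System.Security.Cryptography.X509Certificates"

# Step 2: locate the certificate by subject
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$Subject*" } |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with subject like '*$Subject*' in LocalMachine\My" }

Write-Host "Subject    : $($cert.Subject)"
Write-Host "Thumbprint : $($cert.Thumbprint)"
Write-Host "NotAfter   : $($cert.NotAfter)"
Write-Host "Verify()   : $($cert.Verify())"   # what the installer evaluates

# Step 3: build the chain with online revocation checking, as Verify() does
$chain = New-Object -TypeName "$certNs.X509Chain"
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
$built = $chain.Build($cert)
Write-Host "Chain.Build: $built"

# Step 5: per-element status, showing which certificate in the chain fails and why
foreach ($el in $chain.ChainElements) {
    if ($el.ChainElementStatus.Count -eq 0) {
        $status = "OK"
    } else {
        $status = ($el.ChainElementStatus |
            ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join "; "
    }
    Write-Host "  $($el.Certificate.Subject) ---- $status"
}

# Aggregate status flags for the whole chain (e.g. RevocationStatusUnknown, PartialChain)
$flags = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ", "
if ($flags) { Write-Host "ChainStatus flags: $flags" }

# Second build without revocation checking: separates "chain not trusted" from
# "chain trusted but revocation endpoints unreachable" (step 4 causes)
$noRev = New-Object -TypeName "$certNs.X509Chain"
$noRev.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$builtNoRev = $noRev.Build($cert)

if (-not $built -and $builtNoRev) {
    Write-Host "Chain is trusted but revocation could not be checked:"
    Write-Host "check connectivity from this machine to the CA's CRL/OCSP endpoints and firewall rules."
} elseif (-not $builtNoRev) {
    Write-Host "Chain does not validate even without revocation checking:"
    Write-Host "check that the issuing and root CA certificates are in the Intermediate/Trusted Root stores."
}

# Where the revocation check has to go: CRL Distribution Points (OID 2.5.29.31)
# and Authority Information Access (OID 1.3.6.1.5.5.7.1.1) of the leaf certificate
foreach ($oid in "2.5.29.31", "1.3.6.1.5.5.7.1.1") {
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $oid }
    if ($ext) {
        Write-Host "$($ext.Oid.FriendlyName):"
        Write-Host $ext.Format($true)
    }
}
```

Run it from an elevated PowerShell prompt on the affected machine (the LocalMachine store requires administrative rights to read private-key-backed entries). A chain that builds with NoCheck but not with Online, together with a RevocationStatusUnknown or OfflineRevocation flag, points at the connectivity and firewall causes listed in step 4; the printed CRL and AIA URLs are the endpoints whose reachability should be tested.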