Recently we had to renew the Root CA Certificate on a domain controller ( SBS ) due to it expiring. We then renewed our Webserver Certificates around this so they would have a longer renewal date.

Some users in the morning on login when trying to open webpages where getting the error

This certificate cannot be verified up to a trusted certification authority

The certificate should be downloaded every 8 hours to clients on the domains, but you can force this sync using

certutil -pulse