
Certificate Authority Subordinate MiTMs Their Network

Q: Certificate Authority Subordinate MiTMs Their Network

CNNIC, a certificate authority for the Chinese Government, issued a trusted subordinate (intermediary) certificate to MCS Holdings. This allowed MCS Holdings to issue and use an SSL/TLS certificate for any website, but it was expected it would only be used on websites they owned. Instead, it was used internally (and stored in plaintext) to perform a man-in-the-middle attack against all traffic within their company.
 

 
On Friday, March 20th, we became aware of unauthorized digital certificates for several Google domains. The certificates were issued by an intermediate certificate authority apparently held by a company called MCS Holdings. This intermediate certificate was issued by CNNIC. 
CNNIC is included in all major root stores and so the misissued certificates would be trusted by almost all browsers and operating systems. Chrome on Windows, OS X, and Linux, ChromeOS, and Firefox 33 and greater would have rejected these certificates because of public-key pinning, although misissued certificates for other sites likely exist.
We promptly alerted CNNIC and other major browsers about the incident, and we blocked the MCS Holdings certificate in Chrome with a CRLSet push. CNNIC responded on the 22nd to explain that they had contracted with MCS Holdings on the basis that MCS would only issue certificates for domains that they had registered. However, rather than keep the private key in a suitable HSM, MCS installed it in a man-in-the-middle proxy. These devices intercept secure connections by masquerading as the intended destination and are sometimes used by companies to intercept their employees’ secure traffic for monitoring or legal reasons. The employees’ computers normally have to be configured to trust a proxy for it to be able to do this. However, in this case, the presumed proxy was given the full authority of a public CA, which is a serious breach of the CA system. This situation is similar to a failure by ANSSI in 2013.
This explanation is congruent with the facts. However, CNNIC still delegated their substantial authority to an organization that was not fit to hold it. 
Chrome users do not need to take any action to be protected by the CRLSet updates. We have no indication of abuse and we are not suggesting that people change passwords or take other action. At this time we are considering what further actions are appropriate.
 

 
http://googleonlinesecurity.blogspot.com/2015/03/maintaining-digital-certificate-security.html

Read other answers
RELEVANCY SCORE 82.8

Hello,

I am trying to resolve an issue where multiple client computers in the organisation are using an internally deployed Root CA certificate (before my time and no longer required) to sign the end entity certificate for external websites, google.co.uk for example. All SSL sites appeared to be affected by this.




However this is not the case as sub domains of sites with issues show the correct cert chain, the below is for mail.google.com




Removing or untrusting this root ca cert breaks access to these sites.

I have reset root certs in various ways, removed machines from the domain, applied no GPOs, manually updated CRL and pulled down updated certs with rootsupd.exe.
It always attempts to use this rogue CA cert to sign the websites cert.

Any assistance would be much appreciated.

Read other answers
RELEVANCY SCORE 82

Hi,
I am trying to install CA root certificate on Windows 7, IE 9.
Encounter error: "Untrusted Certificate".  "This certificate cannot be verified up to a trusted certificate authority."
I have tried to install the certificate to Trusted Root Certificate Authorities->local computer and import was successful. BUT on IE->Internet Options->Certificate->Trusted Root Certificate Authorities, I am unable to find this root CA on the list.
On mmc->Certificates->Trusted Root Certificate Authorities->certificates, I am able to view this root CA.
I then restarted the IE and view the ssl site again but failed too, "Untrusted Certificate".
Anyone, any idea ?
Regards,
Eye Gee

A:Unable to Install Root CA Certificate - Certificate cannot be verified up to a trusted certificate authority.

May the following workarounds work for you:
Workaround 1:
Modify the Windows settings to allow the Update Root Certificate feature to update the root certificates automatically. For details, see the following Microsoft TechNet article:
Certificate Support and Resulting Internet Communication in Windows Server 2008
http://technet.microsoft.com/en-us/library/cc771121(WS.10).aspx
Workaround 2:
If the Update Root Certificate feature cannot automatically update the root certificates, you may contact the website vendor to see if there is a hotfix that can fix the issue.

Read other 8 answers
RELEVANCY SCORE 74.4

I have Windows 7 client and Cisco router is configured as Certificate Authority. Cisco calls it IOS CA. How can I do certificate enrollment of Windows 7 client with my Cisco IOS Certificate Authority?

Read other answers
RELEVANCY SCORE 74.4

We have local Certificate Authority server Windows 2012 R2. There is a code signing certificate that was issued by the local CA and is expiring in 3 weeks. How can we renew the certificate?



Thanks

Read other answers
RELEVANCY SCORE 65.2

Hi all !

Could somebody please help me out and explain following 4 questions

-> What is the main difference between a self-sign certification implementation and a PKI?
-> What is the difference in the trust model between X500 certificates and openPGP keys?
-> What is the main difference between file encryption and rights management?
-> What are the steps followed within an RM Solution, when a file is protected and an authorized user attempts access?

Would be really nice to have a short explanation, not like the one I have myself of a full A4 page

Thanks to all in advance
 

A:Certificate authority questions

Sorry but we don't do homework so for that reason, together with the fact that you've posted this on at least two other sites, I'm closing this thread.
 

Read other 1 answers
RELEVANCY SCORE 63.2

Hello!

I have enterprise Certificate authority working at Windows Server 2008r2. All today available updates from Microsoft are installed on the server. 

Through the web interface in the browser IE11 it is impossible to request a user certificate - when you press the "submit" button for the certificate request, nothing happens.

On another PC with IE9 all works fine - I can submit the request and receive a certificate from the CA.

I installed all available updates for Windows and IE11, but it did not resolve the problem. I tried to add the CA to Trusted Sites and to set IE11 security settings to the minimal level - it does not help.

I found an article which describes this problem https://support.microsoft.com/en-us/kb/2988411 , but I have all necessary updates installed on IE11, including those referred to in the article.

How to solve this problem? Please do not offer using the console to request the certificate; I must be able to request it via the web interface.

Read other answers
RELEVANCY SCORE 63.2

Researcher Exposes Flaws in Certificate Authority Web Applications.

SSL certificate validation process easy "to game," he says

-- Tom
 

Read other answers
RELEVANCY SCORE 51.2

When I go to start>run>services.msc, I click on some of the items 'log on'. Most are under 'local' but about ten of them are listed under 'NT AUTHORITY\network services'. They look to be password protected.

I don't have a clue what this means. Could this have happened when a D Link Router was installed? Can the settings be changed to 'local' like the rest? We couldn't get the router to work so we gave up.

I have only one account running under administrator.

XP home sp2

A:NT AUTHORITY\network service

Which are NT AUTHORITY?

Read other 1 answers
RELEVANCY SCORE 50.4

Hey there, I was cleaning a friend's XP Pro SP3 PC and viewed the hidden files in the documents & settings to find out that there are multiple duplicates of LocalService.NT AUTHORITY and NetworkService.NT AUTHORITY (about 4 of each). I have looked in the registry under HKLM\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ProfileList and found that LocalService.NT AUTHORITY.003 and NetworkService.NT AUTHORITY.003 are currently being used. Based on that, how should I go about deleting the other duplicates or is that a bad idea? Hope this isn't too confusing. This user currently connects to a domain for work and has only one user profile on the PC besides the admin account.

Read other answers
RELEVANCY SCORE 47.2

Hi guys,

I'm having a problem connecting my windows phone to an enterprise wifi network. The network uses peap protocol. As windows phones don't bypass certificate validation, I'm not able to connect to that network. The only solution for me is to get the certificate that the server uses and install it on my phone.

My question is : How to find the certificate which my college network uses by connecting it to my laptop? Some said that ticking mark beside 'Validate server certificate' gives success but unfortunately my laptop is not connecting if I'm removing the tick mark.

So is there any way to find the certificate which my college wifi network uses?

PS : I can't contact the IT department for this for some reasons so, any answers other than this are greatly appreciated.
 

A:How to get the certificate of a wireless network?

Sorry, but you're going to have to contact the IT department.
 

Read other 2 answers
RELEVANCY SCORE 47.2

I have a wireless access point (Netgear) which until recently I have been able to access by typing its IP address. Now I am receiving (with IE Safari Chrome and FF) an error message "There is a problem with this website's security certificate."
I have loaded the snap in and selected "computer" and entered the IP address of the device but that is as far as I get. It doesn't appear to be able to read the certificate store on the device although I can see the certificate on one browser (in IE) but see no way to refresh it which is why I tried the snap-on. Maybe the issue is with the modern browsers? As I am not accessing an exterior site I think I ought to be able to insert an exception but I have not so far been able to find anywhere. I have tried in Internet Options Security and added both http://nnn.nnn.nnn and https://nnn.nnn.nnn but that has no effect. Any ideas, suggestions, guidance please? Thanks jean

Read other answers
RELEVANCY SCORE 46.8

I have taken under consideration the possibility of biased opinions on this matter, but I still want to know people's ideas on the best and most comprehensive online course, for the certificated network security class. I am generally new to Network Security, which is why I am looking for the best beginning course to network security. I have yet to implement the Linux OS system, or any network security software. I know, what a surprise. However I am looking for an online certificate class that will help me to first understand what kind of UNIX/Linux OS system would be best suited for, and which type of software programs I would need for a generalized best defense for computer networks.

Like I have said beforehand, I am rather new to the whole network security systems programs and general network security anything. I am looking into taking an online course due to the fact my wife is active duty military. I have the privilege of staying at home and taking care of my son, soon to be 2 sons. I need a beginners type course that will help me to understand network securities, as well as the computer language, possibly even scripting.

If anyone has a favorite type of online college or favorite certified website that issues an online certificate, please feel free to reply to this post. I would very much like any class referenced to beginning network security. I am well known around my friend circles to be quite a great google researcher, however I have found so many different courses t... Read more

A:Best online course for Network Security Certificate

Hi bulletbikeskye69,

Have a look at the thread I posted in the Tips and Tricks forum:
Tip: Want to become a networking security analyst?.

Hint: start first by reading post #7 in that thread, and you might be able to lookup things like protocols, e.g. TCP in Wikipedia here - Note: the other protocols in the right-hand panel, particularly to which layer each protocol belongs.

Note: The link in post #7 is not stale. It requires you to visit the homepage of SANS:
http://isc.sans.org , then click on the presentations link at the top, then click on the link to the so-named article, First Things First. An Introduction to Network Security, under Older Presentations on that web page - then and only then can you get to the article in that way.

-- Tom
 

Read other 1 answers
RELEVANCY SCORE 46.8

Hi, I have been trying now for the best part of about 3 days to get this blasted thing working.

I am trying to set up a network location, but when I add in my web address it pops up with a "Select Certificate" box. There's nothing there to choose (it's blank) and the OK button is greyed out. Now there are NO results in Google when I try to find a cure for this problem, so I think this is the first time anyone has ever had this problem.

I have tried using blutgrey (a program to un-grey buttons) but it crashes, and I have had a look at modifying the registry but I'm not sure what I'm doing.

How do I force add certificates so I can continue my work?
 

A:Add Network location (but certificate box is blank!)

Read other 12 answers
RELEVANCY SCORE 46.8

I'm looking for help and tips on setting up an NPS for wireless authentication with a certificate. I tried implementing this once and the CA got applied to all services that relied on certificates and it was very disruptive. 
Is it better to use a self signed cert or how do I prevent the CA from affecting other services that rely on their own certificates. 
I would appreciate any feedback on this?

Thanks

Read other answers
RELEVANCY SCORE 46.8

I received the following error message: "Windows unable to find a certificate to log you onto the network <NetworkName>"

I am attempting to get an aunt's laptop connected to my network to troubleshoot a few problems with it and when attempting to connect to my home network I received the above error. In the network list I see my network just fine but its saying "Validating identity" next to the network name.

Her laptop:

HP Pavilion dv6000
Windows XP

I have already updated the wireless driver for the laptop, at first thinking that was the problem. My router (Netgear WNR 3500) does have encryption on (WPA2-PSK) and I'm seeing that the only option for encryption in the Windows Network setup is WPA-PSK. Could this be the issue?

If not, any thoughts on what the issue is and how to resolve?
 

A:Unable to find certificate to log onto network?

Since I have to guess, I think you are attempting to attempt to a LAN through a wireless access point. Sounds more like you have it set to use a RADIUS server for authentication, rather than Pre Shared Key.

If your only encryption option available is WPA-PSK, then that is what you should use. Not WPA2, but WPA.

If this does not help, you will need to disclose the physical setup of your network.
 

Read other 1 answers
RELEVANCY SCORE 46.8

Hey,

I currently connect to our office server by way of an installed certificate onto my PC and then using a VPN which is first established before I can map a shared drive and work with the files stored there.

Is there an easier way of doing this? Ideally looking for a way of keeping the shortcut on my desktop and having the ability to drop and drag files between the two without having to connect and then disconnect a VPN.

This possible at all?

Cheers

A:Mapping a network drive using certificate but not a VPN - possible?

The only way to use a certificate, is if you are using a Domain. VPN is for remote file servers, not in house. If this is an issue with a remote share, then the troubleshooting needs to be done there, not at the other end.

Read other 0 answers
RELEVANCY SCORE 46

Dear All

I am using an HP 520 notebook with Win XP. When I try to connect to Wi-Fi, the message flashes "Windows was unable to find a certificate to log you on the network". I want to get rid of the problem.

I tried the following:
In the Authentication tab, I tried to uncheck "Enable IEEE 802.1x" but it is already disabled and also the box is disabled.

A:Windows was unable to find a certificate to log you on the network

Quote:
Your wireless router is not set up for certificate security.

Quote:
That's caused by improperly setting the encryption on the Router to WPA-RADIUS instead of WPA-PSK on the client. The router and the client are both trying to find a RADIUS server with which to authenticate. Since you don't have one, it complains using Microsoft technobabble. Change the encryption to WPA-PSK (pre-shared key) on both ends.

Read other 1 answers
RELEVANCY SCORE 46

I recently bought two Belkin F5D7320 (v8000, latest firmware) Wireless G routers, and I'm having a very strange problem. I set one up to use WPA-PSK. Using my laptop (running XP Pro SP2), I find the SSID (using the Windows wireless utility), then I double-click on the network. I enter in my WPA key, just like I always would, and it goes through the process of acquiring a network address and all of that, but as it's doing that, I get a bubble alert in the system tray which says "Windows was unable to find a certificate to log you on to the network (SSID)."

The connection seems to still work, though; just I get this message. I have tried a few different laptops, and they get the same message. I have other wireless routers secured with WPA, and I have never gotten that message before using the new Belkin. Out of curiosity, I opened up the second identical Belkin router, applied the same WPA settings, and it seemed to do the exact same thing.

I seriously doubt it's a laptop issue, as I have used the same procedure that I have used countless times to connect to WPA-secured networks, and I have also tried this on a few different laptops, with the same result.

I searched for this message, and people almost immediately suggest that it means either the router or computer are configured to use a Radius server. Well, neither are, as far as I can tell. In fact, here are the settings for my router:

Security Mode: WPA/WPA2-Personal(PSK)
Au... Read more

A:Windows was unable to find a certificate to log you on to the network

Each WiFi adaptor has its own setup utility, e.g. my Toshiba came with an Atheros AR5005gs onboard chip and the OEM installed its own connection wizard.

Lots of people have used the MS wireless wizard, but perhaps you need to try the OEM version.
 

Read other 5 answers
RELEVANCY SCORE 46

I tried to change my network settings from WPA2 to WEP last night and like an ***** I screwed it up. I only wanted to change it over temporarily so I could access the wireless network with another device that isn't compatible with WPA2. I ended up having to restore the Linksys router to its default settings. I then tried to recreate the settings it had before with WPA2 before I messed it up. It was on WPA2-Personal, AES, and I changed the network SSID and passwords back from default. Very basic. I didn't set the router up myself originally, though, so there must be something I'm missing.

I am able to connect via Ethernet cable, but when I try going wireless (on both Windows laptops, one XP and one Vista) I get a message saying "Windows was unable to find a certificate to log you on to the network [my SSID]". Most of the searches I ran on Google had people suggesting that I uncheck "Enable IEEE 802.1x authentication" in the laptop's wireless Authentication settings, but that is already unchecked.

Besides, shouldn't the fix have to do with something in the router settings since the wireless was working before I mucked around with the router? The laptop settings remain unchanged from the when wireless used to work so they should be okay, right?

I also tried setting the router up using Wi-Fi Protected Setup, but after the bar loads to the end it says it was unable to connect. Anyone have any suggestions? Or need more info that... Read more

Read other answers
RELEVANCY SCORE 46

gaaaaaaaahlkjdrfzvicfjvbljzcbhjxgfdhsjhzbcxjhzgvchjknvb,c
let me just get that out,

My computer was recently ravaged with viruses and I had to reformat.
I reformatted.
Now whenever I try to connect it says unable to find a certificate to log you on to your network.

I'm using XP and a Belkin router.
All other computers on the network work fine....

I've been reading up and the only solution I can find is "Click on the Authentication tab and now uncheck the Enable IEEE 802.1x authentication for this network box."
This option is greyed out on my computer and I can't click it.
I have the WZC on, set on a WPA-PSK.
I've tried it on both AES and TKIP and still get the same message.
Any more "AMAZING QUICK FIXES"?

A:"unable to find you certificate to logon to the network"

System manufacturer and model?

Wireless adapter manufacturer and model?

Louis

Read other 2 answers
RELEVANCY SCORE 46

Sorry for the inconvenience, about 3 days to the date this message is appearing to me, usually when visiting microsoft sites.



This happens to me both with version 10 of ESS and Kaspersky. But it does not happen with other antivirus and version 8 of ESET Smart.

It happens in Chrome and occasionally with Internet explorer 9.

Please, I am very worried about this behavior, which had never been presented to me before.

Read other answers
RELEVANCY SCORE 45.6

I've just set up a wireless network at my place. There's 5 of us using the wifi network. So far I've gotten 4 of the laptops connected, up and running. The original computer I used to set up the network keeps showing the above error message. This message showed up in the other computers as well due to a problem with the WEP password, which has been resolved.
I have tried setting the configuration to open as well as shared but this message still keeps popping up and it cannot connect to the internet via wireless (although it works perfectly by cable). Any help?
The laptop is an Acer Aspire 5572nwxci model running on Windows XP. The router used is a D-Link DIR-615 wireless N router.
 

A:Windows unable to find certificate to log onto wireless network

If this remains unresolved, here is the bump. If solved by you, share your solution with others.

Having 4 other laptops to inspect for differences in the wireless configuration properties, you may have stumbled upon an obscure setting.

The router may impose limits on the number of wireless clients connected.
 

Read other 3 answers
RELEVANCY SCORE 45.2

(I'm cross posting this from
https://answers.microsoft.com/en-us/ie/forum/ie11-windows_7/a-certificate-chain-processed-but-terminated-in-a/e6895c7e-c6b9-4a96-a5f5-a4dcd40b7b45 as directed by the forum moderator there.)
Hello,

First, I have reviewed the other posts with similar questions and noted that I can install the certificate into root certificates and most likely this problem will go away, some specifics:

1) When a client reported this error using a pop.secureserver.net on an Outlook 2003 client, I just figured it was GoDaddy or the REALLY old Outlook client, but nonetheless, I went in to troubleshoot it and was convinced it was GoDaddy, but when I tried to start my Outlook 2016 client on my Windows 10 computer on their network, I got the same error. Two notes are important: 1) I use GoDaddy as well and 2) I used the same computer at a different client just yesterday without a single error message.
2) They use POP 995 w/ SSL & SMTP 465 w/ SSL to pop.secureserver.net & smtpout.secureserver.net respectively
3) I called the company that manages their firewall and was told that everything was fine, but was sent a certificate from the firewall that might fix the problem.
4) The firewall company tells me they use a Fortinet firewall

I have some questions that I'm hoping one of the experts here can answer for me:

- What in a firewall setup can cause a certificate to fail as listed in the subject?
- Is there a port or configuration change they... Read more

Read other answers
RELEVANCY SCORE 45.2

Is there a rvkroots.exe available for download for the mentioned KB so that I can remediate a Nessus finding?
We are on a disconnected network so windows update is disabled in our network.
In the past we are able to just download rvkroots.exe and push it out to all our Win7 computers.

Read other answers
RELEVANCY SCORE 45.2

So what's up with this error message??
Revocation information for the security certificate for this site is not available. Do you want to proceed? [Yes] [No] [View certificate]

I know it can be unchecked in the security option under advanced, but is that really safe to do???

Thx


Steven J Einhorn

Read other answers
RELEVANCY SCORE 45.2

I have some Windows 7 systems which have not run Windows Updates for many years, and cannot due to regulatory reasons. We rely upon Windows to automatically update the Trusted Root Certificate store whenever we browse to a web site/web service that uses a certificate the system doesn't recognize.
Sometime recently, the Trusted Root Certificate Store no longer updates automatically. The Windows Event Log shows an error stating that the certificates cannot be downloaded from:
http : // ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
If we browse to this location manually, the cab file contains an invalid Microsoft certificate.

This was also an issue in Sept 2018. At that time, the certificate had expired, and Microsoft eventually updated the certificate to resolve the issue. This time, the certificate does not appear to have expired. Why is the certificate invalid this time, and can Microsoft fix it again?

Thanks

Read other answers
RELEVANCY SCORE 45.2

Hello,
I have 2 business laptops, one has XP, and my new one uses Vista Business. I am able to map a network drive on my XP machine, however when I try to do the same on the Vista laptop, it brings up a box that says "Select Certificate." This box is empty so there is nothing for me to select.

I cannot figure out how mapping drives (to a 2k3 server) would require a certificate on the Vista box. I tried using the straight IP address instead of using the DNS name, but I receive the same result. I have searched the Web and haven't found any insight on this problem. If anyone has any ideas, that would be very helpful. Thank you!

Read other answers
RELEVANCY SCORE 44.8

NSE 1 is the entry level designation of the Fortinet Network Security Expert (NSE) program. It is intended to provide a basic understanding of the threat landscape facing networks today.

NSE 1 is available for anyone wishing to learn about the threat landscape and network security. It also provides the foundation for learning about the Fortinet solutions in NSE 2. Fortinet Sales and pre-sales associates and those of Fortinet Partners, are required to complete this step in order to progress to the next level of the program.
Module 1: The Bad Actors
Module 2: CIO Perspectives
Module 3: CISO Perspectives
Module 4: CFO Perspectives
Module 5: Personal Security Awareness
NSE 1 includes study materials and assessments for each module via the Fortinet NSE Institute (NSEI), including:
Current FortiGuard Labs Threat Landscape Report
Threat Landscape Video
Assessment exams
-------------------------------

Although this has been out there a few months, most of us didn't know about it. Take the program, now consisting of 5 modules (it's very short), and earn your Level 1 certificate.

Fortinet NSE Institute

NSE 2 and 3 are not allowed if you're not related to Fortinet and the rest are paid.
 

Read other answers
RELEVANCY SCORE 44.8

Hi guys,
I just got back from vacation and suddenly can't connect to my Wifi network at home with my netbook anymore. It says validating identity but never connects. When I try to repair the connection, it keeps authenticating and then says that windows is unable to find a certificate to log me on to the network. I did some googling and it was suggested to uncheck the Enable IEEE 802.1x authentication for this network box under the Authentication tab in Wireless Network properties. I tried that but then I get an error message saying "The network password needs to be 40bits or 104bits depending on your network configuration".
I have no idea what to do or what the problem is. My other laptop, from which I have set up this network, works fine. My phone seems to work fine, too. I already restarted the router and my netbook but that didn't help either.
I would appreciate some help!
Thanks
 

A:Solved: can't connect to home network- windows unable to find certificate?

fixed it
 

Read other 1 answers
RELEVANCY SCORE 44.4

Can someone walk me through the steps of having Advanced Threat Analytics (ATA) request a new certificate from Active Directory Certificate Services (ADCS)? I'm not familiar with either product so I will need detailed steps please. At a high level I'm guessing:
1. ATA issues a certificate request
2. I send the request to ADCS
3. ADCS issues a cert for that request
4. Install new cert in ATA
I'll need detailed command line statements. My ATA Center server is named ATASERVER.DOMAIN.ORG, but the URL is configured as ATACENTER.DOMAIN.ORG in ATA. Can the cert handle both the servername and the URL?
Thank you in advance!

Read other answers
RELEVANCY SCORE 44.4

Hi,

Really confusing one here. Since this weekend (16/17 July) we have started getting Certificate errors on some sites and applications. This seems to be due to the structure of the URL compared to the "advertised" name IIS is presenting. I'll try to explain.
I have a site, Website. This is in my domain, domain.com. Therefore the FQDN is website.domain.com. IIS is running and I can access this site through FQDN, NetBIOS or IP address. Good news.
I create a certificate for the server using the FQDN as the subject, I add the NetBIOS and IP addresses in the Subject Alternate Names and bind this to port 443 on the server.
I browse to https://website and all is good. I browse to https://website.domain.com and I get a certificate error. Checking the certificate, everything is fine, no errors, chain is trusted. Open Chrome and do the same, I get that the certificate website.domain.com is being presented by Website and may not be the site I want.
Using either URL has never been a problem until this weekend, but it seems that IE/Windows/IIS is not liking any URL that is not EXACTLY what IIS is presenting. So my questions are:
Is anyone else finding this?
Can we issue a certificate that covers all possible DNS resolutions for a site?
How do I control WHAT IIS advertises itself as?
So far this has affected two major systems on our network and I can see that more will arise, so any help would be appreciated.

Read other answers
RELEVANCY SCORE 44.4

Hiya

This update addresses the "Certificate Renewal Wizard Concatenates Certificate" issue in Internet Information Services (IIS) 5.0, and is discussed in Microsoft Knowledge Base (KB) Article Q325827. Download now to correct this issue for IIS 5.0

System Requirements
Supported Operating Systems: Windows 2000

Internet Information Services 5.0
Windows 2000 Professional
Windows 2000 Server
Windows 2000 Advanced Server

http://www.microsoft.com/downloads/...43-c72f-4652-b912-065ee2a83c02&DisplayLang=en

Regards

eddie
 

RELEVANCY SCORE 44.4

In Internet Explorer, when I get a certificate error, if I continue to the web site, I can then view the certificate to see what was wrong. However, obviously it would be preferable* to see the certificate before I make the decision to go to the site. Is this possible? I'm sure I could use another browser that does this, or maybe use the F12 developer tools, or write a program. But I'm looking for a normal-user way to do it. I think it used to be possible in Internet Explorer, but this might have been 6.x or even earlier. Or even way earlier. Yep. I'm that old. I believe this feature is not in Edge either...unless I'm just missing it. But I'm using IE11 right now.
*understatement level is set to "high".

RELEVANCY SCORE 43.6

Good Day



We have a problem where we encrypted files using EFS, however we can't access or decrypt these files now.

We have the certificate in the certmgr.msc but we do see that the key is missing.



I have reproduced this on another computer and was able to run certutil -repairstore -user MY "Serial Number", which worked in repairing the store, and the files were decryptable again.

However on the machine that encrypted the files that we need to access this is not the case as there is a popup asking for your Smart Card.

We are not using Smart Cards at all, and have had a look at the following article regarding this issue, but the hotfix didn't work: https://support.microsoft.com/en-us/kb/2955631




I have software that can remove the encryption but will require the .pfx file, which can't be exported as the certstore doesn't show that it still has this.



It is a self-signed certificate generated by Windows, so I can't request a new one using the CA.


Thanks for your help in advance.

RELEVANCY SCORE 43.6

Hi,
Having some fun with a Windows 7 setup of DirectAccess. We have it configured to use ECC certificates on the client for the IPSec authentication, which was working brilliantly; we even have it loaded up behind a Citrix NetScaler to do SSL offloading of the HTTPS tunnel encryption. But when trying to get Client Preauthentication working, we hit a snag: it seems that the NetScalers don't support ECC certificates, which is a pain, but something we thought we could work around by using an RSA certificate on the client to perform the pre-authentication (as shown here https://directaccess.richardhicks.com/2016/05/10/directaccess-ip-https-preauthentication-using-citrix-netscaler/).
So we have three CAs; CA1/2 issue RSA certs and CA3 is set up to do the ECC ones, so nice separation of the chains.
So we have our cert chain for RSA loaded into the load balancer and a new cert issued to the client from CA1... But every time the client connects to the server (LB) we see the handshake taking place, the server sends a list of its DNs (CA1/2) (https://blogs.msdn.microsoft.com/kaushal/2015/05/27/client-certificate-authentication/) to the client, but then the client looks in its store, picks out the ECC certificate (issued from CA3) and fails to authenticate saying no suitable certificate can be found; it's like it's not even looking at the RSA one at all.
So, thinking something was wrong with the way the LB was asking for client authentication, I tried deleting the ECC cert a... Read more

RELEVANCY SCORE 42.4

It seems that the "Microsoft Certificate Trust List Publisher" certificate (valid 01.27.2017-04.12.2018) is missing the following EKU: 'Microsoft Trust List Signing' (1.3.6.1.4.1.311.10.3.1)?!
-ExtendedKeyUsage
     -Usage
          [ oid] 1.3.6.1.4.1.311.10.3.1
          [ name] Microsoft Trust List Signing
-ErrorStatus
     [ value] 10
     [ CERT_TRUST_IS_NOT_VALID_FOR_USAGE] true
Note: KB2328240 is IMHO not permanently fixing this problem! (*curing only some derived symptoms)

RELEVANCY SCORE 42

I have a problem installing multiple digital certificates (PKF format) to allow access to one website with different account IDs.

Every time I install a certificate, it works and allows me to access the website with the relevant ID. However, the installed certificate goes missing if I go on to install another certificate. The way I install the certificate is to double-click the PKF certificate provided by the website admin, then keep clicking the Next button until the installation steps finish. All the certificates are installed to the "Personal" certificate store folder, but the problem is that only one certificate remains.

I also tried importing all the certificates using Windows certificate manager; it allows me to import all the certificates and lets me access the website by selecting a different certificate to log in with the selected account ID. However, this method only works if Internet Explorer is not closed after installing all the certificates; once Internet Explorer is closed, all the certificates are gone.

The PC with the mentioned problem is running Windows XP SP3 with the latest updates, and the Internet Explorer in use is version 8, also with the latest updates.

I have tried resetting Internet Explorer to default, but it did not work, so I would appreciate it if anyone could guide me to solve this problem.

A:PKF certificate missing after new certificate was installed

Under "Content" in Internet Options, are all your certificates there? Mine are. Either your Admin. or the issuer should have your answer. Some PKFs are not compatible with all OSs or Browsers. Try downloading certificates to Firefox or Chrome and see if that works.

RELEVANCY SCORE 42

I based my actions, amongst others, on this source: https://www.adlerweb.info/blog/tag/procurve
I am using openssl to create my own CA for my company's switches etc. and I am having trouble with a number of recent ProCurve switches.
I created a root CA (2048 bits RSA, SHA1 so as not to make things too difficult).
I created a custom TA called "netwerk" and uploaded the CA root certificate; so far so good.
Created a CSR:
crypto pki create-csr certificate-name sw1113  ta-profile netwerk usage web subject common-name sw1113 key-size 2048
The rest of the info and extensions like CDP alternative names etc. is being pushed while signing in openssl via an extensions file.
Resulting CSR processed with openssl (keeping it a simple 2048/SHA1 leaf certificate).
Signed this CSR with the aforementioned and uploaded root certificate.
Resulting PEM pasted to install the generated leaf certificate:
sw1113(config)# crypto pki install-signed-certificate
Paste the certificate here and enter:
-----BEGIN CERTIFICATE-----
MIIEGjCCAwKgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBlzELMAkGA1UEBhMCTkwx
.....
ASCspazUcVeCueTvvVLr4UPObJB1/IBHKHCwkN7nuaTHuiDD8tQzOlWaxry4MsEFGXojuFv1YtFAtlgLlwxvqndi2NysNyqcnZR1o4l0qe4eSrIlUrCyrvyieK5rdQ==
-----END CERTIFICATE-----
Certificate being installed is not signed by the TA certificate.
So, what is going on? The leaf cert is definitely signed by the root cert that was uploaded as TA cert. Would really appreciat... Read more

RELEVANCY SCORE 41.6

The option "Find Certificate" is missing when I try to edit a certificate on another computer using mmc. Could you please let me know how I can solve that? I'm sure I'm admin on the remote machine.

RELEVANCY SCORE 40.8

Running Windows XP Service Pack 3.

I set this up last night on my own wireless network and it worked fine. I have brought it to another location and I'm getting this error when attempting to log on wirelessly. Both routers are running the same type encryption with the same key.

"windows is unable to find a certificate to log you on to the network"

When the above error disappears, I see the list of available networks with the network I just attempted to connect saying "Validating Identity". That message stays there continuously and I have no throughput.

I have verified the time and date on the computer is correct. Other Windows 7 laptops at this location are working fine wirelessly.

I have tried the advice at this location with no luck.
 

A:Solved: "unable to find a certificate to log you on to the network"

RELEVANCY SCORE 40.8

I was trying to enroll as a user on a faa.gov website. I am able to access the website, but unable to complete user registration due to the following error:
SSL certificate verification error (ssl failed)

I then went to my proxy settings and added this website as a trusted website and checked the box for certification required. I returned to the website and tried again and now receiving the following message:
Network Error (tcp_error)

I am now navigating into unfamiliar territory and don't have the skills to resolve this. I need help, PLEASE!!

Windows Vista
Chrome
website: eapis.cbp.dhs.gov
 

A:ssl certificate verification error (ssl_failed) & Network Error (tcp_error)

RELEVANCY SCORE 35.6

Can anyone tell me what NT Authority\Local Service and NT Authority\Network Service are?

They have both shown up as logins on my Belarc system report and I haven't got a clue as to what they are.

Cindy

A:What is NT Authority?

From Microsoft.com

"Local Service Account
The Local Service account is a built-in account that has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard the system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null session without credentials. Be aware that the Local Service account is not supported for the SQL Server or SQL Server Agent services. The actual name of the account is "NT AUTHORITY\Local Service account"."

The Network Service is essentially the same thing but for networking aspects of your machine. The way I understand it, they are local accounts that run background processes but keep your machine more safe should something be compromised.

Hope that helps.

RELEVANCY SCORE 35.6

Hi all
I am having a problem with the "NT AUTHORITY" message popping up that was part of the Blaster virus thing. I have downloaded the fix tool from Symantec and it says it's not there. I have included a HijackThis log.


A:Nt Authority

RELEVANCY SCORE 35.6

So, there is this computer that is having issues with the NT Authority thing with the shutting down, along with other various trojans. This computer also has no antivirus and can't boot up without safe mode because it will auto shutdown. It has AVG but it's broken and uh.. won't work. I've run Ad-Aware, SmitFraudFix for the reappearing annoyances of Brave Sentry, and installed a Windows patch for the NT Authority vulnerability. But now, I still get problems. And I can't find the firewall on it.
Here's HJT log:
 

A:NT Authority ..

RELEVANCY SCORE 35.6

...stop it from rebooting my computer when I start disabling svchost?

I have NT service pack one and never upgraded to any others because the first one is giving me enough hassles. It's created docs and hidden folders on C: that Windows can't access and I have to diddle around in DOS to find them.

Which also leads me to - what is the DOS command to reveal hidden files/folders and remove the Read Only property from them?
