How Do I Distribute Trusted Root Certificates for Client Machines?

Q: How Do I Distribute Trusted Root Certificates for Client Machines?

We have client machines on IE11 that cannot connect to common websites using https (Facebook, Reddit etc.) because they do not have the Trusted Root Certs installed.
Until 2014 Microsoft released updates to Trusted Root Certificates via KB patches.
Since then they have advised customers to rely upon the process of Windows Update connecting to Microsoft servers to process the CTL (Certificate Trust Lists).
Question 1: Are clients sitting behind a proxy server able to download and process these lists? Our client machines clearly show that they are not able to resolve the update servers, so I assume not.
According to this article from 2014 - https://technet.microsoft.com/en-gb/library/dn265983.aspx

"The list of trusted root certificates is available as a self-extracting IEXPRESS package in the Microsoft Download Center, the Windows catalog, or by using Windows Server Update Services (WSUS). IEXPRESS packages are released at the same time as the trusted CTL."
Question 2: Where can I find that/any of those packages?? They are not easy to find, evidently I am searching for the wrong thing via Google/Bing/Windows Update Catalog
If the latter does not/no longer exists, how do we obtain new/replacement Trusted Root Certs, and how should we distribute them around our estate?

Read other answers
RELEVANCY SCORE 97.6

Sometimes I face issues with the root certificates on a newly deployed machine.
Once the fully patched image is deployed and joined to the domain -- gets all policies etc. --
somehow when I browse the internet, https://google.com or let's say https://bing.com, I get certificate errors in IE.
We use Windows 7 X64 Ent -- Fully patched
What I realized on the system where I faced this issue is that it is missing the Equifax Secure Cert Auth / Geo Trust / DigiCert Baltimore Root from the Trusted Root Certificate store.

I am not sure why this should happen on a fully patched system, and why only on some; all the machines are deployed from the same image.
Any advice on how I can get the trusted root certs -- I do not want to manually import each cert one by one.

Read other answers
RELEVANCY SCORE 96.8

Hello,

I am dealing with a big problem on multiple workstations in our company. Many Windows 7 computers and one Windows XP computer have all Root CA certificates not trusted, so I cannot import a new certificate generated by the Certification Authority in our country.

I noticed this problem recently, and after two days on Google I couldn't find a solution to this.

If I open mmc and select Certificates -> Computer -> Trusted Root Certification Authorities, I see all certs on the computer, but after I check any of them they show this in the General info about the cert:

This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store.

Or:

This root certificate appears to be trusted by the remote computer. To ensure this root certificate is valid on the remote computer, verify this root certificate on that computer.

This goes for all certs (Microsoft, Thawte, Go Daddy, GeoTrust...) and even for our certificates generated by our internal CA.

We push only Critical and Security Updates from our WSUS server. Affected computers have installed all updates.

We have a firewall and don't allow full access to the internet, but I tried to give one computer with this issue full access to the internet and rebooted a couple of times, but that didn't help.

Screenshots: http://imgur.com/a/HCGWo

Read other answers
RELEVANCY SCORE 95.6

Hi.

We have many trusted root and intermediate certificates in the cert's store by default. Where to check these lists? To exclude "not default", "maybe potentially malware" root certs.

A:Trusted Root&Intermediate system certificates. Where check the list?

You can find certs as shown in the guide here: https://www.sslshopper.com/move-or-c...ws-server.html

Read other 9 answers
RELEVANCY SCORE 94.4

http://download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/rootsupd.exe 
To the point: this link is dead, where can I alternatively download this?

Read other answers
RELEVANCY SCORE 73.2

We are experiencing this problem with a few workstations and laptops, and what we are currently doing is exporting the CA certificate from a workstation that has it in its store and importing it. The problem with this is that the certificate will eventually expire and we will have to re-import a new one again. I don't believe it is a group policy issue because other computers in the same OU are not missing the certificate.

Can anyone shed light on how to troubleshoot this or how to force (if possible) the workstation to download the CA certificate?

Thank you in advance.
Jose

Read other answers
RELEVANCY SCORE 73.2

Hello,
I've a very nasty issue with a root CA certificate that's disappearing from the trusted root authorities store. I'll shortly describe the environment:
- Two-tier PKI infrastructure with an offline, standalone root CA and a domain-joined Enterprise issuing CA (both W2012R2); root CA certificate is published in AD
- There's a parent and child domain. Issuing CA lives in parent domain (2012R2 domain & forest level)
- Employees are working on a 2012R2 RDS & Citrix XenApp 76 server in the child domain
- In the parent domain several servers are using an SSL certificate signed by the company-owned issuing CA; it's a SAN certificate
- The root CA's certificate is in the Trusted Root Certification Authorities store of all member servers in parent & child domain (so, that's also valid for the 2012R2 RDS servers)

The issue is that the certificate of the root CA that's in the trusted CA store of all RDS servers is being deleted on a regular basis (at least once a day on each RDS server). I enabled CAPI2 logging, but I couldn't find anything that makes sense. However, I'm able to reproduce this issue in a very simple way: if I start IE11 on an RDS server and browse to the IP address or NETBIOS name of a web server that hosts a site that's using a certificate from our PKI (so, it's clear that the URL isn't matching the names entered in the SAN certificate) and I click on 'Continue to this website (not recommended)', the root CA's certificate is being removed from trusted... Read more

Read other answers
RELEVANCY SCORE 70

I am working in the network security domain and I would like to know what Microsoft's stand is on the Symantec certificates.
Will they continue to be trusted in Internet Explorer? Will the websites using Symantec certificates, when accessed through IE, show some error messages? I am asking this question as I couldn't find an answer/statement from Microsoft on whether Symantec certificates will remain trusted or if the certificates would be distrusted.

Read other answers
RELEVANCY SCORE 70

Certificate authorities provide websites with a certificate for a limited time before renewal, which proves the site is safe to visit, but what if the site changes its modules after getting the certificate? There is a periodic check done by CAs to stop this, but how regular is that? And even after checking, if the website is found harmful the certificate is revoked, but the browser may not be capable of using both methods together:
- Online Certificate Status Protocol (OCSP)
- looking up the certificate in a Certificate Revocation List (CRL).
So is trusting CAs a good option?
 

A:Can certificates issued by CA's be trusted ?

I think certificates of trust are long-obsolete. The whole system is in need of a revamp, but it won't be done because it would cause mass disruption - and everyone will complain that it will cost too much money.

Can they be trusted ? - not absolutely.
 

Read other 1 answers
RELEVANCY SCORE 68.8

I'm trying to figure out a way to use command line only to automate the deletion of all trusts/certs that are listed in "Trusted Publishers -> Certificates" in order to clear the list. This would be a huge help if anyone knows how to do it. If I can wipe out all the certificates in "trusted publishers -> certificates" without listing each specific cert serial number, that may even be easier. This will be used for driver QA. We are trying to prevent oversight of WHQL warning messages when we run driver installers. Once a publisher is always trusted, this appears to be the only way to get the popup warnings reset so they come back. Being able to clear all trusts with a script would be very helpful. If we can't delete them all at once, is there a way to gather all of the cert serial numbers in trusted publishers -> certificates using certutil?

Read other answers
RELEVANCY SCORE 66.4

Yesterday I posted a question, and I didn't receive any feedback. I don't know if I didn't explain it good enough or what, but anyway, all I wanted to know was how to update my root certificates in Windows 98SE.
 

A:root certificates

Have you gone to the Microsoft Windows Update site? You can also go here and install a new root certificate, and also read all about it. https://www.verisign.com/support/site/update.html
 

Read other 1 answers
RELEVANCY SCORE 65.6

I run Win XP/Home SP 2 and I use OE 6 and Firefox 1.5. I also have installed AVG Free 7.1.375; Spybot v. 1.3; Ad-Aware SE v. 1.06r1

I recently decided to carefully examine the Internet Options I have enabled. I selected “Trusted Root Certification Authorities”:

Control Panel/Internet Options/Content/Publishers/Trusted Root Certification Authorities

and was considerably surprised. There were a large number of entries, most of which I could not identify (a smaller list with identical names appears under the “Intermediate Trusted Authorities” tab). Many were not even in English. I went through the list, clicking on each one to identify the “Certificate intended purposes.” Here is the list of purposes displayed (which I did not find helpful on identifying the source):

Secure Email, Server Authentication

Secure Email, Client Authentication, Code Signing

Secure Email, Client Authentication, Code Signing, Server Authentication

Time Stamping

Server Authentication, Client Authentication, Code Signing, Secure Email, Time Stamping

Server Authentication

Aside from a few certificates from Microsoft, most were not identifiable, not even those with the “Client Authentication” purpose. Not even clicking on the “View” button helped me identify them. I assume that some, if not all, of these certificates were stored when I connected to a site that is protected in some way and the dialog box that includes “accept for this session only” was displayed—which occurs frequently... Read more

Read other answers
RELEVANCY SCORE 65.6

Hi,
Actually, due to proxy problems, we have prohibited Windows clients from automatically updating their Trusted Root Certificates Authorities. We manage this by deploying the "Update for Root Certificates [November 2009] (KB931125)" update using WSUS.
Most of our workstations are Windows XP, and now we are working on deploying Windows 7. How can we handle the problem described above? I mean, the Update for Root Certificates is designed for Windows XP. I see that Windows 7 workstations won't receive it from WSUS. We tried to manually install the update on some machines and it worked, but it will be a hard task to update all machines manually :o)
Tks in advance,
Eduardo

Read other answers
RELEVANCY SCORE 64.8

Hello,

I work for a company that uses a disconnected network.
We have recently, I know a bit late, implemented the new recommended way of pushing down root certificates to the network.
However, before this new recommended way of providing machines with root certificates was introduced, as you are aware, Microsoft included them in KBs such as KB931125.
This KB installed the root certificates to the local store on the machine. Which was fine at the time, as when a new KB for root certificates was released, it would remove expired certificates and introduce new ones if needed.
Now the issue we are experiencing is, now that we are using the new way of pushing down root certificates (via Group Policy), we want to be able to remove the locally stored certificates to keep certmgr.msc clean and uncluttered.
With the locally stored root certificates & GPO applied, we see around 748 certificates. This is because there are duplicates & old certificates in the local store.
Without the locally stored root certificates & GPO applied, we see around 360 certificates.

Is there a way of doing this via a script that we can advertise to machines?

Many thanks. 

Read other answers
RELEVANCY SCORE 64.8

I am running win2k SP4.
I tried to install update for root certificates
Root Certificates Update
Download size: 189 KB, < 1 minute
This item updates the list root certificates on your computer to the latest list that is accepted by Microsoft as part of the Microsoft Root Certificate Program. Adding additional root certificates to your computer enables a greater range of security-enhanced Web browsing, secure e-mail, and secure code delivery applications to work seamlessly. This update includes root certificates from Verisign, Thawte, and Post.Trust in Ireland. Read more...

It wouldn't install, and I've reviewed and tried to install 4 times now. I can't see the link to read more as I just get 'page cannot be displayed'. Can someone suggest something?
Thanks in advance for any help.
 

A:Windows update for root certificates

^^^BUMP^^^

Anyone?
 

Read other 1 answers
RELEVANCY SCORE 64.8

I want to integrate current certificates (root, disallowed) into Windows 7 installation ISO.
How to do it (DISM?) and what cert files do I need:
404 - File or directory not found.
http://ctldl.windowsupdate.com/msdow...uthrootstl.cab
http://ctldl.windowsupdate.com/msdow...wedcertstl.cab
?

Read other answers
RELEVANCY SCORE 64.8

Microsoft Article ID: 931125
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products...
http://support.microsoft.com/kb/931125
You can get this update by running Windows Update.

Read other answers
RELEVANCY SCORE 64.8

I have been offered an optional update for root certificates for Windows Vista. Should I install it?

A:Root certificates for Windows Vista

Yes - In my opinion it should be uprated to a critical update!

Read other 3 answers
RELEVANCY SCORE 64

I want to deploy CA certificates to some of my users who are using Firefox. It looks like Firefox uses a different certificate store than IE.
Can you let me know if we can use Group Policy to somehow push these certs into the Firefox cert store?

Thanks

A:Deploying Root Certificates to Firefox Browser

Yes, you can probably use GPO (because you can do about anything using GPO when being creative), but what is required depends on the application.
I would recommend seeking support from Mozilla. As I remember, they offer a command-line utility to configure the certificates, so you could use a login script to configure it for each user.
MCP/MCSA/MCTS/MCITP

Read other 2 answers
RELEVANCY SCORE 64

After deleting expired root certificates, I cannot open any of my Word documents! All I get is an un-numbered error saying that the "file is not available".

Also, if I create a new document and save it, I will not be able to access it afterwards. All I get is the above message.

Can anyone help me?
 

A:Problems after deleting expired root certificates

Read other 11 answers
RELEVANCY SCORE 63.2

A week ago, I installed a fresh Win7 Home Premium on my laptop-A. After all the Windows Updates, I took a look inside the Trusted Root Certification Authorities and found some entries appear twice, e.g. there are two Thawte Premium Server CA, and few other entries I known not there.

I checked my other laptop-B, which had been used for 3 months. The certification entries there are correct.

1 week later, I had a look at laptop-A again; some entries changed and there are still two Thawte Premium Server CA.

I wonder what's going on and how to fix it? Does the root certification get updated itself automatically?

A:Trusted Root Certification Authorities in IE8

Welcome to Seven Forums Summer4Ever. They are updated on an "as needed" basis. As you visit a site, they will be checked and updated.

Quote:
Root certificates on Windows Vista and later are distributed via the automatic root update mechanism - that is, per root certificate. When a user visits a secure Web site (by using HTTPS SSL), reads a secure email (S/MIME), or downloads an ActiveX control that is signed (code signing) and encounters a new root certificate, the Windows certificate chain verification software checks Microsoft Update for the root certificate. If it finds it, it downloads the current Certificate Trust List (CTL) containing the list of all trusted root certificates in the Program, and verifies that the root certificate is listed there; it then downloads the specified root certificate to the system and installs it in the Windows Trusted Root Certification Authorities Store. If the root certificate is not found, the certificate chain is not completed, and the system returns an error. To the user, a successful root update is seamless. The user does not see any security dialog boxes or warnings. The download happens automatically. In addition, Windows Vista and later client SKUs support weekly pre-fetching from Microsoft Update to check for updated root certificate properties (for example, extended validation (EV), code signing or server authentication properties, which are certificate properties added to a root certificate). ... Read more

Read other 1 answers
RELEVANCY SCORE 63.2

On a client machine running Windows 7 Professional there is only smartcard and registry option available. I need to import a certificate to computer account - trusted root CA.
MMC - Add/Remove - Certificates - Local Computer

Read other answers
RELEVANCY SCORE 63.2

If I delete these, what will happen? I have no "trusted publishers" but I do have a bunch of "trusted root certification authorities".

thanks
sd
 

A:trusted root certification authorities

If you delete all your root certificates, you will get a security alert when your browser attempts to establish an SSL connection. The alert will say that the root certificate is not trusted and will ask you if you wish to continue or not.

Any particular reason you want to delete these?

Actually, now that I am thinking of it, there may be other problems that occur if you delete these. I'm thinking of things like Microsoft digitally signed drivers and such. Some of those certificates may be needed for things other than an SSL connection. I don't know.
 

Read other 2 answers
RELEVANCY SCORE 62.8

OS: xp pro, sp2
2nd party OEM install-- I do not have installation disk nor CD-ROM i386 image
computer: dell optiplex, bought used

Original problem began when I was trying to fix an incomplete TrendMicro subscription install. Their tech support had me uninstall/reinstall using several methods. None resulted in a complete install. I resorted to self-help and read on their Q&A about some drivers failing to install due to a corrupted digital signature database. The recommended fix was to update Root Certificates in the Control Panel add/remove Windows Components.
During the update process, a window message popped up: "setup was unable to build the list of files to copy for MSN Explorer. The specific error code is 0xe0000102. Setup will continue but component may not function properly."
The message was right-- MSN Explorer doesn't function at all. Worse, thinking I could maybe fix MSN Explorer by uninstalling/reinstalling, I discovered the Control Panel add/remove Programs is broken, too; some additional MS programs are shown sans accompanying install dates/sizes. A safe mode system restore did not fix either problem, but did generate a duplicate of the faulty MSN folder. Good news is that IE7 seems to be ok, so I've done a lot of reading.
I have found multiple i386 folders on C:\ --one in Windows\Driver Cache, three in Windows\system32\Reinstallbackups\xxxx\driver files, two in ProgramFiles\Java\ and one in Windows\ServicePack in which I see setup.exe ... Read more

Read other answers
RELEVANCY SCORE 62.8

Windows 7 -64-Bit , 64-Bit Computer CPU System Usage..,                 Everything 64-bit, 8GB Ram
64-Bit then ,32-bit  versions try and format 64-bit.... Third-Party Root Certificates 64-Bit 
Won't Computer& won't read dvd

Read other answers
RELEVANCY SCORE 62.8


I'm aware that SHA-1 server certificates that chain to Root CA certificates within Microsoft's Trusted Programme are unsupported by Edge and IE11 on Windows 10, as of a couple of years ago.

We have an IIS web farm hosting our ASP.NET systems. The server uses a root certificate that, while it was generated using SHA-1, is not part of the Trusted Programme and therefore has no problem when being used to connect to it securely; the problem is that some of our applications require smartcard authentication, which as soon as they're prompted to enter the PIN, Edge/IE11 kills the connection.

It's as if Edge/IE11 won't allow the transmission of SHA-1 based certificates.

One strange caveat to this is that if I force IE11 to use only deprecated TLS versions (i.e. TLS 1.0) then it works, in that the smartcard certificate is transmitted and used to authenticate. If I force IE11 to use TLS 1.2 then it fails.

Using certutil I'm able to determine that the smartcard client certificate was generated using SHA-1 and is also signed by the Root CA certificate used on the server.

IE11 works perfectly fine from Windows 7, so I assume the security policy only affects W10 versions.

Did I miss an announcement that this would also affect client certificates? The original announcement made it clear this would not be the case (taken from a Microsoft blog)

How will SHA-1 client authentication certificates be impacted?

The mid-2017 update will not prevent a client using ... Read more

Read other answers
RELEVANCY SCORE 62.8

Hi,

I have an internal website requiring the user to provide a client certificate to allow access. On my client computer I have installed my user certificate and it shows up in the certificates list in IE8.

However, when I try to access the website I get an 403.7 error in the IIS log (client certificate required). IE doesn't even ask me for a certificate but just displays a blank site.

If I try browsing the website from the same client computer but using the Google Chrome browser, everything works just fine.

I have tried altering the various IE security settings and adding the site to Trusted sites etc. but haven't been able to solve the issue.

Any help would be greatly appreciated.

Erik

A:IE8 and SSL Client Certificates issue

SOLVED:

I figured out, that for some reason, when running IE on Windows 7 requests for client certificates must be performed using the "Advanced certificate request" link on the /certsrv website.

I have no idea why, but it works.

Erik

Read other 1 answers
RELEVANCY SCORE 62

For the past two weeks I have been having problems with MS Update Site. I would attempt to scan for updates and only get 0-100% quick scan not giving me anything to update.

To make things worse, I started to get a bunch of root certificates pop up like mad every time I wanted to access a site, strangely I would get it from Hotmail, WAMU, Citibank.... You would think these would be the least....

Lastly, I noticed every time I would attempt to cookie my sign in, say for example "techguy.org" or any other tech support site, it wouldn't work. That really started to annoy me. Today while surfing the virtualdr boards, I found a thread relating to this problem. To my surprise the solution was very easy...

The problem was all in the date and year of my PC. I had Nov 29, 2019! The thread continued on how having an invalid date would mess with your cookies. So I corrected, restarted, checked BIOS, fired up XP and BAM! Everything was fixed.... Updated via MS updater, no more root pop ups and cookied like a good cookie should do
CHEERS

~R~
 

Read other answers
RELEVANCY SCORE 62

https://internalwebsite.domain.local has a self-generated certificate. I browse to that site, I get a certificate warning about how it's not issued by a trusted certification authority. as expected.

I click continue, I click the certificate error, I click view certificates. issued to internalwebsite.domain.local, issued by internalwebsite.domain.local. I click install certificate, I put it in my local machine's Trusted Root Certification Authorities store. I exit out and close IE. I open MMC certificates snap-in and verify that the certificate is in the Trusted Root Certification Authorities store.

I go back to the site, I still get an error saying the certificate was not issued by a trusted certificate authority.

same thing if I put the cert in the current user's trusted root certification authorities store.
huh?

Read other answers
RELEVANCY SCORE 62

I always get these little windows that pop up telling me about certifications blah blah blah and that the other page has expired etc. I get this when I do my online banking, credit billing, and hotmail reading. Is there anything I can do to stop this annoyance?

~R~
 

A:Disabling notifications of trusted root certification authorities

Read other 9 answers
RELEVANCY SCORE 62

Is there a Powershell or WMI script that we can run to find out whether remote computers have the trusted root certificate installed on their computers?  
Thanks,

Brian

Read other answers
RELEVANCY SCORE 62

Hi,
I have set up a test network to try 802.1x and have stumbled across an issue with the "Trusted Root Certification Authorities". No matter which authority I select, the client connects anyways - although the connection should not be established.
To clarify:
Radius Server RadA has received its certificate from the domain CA CADOM.
Now on the Windows 7 Client I have set "Validate Server Certificate" and just selected GeoTrust Global CA - so some CA that definitely has NOT signed the Radius server's certificate.
The client connects without any issues - this should not be the case according to my understanding. I expect the client to deny the connection, because the certificate presented has been signed by CADOM and not by the allowed GeoTrust.
Can somebody explain this behavior?

Thanks
Tom

Read other answers
RELEVANCY SCORE 61.2

Hi,

Suppose all employees have certificates on their local machines (which are joined to the company domain).
This certificate is issued by Active Directory Certification Services
and all employees request and get this certificate automatically by group policy.

Right now I can export this certificate along with its private key in .pfx format by using the mmc interface.
I'd like to know how I can get all user certificates along with their private keys in .pfx format automatically without having the user go to export via mmc.

I'm trying to implement a server-sided digital signature service using SignServer by Primekey, which is open-source software. I plan to put all the .pfx files I obtain on a server HSM. This will provide server-sided digital signature services for all employees. (There will be some sort of authe... Read more

Read other answers
RELEVANCY SCORE 60

We are experiencing issues only on Vista Home Edition removing an SSL cert from the Trusted Root Authorities with no warning display or anything.

We have gone through all logs, etc, with no resolution to why this is happening. It appears to happen about every 2 weeks.

The easy fix is placing the cert back into Trusted Root Authority, but we need an explanation.

Read other answers
RELEVANCY SCORE 59.2

I was wondering if it's possible to configure a Windows 2019 IIS v10 hosted Web Server to perform OCSP checking of client certificates that are used to authenticate?

It is my understanding that typically the Responder URL that the Web Server contacts in order to validate the client cert is extracted from the AIA attribute in the client certificate. But is it possible to override/supplement this with an additional Responder?

For instance, what if I set up an OCSP Responder in the same domain as the Web Server and associated its revocation configuration with the SUB CA bound to the IIS Site. Now if client certs come in for authentication and have an unrelated OCSP Responder in their AIA, can I somehow tell the Web Server to also check the aforementioned Responder that has been stood up in the domain?

A:OCSP Based Validation for Client Certificates Using Responder Defined by Web Server

Per a reply from Mark B. Cooper at PKI Solutions this is indeed possible. You must edit the following GPO in order to override the default behaviour of the web server which is to only check the Responder URL specified in the client certificates' AIA extension.
Default Domain Policy > Computer Configuration >  Policies > Windows Settings > Security Settings > expand Public Key Policies
Once a custom Responder is specified in the CA / SUB CA's revocation properties, the above GPO will allow it to check that custom Responder URL first, then OCSP as defined in the AIA extension, and then CRLs.
Thanks Mark!
EDIT:
Will post reference links once MS verifies my account.

Read other 1 answers
RELEVANCY SCORE 57.6

Does anyone have any experience with Microsoft's Thin Client servers and machines? I would like to set up a small network using thin clients but have not heard much about it. Any tips, suggestions, stories, etc.?
 

Read other answers
RELEVANCY SCORE 56.8

Hi,

I have a 9 PC LAN running in my office, it's only a small business and I maintain it myself.

Current setup is Windows Advanced Server 2003 setup as the Domain Controller with Active Directory, logging into that are up to eight Windows XP machines.

What I am after doing is having all 8 XP clients take their time from the Server (regardless of the user that logs on) rather than running their own times, to ensure they all stay in sync. Can anyone tell me how to do it or if it can even be done?

Thanks
 

A:Solved: Time on client machines on a small LAN

Hi,

Here are all the answers: http://support.microsoft.com/kb/314054/en-us
If those 8 PCs are joined to the domain, they should get time from the domain controller by default. Start, Run, cmd > w32tm /resync, and then press ENTER
http://support.microsoft.com/kb/307897
 

Read other 2 answers
RELEVANCY SCORE 56.4

Hello,

Not sure if this is possible. Using DHCP or maybe even Group Policy, can I set Outlook to automatically configure the Exchange server settings? I would like not to have to go to 100 client machines to configure this.

Thanks,
Tony
 

Read other answers
RELEVANCY SCORE 56.4

We got recommendations from the security team to stop the Server service on client machines. We want to be sure that there will be no effect if we disable this service.
What is the effect when we disable the Server service on client machines in an environment that has:
AD 2012 R2
Client machines: Windows 7, Windows 8, Windows 10



Ahmed

Read other answers
RELEVANCY SCORE 56.4

 
Developers who use the official Git client and related software are being urged to install a security update that kills a bug that could allow attackers to hijack end-user computers.
The critical vulnerability affects all Windows- and Mac-based versions of the official Git client and related software that interacts with Git repositories, according to an advisory published Thursday. The bug can be exploited to give remote code execution when the client software accesses booby-trapped Git repositories.
"An attacker can craft a malicious Git tree that will cause Git to overwrite its own .git/config file when cloning or checking out a repository, leading to arbitrary command execution in the client machine," Thursday's advisory warned. "Git clients running on OS X (HFS+) or any version of Microsoft Windows (NTFS, FAT) are exploitable through this vulnerability. Linux clients are not affected if they run in a case-sensitive filesystem."

 
 

Critical Git bug allows malicious code execution on client machines

Read other answers
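As an added example (not part of the quoted advisory or the original post), the following defender-side check lists tree entries whose path contains a component that differs from `.git` only by case, which is what lets a checkout on NTFS, FAT or HFS+ land inside the real `.git` directory. The sample listing, object IDs and function names are constructed for illustration; it assumes one entry per line in `git ls-tree -r` format with unquoted paths.

```python
# Added example: find Git tree paths that alias ".git" on a case-insensitive
# filesystem (NTFS, FAT, HFS+), the condition described in the advisory.

# Constructed sample in `git ls-tree -r` format: "<mode> <type> <sha>\t<path>".
# Object IDs and paths are made up for illustration.
SAMPLE_LS_TREE = "\n".join([
    "100644 blob " + "1" * 40 + "\tREADME.md",
    "100644 blob " + "2" * 40 + "\tsrc/main.c",
    "100644 blob " + "3" * 40 + "\t.GIT/config",
    "100644 blob " + "4" * 40 + "\tvendor/lib/.Git/config",
    "100644 blob " + "5" * 40 + "\t.gitignore",
    "100644 blob " + "6" * 40 + "\tdocs/git/config",
])


def parse_ls_tree(text):
    """Yield (mode, type, object_id, path) for each entry line.

    Assumes one entry per line with unquoted paths.
    """
    for line in text.splitlines():
        if not line.strip():
            continue
        meta, sep, path = line.partition("\t")
        fields = meta.split()
        if not sep or len(fields) != 3:
            raise ValueError(f"unrecognised ls-tree line: {line!r}")
        yield fields[0], fields[1], fields[2], path


def aliases_dot_git(component):
    """True if a path component would resolve to ".git" when case is ignored."""
    return component.casefold() == ".git"


def suspicious_paths(text):
    """Return paths with any component that collides with ".git"."""
    return [
        path
        for _mode, _type, _oid, path in parse_ls_tree(text)
        if any(aliases_dot_git(part) for part in path.split("/"))
    ]


if __name__ == "__main__":
    for hit in suspicious_paths(SAMPLE_LS_TREE):
        print("collides with .git on a case-insensitive filesystem:", hit)
```

A check like this is useful for auditing repositories already mirrored on a server; the fix for clients remains the security update the article refers to.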
RELEVANCY SCORE 55.6

(I'm cross posting this from
https://answers.microsoft.com/en-us/ie/forum/ie11-windows_7/a-certificate-chain-processed-but-terminated-in-a/e6895c7e-c6b9-4a96-a5f5-a4dcd40b7b45 as directed by the forum moderator there.)
Hello,

First, I have reviewed the other posts with similar questions and noted that I can install the certificate into root certificates and most likely this problem will go away, some specifics:

1) When a client reported this error using pop.secureserver.net on an Outlook 2003 client, I just figured it was GoDaddy or the REALLY old Outlook client, but nonetheless, I went in to troubleshoot it and was convinced it was GoDaddy, but when I tried to start my Outlook 2016 client on my Windows 10 computer on their network, I got the same error. Two notes are important: 1) I use GoDaddy as well and 2) I used the same computer at a different client just yesterday without a single error message.
2) They use POP 995 w/ SSL & SMTP 465 w/ SSL to pop.secureserver.net & smtpout.secureserver.net respectively
3) I called the company that manages their firewall and was told that everything was fine, but was sent a certificate from the firewall that might fix the problem.
4) The firewall company tells me they use a Fortinet firewall

I have some questions that I'm hoping one of the experts here can answer for me:

- What in a firewall setup can cause a certificate to fail as listed in the subject?
- Is there a port or configuration change they... Read more

Read other answers
RELEVANCY SCORE 55.6

We have (as in develop and publish) a Java Telnet/TN5250 client that works beautifully on most systems. And so far, we've found nothing in it that could be causing the problem at hand. (And we've driven ourselves nuts trying to find something).

It seems that two particular machines, one being a test box, running Win2k and the latest Java 1.6, the other a customer box, running (I think) XP and the latest Java 1.6, have a problem if this program is talking to a particular AS/400 (the customer's). At some point after the initial connection is established (sometimes in the protocol negotiations, sometimes after the TN5250 session is established, and the user is signed on and trying to do useful work), the machine will go into a mode where it oscillates between seemingly normal responsiveness and total nonresponsiveness (with a frozen mouse pointer), typically spending a few seconds in each state. Eventually, WinDoze becomes responsive again, but can no longer access anything (and I do mean ANYTHING; no Internet, no shared folders on our LAN, NOTHING) through its Ethernet connection.

It's only known to happen on those two machines, and only with a Telnet connection to that particular host.

Our most recent theory was that our Telnet application was getting into some sort of argument with something else running on the machine, and so we tried getting rid of everything known to have a background task on the test box. Now, instead of only crashing TCP, it crashe... Read more

A:Weird behavior -- Java TN5250 client crashes only certain machines

More information:

It seems the crash (at least now that it crashes the operating system instead of just Ethernet) leaves something in EventViewer:

The computer has rebooted from a bugcheck. The bugcheck was: 0x000000d1 (0x00000114, 0x00000002, 0x00000000, 0xbfeb1c5c). Microsoft Windows 2000 [v15.2195]. A dump was saved in: C:\WINNT\Minidump\Mini062707-03.dmp.

I have a copy of the dump, but I don't know what to do with it.
 

Read other 3 answers
RELEVANCY SCORE 54.4

Hello, I always use web-based email via the browser at home. I do not use an email client (well, in the office we have Outlook). I'd like to use Thunderbird at home with a Gmail account that can be used by the kids. Now I am using Avira IS 2012 and would like to make it scan emails through its mailguard component. I have seen Thunderbird work with Avast IS on my brother's PC, but I see that for it to scan all emails the SSL/TLS should be deactivated. I was asking the tech guys at the office about email clients, digital certificates etc. and they only remarked "google it"... wow... So I came here.

Now my questions are:

a. Is it safe to disable SSL/TLS in an email client? In the office we have that (with Norton Enterprise) and I see an indicator at the bottom of the email message that it was scanned by Norton.
b. Can there be an application that can allow me to have SSL/TLS and at the same time have Avira scan my emails? I searched Google and found out that in Avira it also has to be disabled to let it scan all emails.
c. SSL/TLS is encryption, right? Is not using encryption in email okay? I mean at home. In the office it's important, but at home... opinions please.
d. What ports for POP3, IMAP and SMTP should I allow Thunderbird to use in the firewall (I use Comodo)? If Thunderbird wants connections via ports other than the default ones... should I allow it or not?
e. Can an email client be run inside a sandbox? Is it sane enough or crazy? Just... Read more

A:Thunderbird email client, Comodo Email Certificates, Avira IS 2012 questions

I would highly recommend that you keep TLS/SSL enabled; this makes sure that your password and user credentials are not sent in the clear.

If the AV needs to have this disabled then it's not a good AV.

The ports are on the setup page for Gmail: http://kb.mozillazine.org/Using_Gmail_with_Thunderbird_and_Mozilla_Suite

Digital Certs are expensive to create and use, and only vital for businesses and not home users.

Read other 1 answers
RELEVANCY SCORE 54

Hello 

After installing Windows 7 and Windows 10, I get only a minimal set of certificates in Trusted Root Certificates. I need all certificates,

for example (VeriSign, Comodo).

I work offline, with no WSUS server.

Read other answers
RELEVANCY SCORE 52.8

Hi,
I am trying to install CA root certificate on Windows 7, IE 9.
Encounter error: "Untrusted Certificate".  "This certificate cannot be verified up to a trusted certificate authority."
I have tried to install the certificate to Trusted Root Certificate Authorities->local computer and import was successful. BUT on IE->Internet Options->Certificate->Trusted Root Certificate Authorities, I am unable to find this root CA on the list.
On mmc->Certificates->Trusted Root Certificate Authorities->certificates, I am able to view this root CA.
I then restarted the IE and view the ssl site again but failed too, "Untrusted Certificate".
Anyone, any idea ?
Regards,
Eye Gee

A:Unable to Install Root CA Certificate - Certificate cannot be verified up to a trusted certificate authority.

The following workarounds may work for you:
Workaround 1:
Modify the Windows settings to allow the Update Root Certificate feature to update the root certificates automatically. For details, see the following Microsoft TechNet article:
Certificate Support and Resulting Internet Communication in Windows Server 2008
http://technet.microsoft.com/en-us/library/cc771121(WS.10).aspx
Workaround 2:
If the Update Root Certificate feature cannot automatically update the root certificates, you may contact the website vendor to see if there is a hotfix that can fix the issue.

Read other 8 answers