Over 1 million tech questions and answers.

External websites end entity certificate signed by internal root Certificate Authority Certificate - Incorrectly

Q: External websites end entity certificate signed by internal root Certificate Authority Certificate - Incorrectly

Hello,

I am trying to resolve an issue where multiple client computers in the organisation are using an internally deployed Root CA certificate (before my time and no longer required) to sign the end entity certificate for external websites, google.co.uk
for example. All SSL sites appeared to be affected by this.




However this is not the case as sub domains of sites with issues show the correct cert chain, the below is for mail.google.com




Removing or untrusting this root ca cert breaks access to these sites.

I have reset root certs in various ways, removed machines from the domain, applied no GPOs, manually updated CRL and pulled down updated certs with rootsupd.exe.
It always attempts to use this rouge CA cert to sign the websites cert.

Any assistance would be much appreciated.

Read other answers
RELEVANCY SCORE 200
Preferred Solution: External websites end entity certificate signed by internal root Certificate Authority Certificate - Incorrectly

I recommend downloading and running Reimage. It's a computer repair tool that has been proven to identify and fix many Windows problems with a high level of success.

I've used it in the past to identify and fix everything from blue screens (BSOD's), ActiveX errors, corrupt files and processes, dll/exe/sys errors, recover lost memory, Windows update problems, defragging, malware removal etc.

You can download it direct from this link http://downloadreimage.com/download.php. (This link will automatically start a download of Reimage that you can save to your computer.)

RELEVANCY SCORE 212.8

Hi,
I am trying to install CA root certificate on Windows 7, IE 9.
Encounter error: "Untrusted Certificate".  "This certificate cannot be verified up to a trusted certificate authority."
I have tried to install the certificate to Trusted Root Certificate Authorities->local computer and import was successful. BUT on IE->Internet Options->Certificate->Trusted Root Certificate Authorities, I am unable to find this root CA on
the list.
On mmc->Certificates->Trusted Root Certificate Authorities->certificates, I am able to view this root CA.
I then restarted the IE and view the ssl site again but failed too, "Untrusted Certificate".
Anyone, any idea ?
Regards,
Eye Gee

A:Unable to Install Root CA Certificate - Certificate cannot be verified up to a trusted certificate authority.

May the following workarounds work for you:
Workaround 1:
Modify the Windows settings to allow the Update Root Certificate feature to update the root certificates automatically. For details, see the following Microsoft TechNet article:
Certificate Support and Resulting Internet Communication in Windows Server 2008
http://technet.microsoft.com/en-us/library/cc771121(WS.10).aspx
Workaround 2?
If the Update Root Certificate feature cannot automatically update the root certificates, you may contact the website vender to see if there is a hotfix can fix the issue.

Read other 8 answers
RELEVANCY SCORE 163.6

I have Windows 7 client and Cisco router is configured as Certificate Authority. Cisco calls it IOS CA. How can I do certificate enrollment of Windows 7 client with my Cisco IOS Certificate Authority?

Read other answers
RELEVANCY SCORE 161.6

(I'm cross posting this from
https://answers.microsoft.com/en-us/ie/forum/ie11-windows_7/a-certificate-chain-processed-but-terminated-in-a/e6895c7e-c6b9-4a96-a5f5-a4dcd40b7b45 as directed by the forum moderator there.)
Hello,

First, I have reviewed the other posts with similar questions and noted that I can install the certificate into root certificates and most likely this problem will go away, some specifics:

1) When a client reported this error using a pop.secureserver.net on an outlook 2003 client, I just figured it was godaddy or the REALLY old Outlook client, but nonetheless, I went in to troubleshoot it and was convinced it was godaddy, but when I tried
to start my Outlook 2016 client on my Windows 10 computer on their network, I got the same error.  Two notes are important: 1) I use godaddy as well and 2) I used the same computer at a different client just yesterday without a single error message.
2) They use POP 995 w/ SSL & SMTP 465 w/ SSL to pop.secureserver.net & smtpout.secureserver.net repsectively
3) I called the company that manages their firewall and was told that everything was fine, but was sent a certificate from the firewall that might fix the problem.
4) The firewall company tells me they use a fortinet firewall

I have some questions that I'm hoping one of the experts here can answer for me:

- What in a firewall setup can cause a certificate to fail as listed in the subject?
- Is there a port or configuration change they... Read more

Read other answers
RELEVANCY SCORE 161.6

Is there a rvkroots.exe available for download for the mentioned KB so that I can remediate a Nessus finding?
We are on a disconnected network so windows update is disabled in our network.
In the past we are able to just download rvkroots.exe and push it out to all our Win7 computers.

Read other answers
RELEVANCY SCORE 161.6

I have some Windows 7 systems which have not run Windows Updates for many years, and cannot due to regulatory reasons.   We rely upon Windows to automatically update the Trusted Root Certificate store whenever we browse to a web site/web service
that uses a certificate the system doesn't recognize. 
Sometime recently, the Trusted Root Certificate Store no longer updates automatically.  The Windows Event Log shows an error stating that the certificates cannot be downloaded from:
http : // ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
If we browse to this location manually, the cab file contains an invalid Microsoft certificate. 

This was also an issue in Sept 2018.  At that time, the certificate had expired, and Microsoft eventually updated the certificate to resolve the issue.   This time, the certificate does not appear to have expired.  Why is the certificate
invalid this time, and can Microsoft fix it again?

Thanks

Read other answers
RELEVANCY SCORE 156

seems that "Microsoft Certificate Trust List Publisher" Certificate Valid:01.27.2017-04.12.2018 is missing following EKU
'Microsoft Trust List Signing' (1.3.6.1.4.1.311.10.3.1) ?!
-ExtendedKeyUsage
     -Usage
          [ oid] 1.3.6.1.4.1.311.10.3.1
          [ name] Microsoft Trust List Signing
-ErrorStatus
     [ value] 10
     [ CERT_TRUST_IS_NOT_VALID_FOR_USAGE] true
Note: KB2328240 is imho not permanently fixing this problem ! (*curing only some derivated symptoms)

Read other answers
RELEVANCY SCORE 144.4

I apologize if this isn't the right forum, but I did not see one that is specifically for Microsoft Edge.

We have an internal Flash application at work that utilizes a self-signed certificate for HTTPS. When attempting to load the page hosting the application, only the background will load. Other than the initial warning regarding the self-signed certificate,
there are no errors logged in the browser or the application's backend. The page would load successfully prior to the Windows 10 Anniversary Update.

One workaround to get the application to load is to install the self-signed certificate in Internet Explorer. After that, it works fine. My question is: does the version of Microsoft Edge that comes with the Anniversary Update have a new security
feature that prevents it from loading Flash content when a self-signed certificate is involved? If not, does anyone have any ideas as to why the content will not load unless the certificate is installed?

Edge version 
Microsoft Edge 38.14393.0.0
Microsoft EdgeHTML 14.14393

Flash version
23.0.0.185

Read other answers
RELEVANCY SCORE 135.6

so whats up with this error message ??
Revocation information for the security certificate for this site is not available. Do you want to proceed? [Yes] [No] [View certificate]


i know it can be unchecked in security option under advanced. but is that really safe to do ???

Thx


Steven J Einhorn

Read other answers
RELEVANCY SCORE 133.6

In Internet Explorer, when I get a certificate error, if I continue to the web site, I can then view the certificate to see what was wrong.  However, obviously it would be preferable* to see the certificate
before I make the decision to go to the site.  Is this possible?  I'm sure I could use another browser that does this, or maybe use the F12 developer tools, or write a program.   But I'm looking
for a normal-user way to do it.  I think it used to be possible in Internet Explorer, but this might have been 6.x or even earlier.  Or even
way earlier.  Yep.  I'm that old.  I believe this feature is not in Edge either...unless I'm just missing it.  But I'm using ie11 right now.
*understatement level is set to "high".

Read other answers
RELEVANCY SCORE 133.6

Can someone walk me through the steps of having Advanced Threat Analytics (ATA) request a new certificate from Active Directory Certificate Services (ADCS)?  I'm not familiar with either product so I will need detailed steps please.  At a high-level
i'm guessing
1. ATA issues a certificate request
2. I send the request to ADCS
3. ADCS issues a cert for that request
4. Install new cert in ATA
I'll need detailed command line statements.  My ATA Center server is named ATASERVER.DOMAIN.ORG, and I but the URL is configured as ATACENTER.DOMAIN.ORG in ATA.  Can the cert handle both the servername and the URL?
Thank you in advance!

Read other answers
RELEVANCY SCORE 133.6

Hi,

Really confusing one here. Since this weekend (16/17 July) we have started getting Certificate errors on some sites and applications. This seems to be due to the structure of the URL compared to the "advertised" name IIS is presenting. I'll try
to explain.
I have a site, Website. This is in my domain, domain.com. Therefore the FQDN is website.domain.com. IIS is running and I can access this site through FQDN,NetBIOS or IP address. Good news.
I create a certificate for the server using the FQDN as the subject, I add the Netbios and IP addresses in the Subject Alternate Names and Bind this to port 443 on the server.
I browse to https://website and all is good. I browse to https://website.domain.com I get a certificate error. Checking the certificate, everything is fine, no errors, chain is trusted. open Chrome and do the same, I get that the certificate website.domain.com
is being presented by Website and may not be the site I want.
Using either URL has never been a problem until this weekend, but it seems that IE/Windows/IIS is not liking any URL that is not EXACTLY what IIS is presenting. so my questions are:-
Is anyone else finding this?
Can we issue a certificate that covers all possible DNS resolutions for a site?
How do I control WHAT IIS advertises itself as?
SO far this has affected two major systems on our network and I can see that more will arise, so any help would be appreciated.

Read other answers
RELEVANCY SCORE 133.6

Hiya

This update addresses the "Certificate Renewal Wizard Concatenates Certificate" issue in Internet Information Services (IIS) 5.0, and is discussed in Microsoft Knowledge Base (KB) Article Q325827. Download now to correct this issue for IIS 5.0

System Requirements
Supported Operating Systems: Windows 2000

Internet Information Services 5.0
Windows 2000 Professional
Windows 2000 Server
Windows 2000 Advanced Server

http://www.microsoft.com/downloads/...43-c72f-4652-b912-065ee2a83c02&DisplayLang=en

Regards

eddie
 

Read other answers
RELEVANCY SCORE 131.2

Hi,
Having some fun with a windows 7 setup of DirectAccess, have it configured to use ECC certificates on the client for the IPSec authentication, which was working brilliantly, we even have it loaded up behind a Citrix Netscaler to do SSL offloading of the
HTTPS tunnel encryption. But when trying to get Client Preauthentication working, we hit a snag, it seems that the NetScalers dont support ECC certificates, which is a pain, but something we thought we could work around by using an RSA certificate on the client
to performed the pre-authentication (as shown here https://directaccess.richardhicks.com/2016/05/10/directaccess-ip-https-preauthentication-using-citrix-netscaler/).
So we have three CA's, CA1/2 issue RSA certs and CA3 is setup to do the ECC ones, so nice separation of the chains.
So we have our Cert chain for RSA loaded into the load balancer and a new cert issued to the client from CA1... But, every time the client connects to the server (LB) we see the handshake taking place, the server sends a list of its DNs (CA1/2) (https://blogs.msdn.microsoft.com/kaushal/2015/05/27/client-certificate-authentication/)
to the client, but then the client looks in its store, picks out the ECC certificate (issued from CA3) and fails to authenticate saying no suitable certificate can be found, its like its not even looking at the RSA one at all.
So, thinking something was wrong with the way the LB was asking for client authentication, I tried deleting the ECC cert a... Read more

Read other answers
RELEVANCY SCORE 131.2

Good Day



We have a problem where we encrypted files using EFS, however we can't access or decrypt these files now.

We have the certificate in the certmgr.msc but we do see that the key is missing.



I have reproduced this on another computer and was able to run certutil -repairstore -user MY "Serial Number" which worked in repairing the store and files was decryptable again.

However on the machine that encrypted the files that we need to access this is not the case as there is a popup asking for your Smart Card.

We are not using Smart Cards at all, and have had a look at the following article regarding this issue, but the hotfix didn't work: https://support.microsoft.com/en-us/kb/2955631




I have software that can remove the encryption but will require the .pfx file, which can't be exported as the certstore doesn't show that it still has this.



It is a self signed certificate generated by Windows, so I can't request a new one using the CA.


Thanks for your help in advance.

Read other answers
RELEVANCY SCORE 126.8

Hi all !

Could somebody please help me out and explain following 4 questions

-> What are the main difference between a a self-sign certification implementation and a PKI?
-> What is the difference in the trust model between X500 certificates and openPGP keys?
-> What is the main difference between file encryption and rights management
-> What are the steps followed within an RM Solution, when a file is protected and authorized user attempts access?

Would be really nice to have a short explanation, not like the one I have myself of a full A4 page

Thanks to all in advance
 

A:Certificate authority questions

Sorry but we don't do homework so for that reason, together with the fact that you've posted this on at least two other sites, I'm closing this thread.
 

Read other 1 answers
RELEVANCY SCORE 126.4

I have a WHM/cPanel server using a self-signed certificate - every time I visit it in Chrome (46 on Windows 10) I get the standard NET::ERR_CERT_AUTHORITY_INVALID error. I know I can click advance and proceed but it seems to keep asking me to do this on every other page load, making it impossible to do anything.

I have followed several different guides for allowing a self-signed certificate to Chrome but nothing has worked so far.

I have tried adding the certificate to the trusted root certification authorities list on Chrome and within MMC on Windows itself but it still isn't allowing it.

Any help is much appreciated.

Thanks.

Read other answers
RELEVANCY SCORE 126.4

We have 4 domain controllers which acts as an ATA lightweight gateway.
All 4 domain controllers have installed a certificate from our trust CA with the following CNs:
Common Name : Computername(FQDN)
Our ATA Center has a certificate
Common Name: ATA Center URL (ata.<domainFQDN>)
Both certificates have the following specs:
EKU:
Client authentication
Server authentication
Key Type: Exchange
Key Length: 2048
CSP: Microsoft RSA SChannel Cryptographic Provider (Encryption)
We could use both certificates for ata gateway<-->ata center connection but after the upgrade to ATA 1.8.1 it creates a self signed certificate and using that certificate instead of the one from our CA.
I have changed the thumbprint in the gateway json file, but after restarting the gateway services it changes back to the self signed thumbprint.
How can I use my CA certificate instead of the self signed certificate?

Read other answers
RELEVANCY SCORE 126.4

I have a problem with install multiple digital certificate (PKF format) to allow access to one website with different account ID.

Every time I installed the certificate, it is working and allow me access to the website with relevance ID. However, the installed certificate will be missing if I continue to install with another certificate. The way I install the certificate is just double click on the PKF certificate that provided by the website admin, then kept click on the next button until its finish the installation steps. All the certificates will install to "Personal" certificate store folder, but the problem is only one certificate will remain.

I ever try to import all the certificate with using windows certificate manager, is allow me to import all the certificates and able to let me access to the website with select different certificate to login with selected account ID. Anyway this method is only workable if the Internet Explorer is not close after install all the certificates, once the Internet Explorer is close, then all the certificates were gone.

The motioned problem PC is running on Windows XP SP3 with latest update. And the using internet explorer is version 8 with latest update as well.

I had try to reset the Internet Explorer to default, but is not working so, appreciate is anyone can guide me to solve this problem

A:PKF certificate missing after new certificate was installed

Under "Content" in Internet Options, are all your certificates there? Mine are. Either your Admin. or the issuer should have your answer. Some PKFs are not compatible with all OSs or Browsers. Try downloading certificates to Firefox or Chrome and see if that works.

Read other 2 answers
RELEVANCY SCORE 126.4

I based my actions amongst others on this source:https://www.adlerweb.info/blog/tag/procurve I am using openssl to create my own CA for my company's switches etc.  and i am having trouble with a number of recent procure switches. I created a root CA (2048 bits rsa, sha1 so as not to make things too difficult)I created a custom TA called "netwerk", uploaded the CA root certificate, so far so good Created a CSR:crypto pki create-csr certificate-name sw1113  ta-profile netwerk usage web subject common-name sw1113 key-size 2048 the rest of the info and extensions like CDP alternative names etc. is being pushed while signing in openssl via an extensions file resulting CSR processed with openssl (keeping it a simple 2048/sha1 leafcertificate) Signed this CSR with the afore mentioned and uploaded root certificate: Resulting PEM pasted to install the generated leaf certificate sw1113(config)# crypto pki install-signed-certificatePaste the certificate here and enter:-----BEGIN CERTIFICATE-----MIIEGjCCAwKgAwIBAgIBATANBgkqhkiG9w0BAQUFADCBlzELMAkGA1UEBhMCTkwx.....ASCspazUcVeCueTvvVLr4UPObJB1/IBHKHCwkN7nuaTHuiDD8tQzOlWaxry4MsEFGXojuFv1YtFAtlgLlwxvqndi2NysNyqcnZR1o4l0qe4eSrIlUrCyrvyieK5rdQ==-----END CERTIFICATE-----Certificate being installed is not signed by the TA certificate. So, what is going on? The leaf cert is definitely signed by the root cert that was uploaded as TA cert.    Would really appreciat... Read more

Read other answers
RELEVANCY SCORE 125.2

Using an Synology NAS with DNS server local domain example.ns
Creating an self-signed certificate example.ns and export this certifcate
Open MCC and import - Trusted Root Certification Authorities - Certifates - example.ns - was succesfull.
In the Old MS Edge version my self-signed certificate was trusthed

MS Edge Version 81.0.416.64 Start my domain example.ns
Edge answer - Your connection to this site is not secure
I cannot find an solution for my problem

QST How to accept / trusthed my self-signed certificate again?

Can somebody help me out?
Thx Robert (PL)

Read other answers
RELEVANCY SCORE 124.4

Option "Find Certificate" is missed when I try to edit certificate on another computer using mmc.Could you please let me know how can I solve that? I'm sure I'm admin on the remote machine.

Read other answers
RELEVANCY SCORE 124

CNNIC, a certificate authority for the Chinese Government, issued a trusted subordinate (intermediary) certificate to MCS Holdings. This allowed MCS Holding to issue and use a SSL/TLS certificate for any website, but it was expected it would only be used on websites they owned. Instead, it was used internally (and stored in plaintext) to perform a man in the middle attack against all traffic within their company. 
 

 
On Friday, March 20th, we became aware of unauthorized digital certificates for several Google domains. The certificates were issued by an intermediate certificate authority apparently held by a company called MCS Holdings. This intermediate certificate was issued by CNNIC. 
CNNIC is included in all major root stores and so the misissued certificates would be trusted by almost all browsers and operating systems. Chrome on Windows, OS X, and Linux, ChromeOS, and Firefox 33 and greater would have rejected these certificates because of public-key pinning, although misissued certificates for other sites likely exist.
We promptly alerted CNNIC and other major browsers about the incident, and we blocked the MCS Holdings certificate in Chrome with a CRLSet push. CNNIC responded on the 22nd to explain that they had contracted with MCS Holdings on the basis that MCS would only issue certificates for domains that they had registered. However, rather than keep the private key in a suitable HSM, MCS installed it in a man-in... Read more

Read other answers
RELEVANCY SCORE 123.6

Hi,I have a Toshiba laptop running XP. When I click on the Mail icon from aol.com homepage, the log-in screen displays and I get a security certificate error with IE8. "Content was blocked because it was not signed by a valid security certificate."I get this message when doing the same thing using Chrome:This webpage is not available[u]The webpage at https://at.atwola.com/adiframe/3.0/5113.1/221794/0/-1/size=1300x800;noperf=1;alias=93312388;kvpagetype=0;kveditags=0;kvmood=0;kvpatcheditags=0;kvag=0;kvinc=0;kvmar=0;kvch=0;kvseg=0;kvugc=0;kvui=fba8dab406a011e29d8041de23c66351;kvmn=93312388;extmirroring=0;target=_blank;aduho=-240;grp=530777328 might be temporarily down or it may have moved permanently to a new web address.Error 501 (net::ERR_INSECURE_RESPONSE): Unknown error.This is the only website that I have this problem.I have no problem doing this from my desktop on the same LAN.I am afraid something has hijacked my computer.Can you help?Thanks.

A:Content was blocked because it was not signed by a valid security certificate.

Hello and welcome to Bleeping Computer! I am HelpBot: an automated program designed to help the Bleeping Computer Staff better assist you! This message contains very important information, so please read through all of it before doing anything. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here. To help Bleeping Computer better assist you please perform the following steps:*************************************************** In order to continue receiving help at BleepingComputer.com, YOU MUST tell me if you still need help or if your issue has already been resolved on your own or through another resource! To tell me this, please click on the following link and follow the instructions there.CLICK THIS LINK >>> http://www.bleepingcomputer.com/logreply/469750 <<< CLICK THIS LINK If you no longer need help, then all you needed to do was the previous instructions of telling me so. You can skip the rest of this post. If you do need help please continue with Step 2 below.*************************************************** If you still need help, I would like you to post a Reply to this topic (click the "Add Reply" button in the lo... Read more

Read other 17 answers
RELEVANCY SCORE 123.6

I have known that,the information sent to Microsoft when a user installs a program includes IP address, a hash of the installer and digital signature, and possibly the filename of the application.



from: http://stackoverflow.com/questions/12311203/how-to-pass-the-smart-screen-on-win8-when-install-a-signed-application



The question is that, does Microsoft collect any other information that I dose not mentioned?

Read other answers
RELEVANCY SCORE 123.6

I would like to replace working certificate for the localhost (127.0.0.1), with an end date in a few months. (Win10 - Edge - IE11)
I managed to create a certificate (made a copy form the previous one with Powershell), and imported it in the list of Trusted Root Certificates. I removed the previous certificate.

But Edge (and IE11 since I suppose Edge has no support for this yet) is still pointing to the old certificate.
Does anyone know how to make the browsers point to the new certificate?

Read other answers
RELEVANCY SCORE 123.6

I have known that,the information sent to Microsoft when a user installs a program includes IP address, a hash of the installer and digital signature, and possibly the filename of the application.
from:
http://stackoverflow.com/questions/12311203/how-to-pass-the-smart-screen-on-win8-when-install-a-signed-application
The question is that, does Microsoft collect any other information that I dose not mentioned?

Read other answers
RELEVANCY SCORE 123.2

We are experiencing this problem with a few workstations and laptops and what we are currently doing is exporting the CA certificate from a workstation that has it in its store and importing it. The problem with this is that the certificate will eventually
expire and we will have to re import a new one again. I don't believe it is a group policy issue because other computers in the same OU are not missing the certificate.

Cany anyone shed light on how to troubleshoot this or how to force (if possible) the workstation to download the CA certificate?

Thank you in advance.
Jose

Read other answers
RELEVANCY SCORE 123.2

Hello,
I've a very nasty issue with root CA certificate that's disappearing from the trusted root authorities store. I'll shortly describe the environment: 
- Two tier PKI infrastructure with a offline, standalone root CA and a domain joined Enterprise issuing CA (both W2012R2); root CA certificate is published in AD
- There's a parent and child domain. Issuing CA lives in parent domain (2012R2 domain&forest level)
- Employees are working on a 2012R2 RDS&Citrix XenApp 76 server in the child domain
- In the parent domain several servers are using a SSL certificate signed by the company owned issuing CA; it's a SAN certificate
- The root CA's certificate is in the Trusted Root Certification Authorities store of all member servers in parent & child domain (so, that's also valid for the 2012R2 RDS servers)
The issue is that the certificate of the root CA that's in the trusted CA store of all RDS servers is being deleted on a regular base (at least once a day on each RDS-server). I enabled CAPI2 logging, but I couldn't find anything that makes sense. However
I'm able to reproduce this issue in very simple way: if I start IE11 on a RDS-server and browse to the IP-adres or NETBIOS-name of a webserver that host a site that's using a certificate from our PKI (so, it's clear that the URL isn't matching the names entered
in the SAN certificate) and I click on 'Continue to this website (not recommended)', the root CA's certificate is being removed from trusted... Read more

Read other answers
RELEVANCY SCORE 122.4

Researcher Exposes Flaws in Certificate Authority Web Applications.

SSL certificate validation process easy "to game," he says

-- Tom
 

Read other answers
RELEVANCY SCORE 122.4

Hello!

I have enterprise Certificate authority working at Windows Server 2008r2. All today available updates from Microsoft are installed on the server. 

Through the web interface in the browser IE11 is impossible to request user certificate - when you press "submit" button for certificate request, nothing happens.

At another PC with IE9 all works fine - i can submit request and recive certificate from CA

I installed all available updates for Windows and IE11, but its not resolve problem. I tryed to add CA to Trusted Sites, to set IE11 security settings to minimal level - it not helps 

I found article which describes this problem https://support.microsoft.com/en-us/kb/2988411 , but I have all necessary updates are installed on IE11, including those referred to in article.

How to solve this problem? Use console to request the certificate does not offer, i must be able to request it via the web interface

Read other answers
RELEVANCY SCORE 122.4

Looking for the ability to block websites with invalid certificates. There is a GPO setting that by default is enabled to not allow the ability to bypass a certificate error for revoked certificates. However, this does not work with Expired Certs, Server
Name mismatches, etc...
Wondering if there is a setting that we can set (via Registry, File, or GPO) to add this additional behavior?

Read other answers
RELEVANCY SCORE 122.4

Something keeps redircting Google Chrome. I keep getting this message.

The site's security certificate is signed using a weak signature algorithm!

A:The site's security certificate is signed using a weak signature algorithm!

I am not positive, but this could be because of malware.
My recommendation would be to wait for an experienced person to answer your question.

But in the meantime, download Malwarebytes and scan using the Quick scan.

DO NOT REMOVE ANYTHING

Post back the log when you are done, please.

Read other 5 answers
RELEVANCY SCORE 122.4

Hi all i keep getting The site's security certificate is signed using a weak signature algorithm!,when i try to sign into gmail with google chrome i did a scan with Malwarebytes Anti-Malware and here is my log any info would be great,thanks all

Malwarebytes Anti-Malware (PRO) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.18.03

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 9.0.8112.16421
Seamus :: SEAMUS-PC [administrator]

Protection: Enabled

18/06/2012 15:05:38
mbam-log-2012-06-18 (15-05-38).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 211206
Time elapsed: 1 minute(s), 28 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Read other answers
RELEVANCY SCORE 122.4

Malwarebytes Anti-Malware (PRO) 1.61.0.1400
www.malwarebytes.org

Database version: v2012.06.21.03

Windows 7 x86 NTFS
Internet Explorer 8.0.7600.16385
user :: USER-PC [administrator]

Protection: Enabled

6/21/2012 8:44:13 PM
mbam-log-2012-06-21 (21-48-11).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 233686
Time elapsed: 10 minute(s), 53 second(s)

Memory Processes Detected: 2
C:\Windows\KMService.exe (RiskWare.Tool.CK) -> 1976 -> No action taken.
C:\Program Files\MyWebSearch\bar\3.bin\MWSOEMON.EXE (PUP.MyWebSearch) -> 2228 -> No action taken.

Memory Modules Detected: 1
C:\Program Files\MyWebSearch\bar\3.bin\MWSOESTB.DLL (PUP.MyWebSearch) -> No action taken.

Registry Keys Detected: 155
HKLM\SYSTEM\CurrentControlSet\Services\MyWebSearchService (PUP.MyWebSearch) -> No action taken.
HKCR\CLSID\{00A6FAF1-072E-44cf-8957-5838F569A31D} (PUP.MyWebSearch) -> No action taken.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44CF-8957-5838F569A31D} (PUP.MyWebSearch) -> No action taken.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{00A6FAF1-072E-44CF-8957-5838F569A31D} (PUP.MyWebSearch) -> No action ta... Read more

A:The site's security certificate is signed using a weak signature algorithm!

Welcome aboard Your MBAM log says "No action taken".Re-run MBAM, fix all issues and post new log.

Read other 1 answers
RELEVANCY SCORE 121.6

Hi I am Junaid Yousaf from Pakistan, I am having trouble to update the Root Certificate to access a few online activities and to add I am unable to access Microsoft's Websites especially where I could download stuff, it says "Server not found" something which would only pop if my internet connection was dead which isn't the case.

Really glad for your help as followed I have taken the instructions I was pointed to on the forum.

DDS Log....

DDS (Ver_10-10-21.02) - NTFSx86
Run by Psio at 5:04:53.46 on Fri 10/22/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1341 [GMT 5:00]


============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\VMSnap3.EXE
C:\WINDOWS\Domino.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings... Read more

A:Root Certificate and Microsoft

Another thing I'd like to mention there is something wrong with my PC, I get the ASK.com search engines for no reason, even after attempting a correctly typed email address this search engine shows up, looking forward and apologies for double post I really hope I could find the edit button.

-Regards.

Read other 5 answers
RELEVANCY SCORE 121.6

Hi all,

I have just been bought some Bluetooth headphones that didn't come with
a Bluetooth receiver so I bought one from Amazon that uses CSR Harmony Stack Software.
I noticed it installed a lot of crap and decided to research it.

I found this post -

https://community.letsencrypt.org/t...s-weak-root-certificate-into-trust-store/1940

If the above is still true what risk is it to me?
Can I lessen the risk at all?
If not then would this constitute grounds for a refund?

Thanks in advance,

Rob
 

Read other answers
RELEVANCY SCORE 121.6

WinXP just notified me of a "Root Certificate Update"
What exactly is this and is it something I should go ahead and install?
 

A:Root Certificate Update

Yes, it's the updated security certificates for some sites and services.
 

Read other 3 answers
RELEVANCY SCORE 121.6

Hi there.
I have a laptop running XP Home. IE7 would not install ... and along with it, somethig called Root Certificate Update.
I did some Googling, and the places I found wanted me to find GPEDIT and GPMS.msc (spelling on that one could be wrong) but the computer said these did not exist.

I even successfully installed SP3. All other areas seem to be working fine. It just wil not install that root thing an IE7.

Please adivse.

Thank you.
Don in Tucson
AizA
 

A:IE6 and root certificate update

Have you tried installing the root certificate update separately from IE7? If you run a manual Windows Update and use the "Custom" update option, you can uncheck IE7 and leave the root certificate update selected. Then, install that update and see what happens.

Peace...
 

Read other 2 answers
RELEVANCY SCORE 121.6

Hi I am Junaid Yousaf from Pakistan, I am having trouble to update the Root Certificate to access a few online activities and to add I am unable to access Microsoft's Websites especially where I could download stuff, it says "Server not found" something which would only pop if my internet connection was dead which isn't the case.

Really glad for your help as followed I have taken the instructions I was pointed to on the forum.

DDS Log....

DDS (Ver_10-10-21.02) - NTFSx86
Run by Psio at 5:04:53.46 on Fri 10/22/2010
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_22
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2045.1341 [GMT 5:00]


============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\VMSnap3.EXE
C:\WINDOWS\Domino.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings... Read more

A:Root Certificate and Microsoft

Hello.

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

---------------------------------------------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Stay with me until given the 'all clear' even if symptoms diminish. Lack of symptoms does not always mean the job is complete.

Kindly follow my instructions and please do no fixing on your own or running of scanners unless requested by me or another helper at this forum.

---------------------------------------------------------------------------------------------

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Place combofix.exe on your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right... Read more

Read other 19 answers
RELEVANCY SCORE 121.6

We are configuring NSS domain.
I was able to import 2 ENTRUST certificates to NSS DB.
Root certificate failed to import
This is a command that I run

%NSS_HOME%\bin\certutil -A -n "entrustRoot" -t "T,C,C" -i C:\AppServer\certificaterequests\cacert.crt -d %AS_HOME%\domains\nssdomain\config

Then I run this command

%NSS_HOME%\bin\certutil -L -n entrustRoot -d %AS_HOME%\domains\nssdomain\config

Received this message

certutil: could not find : EntrustRoot.
:security libary: bad database


Please help

Thank you in advance

Read other answers
RELEVANCY SCORE 121.6

received email (windows Live, Sony Vaio,windows 7, IE vs 8 32 bit)
root
GTE Cyber...
Akamai...
*.createsend...

Security alert re certificate
Downloaded certificate
Cannot open email
cannot delete email
cannot get rid of security alert
tried reboot/restore and a million other things
click on email freezes email program
HELP me get rid of the email!
Tx
 

Read other answers
RELEVANCY SCORE 121.6

Hi Malwaretips Team,
could someone please help confirm whether the 2 certificates in the screenshot are normal, ie do you have them to
C:\SysinternalsSuite(1)>sigcheck -tv

Sigcheck v2.53 - File version and signature viewer
Copyright (C) 2004-2016 Mark Russinovich
Sysinternals - www.sysinternals.com





Listing valid certificates not rooted to the Microsoft Certificate Trust List:

Machine\FlightRoot:
Microsoft Development Root Certificate Authority 2014
Cert Status: Valid
Valid Usage: All
Cert Issuer: Microsoft Development Root Certificate Authority 2014
Serial Number: 07 8F 0A 9D 03 DF 11 9E 43 4E 4F EC 1B F0 23 5A
Thumbprint: F8DB7E1C16F1FFD4AAAD4AAD8DFF0F2445184AEB
Algorithm: sha256RSA
Valid from: 4:43 AM 29/05/2014
Valid to: 4:51 AM 29/05/2039
Machine\ROOT:
Microsoft Development Root Certificate Authority 2014
Cert Status: Valid
Valid Usage: All
Cert Issuer: Microsoft Development Root Certificate Authority 2014
Serial Number: 07 8F 0A 9D 03 DF 11 9E 43 4E 4F EC 1B F0 23 5A
Thumbprint: F8DB7E1C16F1FFD4AAAD4AAD8DFF0F2445184AEB
Algorithm: sha256RSA
Valid from: 4:43 AM 29/05/2014
Valid to: 4:51 AM 29/05/2039

Thank you for your time to help
My machine is scanned very regularly with Emsisoft Malwarebytes Avira and Windows Defender
and exhibits no weird behavior.
 

A:Root Certificate Confrmation

Would make sense if you're running Windows 10. Apparently, it was a bug in an earlier build with Edge.

Xiaoyin Liu on Twitter
 

Read other 1 answers
RELEVANCY SCORE 121.6

Hello,
Is there a Root Certificate Guru in the house?

Here is my problem.

First I should say I reinstalled Windows XP onto C drive and had my data located on D drive this helps for saving when I get hit with virus's or whatever else. After re-installing on C I try to access the files that I think I encrypted on D I can see them but I cannot copy or use them as I don't have permission to.? If I select the file then advanced properties I see the old me as the owner of the file.

I have tried to apply my root certificate to the files but when I try to add my certificate it will not allow me to?

Any help would be appreciatted. Thanks for reading
 

A:Root Certificate problems???

Read other 7 answers
RELEVANCY SCORE 120.4

My client (still on XP-SP3) cannot connect to any secure sites that rely on the Go Daddy root certificate, saying the certificate is corrupt or altered.
I went to the Go Daddy site and downloaded the .crt file and attempted to import it into the secure store but while the Cert Manager reported success, nothing changed that I can tell. The cert is still considered corrupt and the user cannot access certain websites, such as dropbox.com and others.
I have been working in IT for years but have no experience with this particular type of problem   Any help would be greatly appreciated.

A:Go Daddy Root Certificate is corrupt

See http://help.smugmug.com/customer/portal/articles/84385-how-do-i-install-the-godaddy-root-certificate-in-windows- .
 
Louis

Read other 3 answers
RELEVANCY SCORE 120.4

My friend (still on XP-SP3) cannot connect to any secure sites that rely on the Go Daddy root certificate, saying the certificate is corrupt or altered.
I went to the Go Daddy site and downloaded the .crt file and attempted to import it into the secure store but while the Cert Manager reported success, nothing changed that I can tell. The cert is still considered corrupt and the user cannot access certain websites, such as dropbox.com and others.
I have been working in IT for years but have no experience with this particular type of problem Any help would be greatly appreciated.
 

A:Go Daddy Root Certificate is corrupt

One thing I alway check when there are any cert problems is the time and date of the machine. Although I never encountered a corruption problem. A bad date on the machine will render a certificate invalid.
 

Read other 2 answers