Root certificates I think are the problem. How do I fix it?

When navigating to a URL like Google and Yahoo, when my users need to log in they get the following.

"  There is a problem with this website's security certificate.
 The security certificate presented by this website was not issued by a trusted certificate authority.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.  
  We recommend that you close this webpage and do not continue to this website.  
  Click here to close this webpage.  
  Continue to this website (not recommended).  
     More information

If you arrived at this page by clicking a link, check the website address in the address bar to be sure that it is the address you were expecting.
When going to a website with an address such as, try adding the 'www' to the address,
If you choose to ignore this error and continue, do not enter private information into the website.

For more information, see "Certificate Errors" in Internet Explorer Help."

I am assuming it is a root certificate issue on my side since it is from major sites like Google and Yahoo. How can I correct this?

Server 2003, XP workstations.
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
> I can say that the issuer is showing to be our Proxy.

Okay, this line puts me out of my depths.  I don't think you want to start installing certificates on your local CA -- but you are doing something outside my experience.  I suspect the problem you are experiencing will be an issue which could be encountered by anyone using a similar proxy system.  I understand the security concerns, so will only ask and let you decide whether you can answer -- "What is the proxy product you are using?"  It may help track down what needs to be configured on your system.  (But like I said, once we get into web proxy systems... it's been a decade since I've looked at one.)

But, because the issuer of the certificate for Google/Yahoo are showing to be your proxy server... I strongly suspect that's leading us towards the root of the problem.  (And it may be that you need to configure the machines behind the proxy to trust your proxy's certificate as a trusted root... I'd like to see the proxy vendor say that, and give recommendations on how best to roll that out without security implications.)
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
From one machine, go ahead to the websites, then find the 'lock' in your browser, and look at the certificate issued.  Look to see who issued these certificates... there are two possibilities:

1. Your users are missing a root certificate update.  For example, for IE, and other windows software:

2. There is something more nefarious going on, and it's the exact sort of nefarious activity these certificates are in place to warn you about, and messages like this are the warning...
Check the computer date whether it is correct.

Thank you for the responses. The dates and times are correct. The download of the root certificates did not work either. What's the next possibility? Could there be something in Group Policy or could there be a security setting goofing it up?
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
Did you view the certificate(s) that are giving the error?  It may give us a clue as to why you are getting the messages.
Looking into this more I have been trying to figure out the "certutil" command on the DC. First of all I tried

"certutil -viewstore my"
The certificate store is empty.

"certutil -getreg"
-getreg command failed: 0x80070002 ,win32; 2
the system cannot find the file specified.

"certutil -getconfig"
The system cannot find the file specified.

C:\Documents and Settings\DCADMIN>certutil -DCinfo

*** Testing DC[0]: DCNAME
** Enterprise Root Certificates for DC DCNAME
No certs in Ent Root store!
** KDC Certificates for DC DCNAME
0 KDC certs for DCNAME
No KDC Certificate in MY store
KDC certificates: Cannot find object or property. 0x80092004 (-2146885628)

CertUtil: -DCInfo command FAILED: 0x80092004 (-2146885628)
CertUtil: Cannot find object or property.


This is all new waters for me when it comes to this issue so I may be totally looking in the wrong direction when troubleshooting this, but I thought the extra info may be useful.

Try erasing the contents of windows\system32\catroot2
Do a backup of this folder before deleting.
Make sure you are inside "catroot2" not "catroot".
Then reinstall the root certificates updates.

Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) commented:
If I understand correctly... when you go to https:\\ you are getting a certificate error... and asking if you want to continue to the web page... go ahead and let it take you to the page.

Click on the name of the page to the left of the address.  (See graphic... in the red oval.)  Tell it to give you more details.
Which will be the second graphic attached.  We want to look at the certificate, and see what step up the chain is failing.  That should even tell you which root certificate might not be working for you.
Thanks again for the responses. I should have mentioned that it is Internet Explorer. Either way I see what you're getting at in the IE equivalent. On the Certificate details the only thing that stands out may be the Issuer.

Due to security concerns I am not able to quote the exact certificate, but I can say that the issuer is showing to be our Proxy. (We run this part of the network on a VPN.)

example is
Issuer  (  

This certificate says it is valid on the certificate details. When I try to install it via Internet Explorer it is saying the install was successful; however, it clearly is not working.

In IE when I select the "certificate error" box next to the URL box I do see an "Untrusted Certificate error". This is the same box where the "View certificate" option is found, and "About certificate errors" is an option to select. In "About certificate errors" it says the following.

This website's security certificate is not from a trusted source.

This error occurs when the certificate has been issued by a certification authority that is not recognized by Internet Explorer. It is unlikely that this error will occur on a legitimate business or banking site. Phishing sites often attempt to use fake certificates that will trigger this error.

As disturbing as that sounds, I am not sure my issue is that drastic; I think it is a misconfiguration on the Domain Controller. Do I need to add the "Issuer" in somewhere, either locally or on the Domain side? How do I find out if this is kosher or not?
K so I have imported (or attempted to) the certificate onto the DC. using

I am still receiving the same issue.

On the DC, in MMC Certificates (Local Computer)\Certificate Enrollment requests, the certificate in question under "Certificate Path/ Certificate Status" states "The Issuer of this certificate could not be found."

This might be the issue as well. When attempting to open Certificate Authority on the DC I receive an error also.

"Cannot manage Certificate services. The specified service does not exist as an installed service. 0x424 (WIN32; 1060)"

Before I get ahead of myself... could this be the issue?
Partially correct; the solution was there, however it only steers me in the right direction to the solution of getting the certificate from the Issuer.
Question has a verified solution.
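
As an added example that is not part of the original thread: one way to check and install the proxy's CA certificate in the Trusted Root store with certutil, the tool already used above on the DC. The file path is a placeholder, and the script assumes the file is the CA certificate exported from the proxy itself, not a site certificate saved from the browser warning. Trusting this root lets the proxy vouch for any HTTPS site, so the hash comparison in step 1 should be done against a value obtained from the proxy directly.

```bat
@echo off
rem Added example, not from the thread. PROXY_CA is a placeholder path to the
rem CA certificate exported from the proxy (assumption), not a site certificate.
setlocal
set PROXY_CA=C:\temp\proxy-ca.cer

rem 1. Inspect the file before trusting it. For a root CA the Issuer and
rem    Subject are identical and Basic Constraints shows "Subject Type=CA".
rem    Compare the "Cert Hash(sha1)" line with the fingerprint shown on the
rem    proxy itself. Press Ctrl+C at the pause if they do not match.
certutil -dump "%PROXY_CA%"
pause

rem 2. Try to build the chain. A self-signed root that is not yet trusted is
rem    reported as untrusted here, which is expected before step 3.
certutil -verify "%PROXY_CA%"

rem 3a. Single machine: add the certificate to the Local Machine "Root" store
rem     (Trusted Root Certification Authorities). The "My" store and the
rem     Certificate Enrollment Requests folder do not establish trust.
certutil -addstore -f Root "%PROXY_CA%"
if errorlevel 1 (
    echo Import failed, trust store left unchanged.
    endlocal
    exit /b 1
)

rem 3b. Whole domain: publish the root to Active Directory instead, so domain
rem     members pick it up on policy refresh. Requires Enterprise Admin rights.
rem     Uncomment to use:
rem certutil -dspublish -f "%PROXY_CA%" RootCA
rem gpupdate /force

rem 4. Confirm the certificate is now listed in the Root store, then re-run
rem    step 2: the chain should verify without the untrusted-root error.
certutil -store Root
certutil -verify "%PROXY_CA%"
endlocal
```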
