  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1347

Root certificates I think are the problem. How do I fix it?

When navigating to a URL like Google and Yahoo, when my users need to log in they get the following.

-------------------------------------------------------------------------------------------------------------------------------------
"  There is a problem with this website's security certificate.
 
   
 The security certificate presented by this website was not issued by a trusted certificate authority.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.  
  We recommend that you close this webpage and do not continue to this website.  
  Click here to close this webpage.  
  Continue to this website (not recommended).  
     More information


If you arrived at this page by clicking a link, check the website address in the address bar to be sure that it is the address you were expecting.
When going to a website with an address such as https://example.com, try adding the 'www' to the address, https://www.example.com.
If you choose to ignore this error and continue, do not enter private information into the website.

For more information, see "Certificate Errors" in Internet Explorer Help."
---------------------------------------------------------------------------------------------------------------------------------------

I am assuming it is a root certificate issue on my side since it is from major sites like Google and Yahoo. How can I correct this?

Server 2003, XP workstations.
Asked:
BLEEPINGNETWORK
1 Solution
 
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) Commented:
From one machine, go ahead to the websites, then find the 'lock' in your browser, and look at the certificate issued.  Look to see who issued these certificates... there are two possibilities:

1. Your users are missing a root certificate update.  For example, for IE, and other Windows software: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e4f9b573-66d7-4dda-95d5-26c7d0f6c652&displaylang=en

2. There is something more nefarious going on, and it's the exact sort of nefarious activity these certificates are in place to warn you about, and messages like this are the warning...

anass_f Commented:
Check whether the computer date is correct.

EL FARAH Anass.

BLEEPINGNETWORK (Author) Commented:
Thank you for the responses. The dates and times are correct. The download of the root certificates did not work either. What's the next possibility? Could there be something in Group Policy or could there be a security setting goofing it up?
 
Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) Commented:
Did you view the certificate(s) that are giving the error?  It may give us a clue as to why you are getting the messages.

BLEEPINGNETWORK (Author) Commented:
Looking into this more I have been trying to figure out the "certutil" command on the DC. First of all I tried

"certutil -viewstore my"
The certificate store is empty.

"certutil -getreg"
-getreg command failed: 0x80070002 ,win32; 2
the system cannot find the file specified.

"certutil -getconfig"
The system cannot find the file specified.

C:\Documents and Settings\DCADMIN>certutil -DCinfo
0: DCNAME

*** Testing DC[0]: DCNAME
** Enterprise Root Certificates for DC DCNAME
No certs in Ent Root store!
** KDC Certificates for DC DCNAME
0 KDC certs for DCNAME
No KDC Certificate in MY store
KDC certificates: Cannot find object or property. 0x80092004 (-2146885628)

CertUtil: -DCInfo command FAILED: 0x80092004 (-2146885628)
CertUtil: Cannot find object or property.


----------------------------------------------------------------------------------------------------------

This is all new waters for me when it comes to this issue, so I may be totally looking in the wrong direction when troubleshooting this, but I thought the extra info may be useful.


anass_f Commented:
Try erasing the contents of windows\system32\catroot2
Do a backup of this folder before deleting.
Make sure you are inside "catroot2" not "catroot".
Then reinstall the root certificates updates.

EL FARAH Anass.

Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) Commented:
If I understand correctly... when you go to https:\\www.google.com you are getting a certificate error... and asking if you want to continue to the web page... go ahead and let it take you to the page.

Click on the name of the page to the left of the address.  (See graphic... in the red oval.)  Tell it to give you more details.
Which will be the second graphic attached.  We want to look at the certificate, and see what step up the chain is failing.  That should even tell you which root certificate might not be working for you.
googlecert1.JPG
googlecert2.JPG
googlecert3.JPG
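
One way to see which step up the chain is failing without clicking through the browser dialogs (an added example, not part of the thread). It assumes PowerShell is installed on the workstation and that the certificate the browser showed has been saved to a file; the function name and the file path are hypothetical.

```powershell
# Added example, not from the thread. Assumes the certificate shown by IE was
# exported to a file; the path at the bottom is a hypothetical placeholder.
function Test-PresentedCertificate {
    param([Parameter(Mandatory = $true)][string]$Path)

    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip revocation so the result reflects trust and validity dates only.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)

    # One row per certificate Windows could place in the chain, leaf first.
    $depth = 0
    foreach ($element in $chain.ChainElements) {
        $flags = @($element.ChainElementStatus | ForEach-Object { $_.Status.ToString() })
        New-Object PSObject -Property @{
            Depth   = $depth
            Subject = $element.Certificate.Subject
            Issuer  = $element.Certificate.Issuer
            Status  = if ($flags.Count -gt 0) { $flags -join ', ' } else { 'OK' }
        }
        $depth++
    }

    # Map the overall result onto the causes raised in the thread.
    $all = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
    if ($trusted) {
        Write-Host 'Chain builds to a root this machine trusts.'
    } elseif ($all -contains 'NotTimeValid') {
        Write-Host 'A certificate is outside its validity period: check the clock.'
    } elseif ($all -contains 'PartialChain') {
        Write-Host 'Issuer certificate not found in any store on this machine.'
    } elseif ($all -contains 'UntrustedRoot') {
        Write-Host 'Chain ends in a root that is not in Trusted Root Certification Authorities.'
    } else {
        Write-Host ('Chain failed: ' + ($all -join ', '))
    }
}

Test-PresentedCertificate -Path 'C:\temp\presented.cer' |
    Format-Table Depth, Subject, Issuer, Status -AutoSize
```

The Issuer column of the first row is the name to compare against the public CA you would expect for the site.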

BLEEPINGNETWORK (Author) Commented:
Thanks again for the responses. I should have mentioned that it is Internet Explorer. Either way I see what you're getting at in the IE equivalent. On the Certificate details the only thing that stands out may be the Issuer.

Due to security concerns I am not able to quote the exact certificate, but I can say that the issuer is showing to be our Proxy. (We run this part of the network on a VPN.)

example is
Issuer  (ssl-PhysicalLocationName.Region.Area.xxx))  

This certificate says it is valid on the certificate details. When I try to install it via Internet Explorer it is saying the install was successful; however, it clearly is not working.

In IE when I select the "certificate error" box next to the URL box I do see an "Untrusted Certificate error". This is the same box where the "View certificate" option is found, and "About certificate errors" is an option to select. In "About certificate errors" it says the following.

----------------------------------------------------------------------------------------------------------------------------------
This website's security certificate is not from a trusted source.

This error occurs when the certificate has been issued by a certification authority that is not recognized by Internet Explorer. It is unlikely that this error will occur on a legitimate business or banking site. Phishing sites often attempt to use fake certificates that will trigger this error.
---------------------------------------------------------------------------------------------------------------------

As disturbing as that sounds, I am not sure my issue is that drastic; I think it is a misconfiguration on the Domain Controller. Do I need to add the "Issuer" in somewhere either locally or on the Domain side? How do I find out if this is kosher or not?

BLEEPINGNETWORK (Author) Commented:
K, so I have imported (or attempted to) the certificate onto the DC using http://support.microsoft.com/kb/295663

I am still receiving the same issue.


BLEEPINGNETWORK (Author) Commented:
On the DC, in MMC Certificates (Local Computer)\Certificate Enrollment requests, the certificate in question under "Certificate Path / Certificate Status" states "The Issuer of this certificate could not be found."

Grrrr

BLEEPINGNETWORK (Author) Commented:
This might be the issue as well. When attempting to open Certificate Authority on the DC I receive an error also.

"Cannot manage Certificate services. The specified service does not exist as an installed service. 0x424 (WIN32; 1060)"

Before I get ahead of myself... could this be the issue?

Rich Weissler (Professional Troublemaker^h^h^h^h^hshooter) Commented:
> I can say that the issuer is showing to be our Proxy.

Okay, this line puts me out of my depths.  I don't think you want to start installing certificates on your local CA -- but you are doing something outside my experience.  I suspect the problem you are experiencing will be an issue which could be encountered by anyone using a similar proxy system.  I understand the security concerns, so will only ask and let you decide whether you can answer -- "What is the proxy product you are using?"  It may help track down what needs to be configured on your system.  (But like I said, once we get into web proxy systems... it's been a decade since I've looked at one.)

But, because the issuer of the certificate for Google/Yahoo is showing to be your proxy server... I strongly suspect that's leading us towards the root of the problem.  (And it may be that you need to configure the machines behind the proxy to trust your proxy's certificate as a trusted root... I'd like to see the proxy vendor say that, and give recommendations on how best to roll that out without security implications.)

BLEEPINGNETWORK (Author) Commented:
Partially correct; the solution was there, however it only steers me in the right direction to the solution of getting the certificate from the Issuer.