Solved

root certificates I think are the problem. how do I fix it?

Posted on 2010-09-10
Last Modified: 2012-08-14
When navigating to a URL like Google and Yahoo, when my users need to log in they get the following.

-------------------------------------------------------------------------------------------------------------------------------------
"There is a problem with this website's security certificate.

The security certificate presented by this website was not issued by a trusted certificate authority.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.
We recommend that you close this webpage and do not continue to this website.
Click here to close this webpage.
Continue to this website (not recommended).
More information

If you arrived at this page by clicking a link, check the website address in the address bar to be sure that it is the address you were expecting.
When going to a website with an address such as https://example.com, try adding the 'www' to the address, https://www.example.com.
If you choose to ignore this error and continue, do not enter private information into the website.

For more information, see "Certificate Errors" in Internet Explorer Help."
---------------------------------------------------------------------------------------------------------------------------------------

I am assuming it is a root certificate issue on my side since it is from major sites like Google and Yahoo. How can I correct this?

Server 2003, XP workstations.
Question by:BLEEPINGNETWORK
13 Comments
 
LVL 29

Expert Comment

by:Rich Weissler
ID: 33646599
From one machine, go ahead to the websites, then find the 'lock' in your browser, and look at the certificate issued.  Look to see who issued these certificates... there are two possibilities:

1. Your users are missing a root certificate update.  For example, for IE and other Windows software: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=e4f9b573-66d7-4dda-95d5-26c7d0f6c652&displaylang=en

2. There is something more nefarious going on, and it's the exact sort of nefarious activity these certificates are in place to warn you about, and messages like this are the warning...
0
 
LVL 1

Expert Comment

by:anass_f
ID: 33654558
Check whether the computer date is correct.

EL FARAH Anass.
0
 
LVL 1

Author Comment

by:BLEEPINGNETWORK
ID: 33659977
Thank you for the responses. The dates and times are correct. The download of the root certificates did not work either. What's the next possibility? Could there be something in Group Policy or could there be a security setting goofing it up?
0
 
LVL 29

Expert Comment

by:Rich Weissler
ID: 33660370
Did you view the certificate(s) that are giving the error?  It may give us a clue as to why you are getting the messages.
0
 
LVL 1

Author Comment

by:BLEEPINGNETWORK
ID: 33661234
Looking into this more I have been trying to figure out the "certutil" command on the DC. First of all I tried

"certutil -viewstore my"
The certificate store is empty.

"certutil -getreg"
-getreg command failed: 0x80070002 ,win32; 2
the system cannot find the file specified.

"certutil -getconfig"
The system cannot find the file specified.

C:\Documents and Settings\DCADMIN>certutil -DCinfo
0: DCNAME

*** Testing DC[0]: DCNAME
** Enterprise Root Certificates for DC DCNAME
No certs in Ent Root store!
** KDC Certificates for DC DCNAME
0 KDC certs for DCNAME
No KDC Certificate in MY store
KDC certificates: Cannot find object or property. 0x80092004 (-2146885628)

CertUtil: -DCInfo command FAILED: 0x80092004 (-2146885628)
CertUtil: Cannot find object or property.


----------------------------------------------------------------------------------------------------------

This is all new waters for me when it comes to this issue, so I may be totally looking in the wrong direction when troubleshooting this, but I thought the extra info may be useful.

0
 
LVL 1

Expert Comment

by:anass_f
ID: 33661251
Try erasing the contents of windows\system32\catroot2
Do a backup of this folder before deleting.
Make sure you are inside "catroot2" not "catroot".
Then reinstall the root certificates updates.

EL FARAH Anass.
0
 
LVL 29

Expert Comment

by:Rich Weissler
ID: 33661544
If I understand correctly... when you go to https://www.google.com you are getting a certificate error... and asking if you want to continue to the web page... go ahead and let it take you to the page.

Click on the name of the page to the left of the address.  (See graphic... in the red oval.)  Tell it to give you more details.
Which will be the second graphic attached.  We want to look at the certificate, and see what step up the chain is failing.  That should even tell you which root certificate might not be working for you.
googlecert1.JPG
googlecert2.JPG
googlecert3.JPG
0
 
LVL 1

Author Comment

by:BLEEPINGNETWORK
ID: 33669625
Thanks again for the responses. I should have mentioned that it is Internet Explorer. Either way I see what you're getting at in the IE equivalent. On the Certificate details the only thing that stands out may be the Issuer.

Due to security concerns I am not able to quote the exact certificate, but I can say that the issuer is showing to be our Proxy. (We run this part of the network on a VPN.)

example is
Issuer  (ssl-PhysicalLocationName.Region.Area.xxx))  

This certificate says it is valid on the certificate details. When I try to install it via Internet Explorer it is saying the install was successful, however it clearly is not working.

In IE when I select the "certificate error" box next to the URL box I do see an "Untrusted Certificate error". This is the same box where the "View certificate" option is found, and "About certificate errors" is an option to select. In "About certificate errors" it says the following.

----------------------------------------------------------------------------------------------------------------------------------
This website's security certificate is not from a trusted source.

This error occurs when the certificate has been issued by a certification authority that is not recognized by Internet Explorer. It is unlikely that this error will occur on a legitimate business or banking site. Phishing sites often attempt to use fake certificates that will trigger this error.
---------------------------------------------------------------------------------------------------------------------

As disturbing as that sounds, I am not sure my issue is that drastic; I think it is a misconfiguration on the Domain Controller. Do I need to add the "Issuer" in somewhere either locally or on the Domain side? How do I find out if this is Kosher or not?
0
 
LVL 1

Author Comment

by:BLEEPINGNETWORK
ID: 33669875
K so I have imported (or attempted to) the certificate onto the DC using http://support.microsoft.com/kb/295663

I am still receiving the same issue.

0
 
LVL 1

Author Comment

by:BLEEPINGNETWORK
ID: 33669912
On the DC, in MMC Certificates (Local Computer)\Certificate Enrollment requests, the certificate in question under "Certificate Path / Certificate Status" states "The Issuer of this certificate could not be found."

Grrrr
0
 
LVL 1

Author Comment

by:BLEEPINGNETWORK
ID: 33669934
This might be the issue as well. When attempting to open Certificate Authority on the DC I receive an error also.

"Cannot manage Certificate services. The specified service does not exist as an installed service. 0x424 (WIN32; 1060)"

Before I get ahead of myself... could this be the issue?
0
 
LVL 29

Accepted Solution

by:
Rich Weissler earned 500 total points
ID: 33673087
> I can say that the issuer is showing to be our Proxy.

Okay, this line puts me out of my depths.  I don't think you want to start installing certificates on your local CA -- but you are doing something outside my experience.  I suspect the problem you are experiencing will be an issue which could be encountered by anyone using a similar proxy system.  I understand the security concerns, so will only ask and let you decide whether you can answer -- "What is the proxy product you are using?"  It may help track down what needs to be configured on your system.  (But like I said, once we get into web proxy systems... it's been a decade since I've looked at one.)

But, because the issuer of the certificate for Google/Yahoo is showing to be your proxy server... I strongly suspect that's leading us towards the root of the problem.  (And it may be that you need to configure the machines behind the proxy to trust your proxy's certificate as a trusted root... I'd like to see the proxy vendor say that, and give recommendations on how best to roll that out without security implications.)
0
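The diagnosis reached in this answer (follow each chain to the step that fails, and notice that unrelated sites share one untrusted issuer), as an added example that is not part of the original thread. It runs on constructed certificate records with a simplified name-based chain walk; the issuer names, host list and the `build_chain` / `find_interception` helpers are hypothetical.

```python
# Added illustration on constructed data. Chaining here is by name only;
# a real validator also checks signatures, validity dates and key usage.
from collections import defaultdict

PROXY_CA = "CN=ssl-proxy.example.internal"   # constructed stand-in for the redacted issuer
PUBLIC_ROOT = "CN=Example Public Root CA"    # constructed public root

# host -> certificates presented by the server, leaf first (constructed samples)
OBSERVED = {
    "www.google.com":  [{"subject": "CN=www.google.com",  "issuer": PROXY_CA}],
    "login.yahoo.com": [{"subject": "CN=login.yahoo.com", "issuer": PROXY_CA}],
    "www.example.org": [
        {"subject": "CN=www.example.org", "issuer": "CN=Example Issuing CA"},
        {"subject": "CN=Example Issuing CA", "issuer": PUBLIC_ROOT},
    ],
}
CLIENT_ROOTS = {PUBLIC_ROOT}                 # what the workstation trusts today


def build_chain(presented, trusted_roots):
    """Walk issuer links from the leaf. Returns (chain, failing_issuer or None)."""
    by_subject = {c["subject"]: c for c in presented}
    cert = presented[0]
    chain, seen = [cert["subject"]], {cert["subject"]}
    while True:
        issuer = cert["issuer"]
        if issuer in trusted_roots:          # reached a trust anchor
            return chain + [issuer], None
        nxt = by_subject.get(issuer)
        if nxt is None or issuer in seen:    # issuer not supplied, or untrusted self-signed
            return chain, issuer
        chain.append(issuer)
        seen.add(issuer)
        cert = nxt


def find_interception(observations, trusted_roots):
    """Map each untrusted issuer to the hosts whose chain breaks at it."""
    broken = defaultdict(list)
    for host, presented in observations.items():
        _, failing = build_chain(presented, trusted_roots)
        if failing:
            broken[failing].append(host)
    # One untrusted issuer signing unrelated sites points at a TLS-inspecting proxy.
    return {iss: sorted(hosts) for iss, hosts in broken.items() if len(hosts) > 1}


if __name__ == "__main__":
    print("before:", find_interception(OBSERVED, CLIENT_ROOTS))
    print("after trusting proxy CA:", find_interception(OBSERVED, CLIENT_ROOTS | {PROXY_CA}))
```

The second call models the workstation after the proxy's CA certificate, obtained from whoever operates the proxy and checked against their published fingerprint, has been added to the trusted roots.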
 
LVL 1

Author Closing Comment

by:BLEEPINGNETWORK
ID: 33883422
Partially correct; the solution was there, however it only steers me in the right direction to the solution of getting the certificate from the Issuer.
0
