Root certificates I think are the problem. How do I fix it?

Posted on 2010-09-10
Last Modified: 2012-08-14
When navigating to a URL like Google and Yahoo, when my users need to log in they get the following.

"  There is a problem with this website's security certificate.
 The security certificate presented by this website was not issued by a trusted certificate authority.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.  
  We recommend that you close this webpage and do not continue to this website.  
  Click here to close this webpage.  
  Continue to this website (not recommended).  
     More information

If you arrived at this page by clicking a link, check the website address in the address bar to be sure that it is the address you were expecting.
When going to a website with an address such as, try adding the 'www' to the address,
If you choose to ignore this error and continue, do not enter private information into the website.

For more information, see "Certificate Errors" in Internet Explorer Help."

I am assuming it is a root certificate issue on my side since it is from major sites like Google and Yahoo. How can I correct this?

Server 2003, XP workstations.
LVL 29

Expert Comment

by:Rich Weissler
ID: 33646599
From one machine, go ahead to the websites, then find the 'lock' in your browser, and look at the certificate issued.  Look to see who issued these certificates... there are two possibilities:

1. Your users are missing a root certificate update.  For example, for IE, and other Windows software:

2. There is something more nefarious going on, and it's the exact sort of nefarious activity these certificates are in place to warn you about, and messages like this are the warning...

Expert Comment

ID: 33654558
Check whether the computer date is correct.


Author Comment

ID: 33659977
Thank you for the responses. The dates and times are correct. The download of the root certificates did not work either. What's the next possibility? Could there be something in Group Policy or could there be a security setting goofing it up?
LVL 29

Expert Comment

by:Rich Weissler
ID: 33660370
Did you view the certificate(s) that are giving the error?  It may give us a clue as to why you are getting the messages.

Author Comment

ID: 33661234
Looking into this more I have been trying to figure out the "certutil" command on the DC. First of all I tried

"certutil -viewstore my"
The certificate store is empty.

"certutil -getreg"
-getreg command failed: 0x80070002 ,win32; 2
the system cannot find the file specified.

"certutil -getconfig"
The system cannot find the file specified.

C:\Documents and Settings\DCADMIN>certutil -DCinfo

*** Testing DC[0]: DCNAME
** Enterprise Root Certificates for DC DCNAME
No certs in Ent Root store!
** KDC Certificates for DC DCNAME
0 KDC certs for DCNAME
No KDC Certificate in MY store
KDC certificates: Cannot find object or property. 0x80092004 (-2146885628)

CertUtil: -DCInfo command FAILED: 0x80092004 (-2146885628)
CertUtil: Cannot find object or property.


This is all new waters for me when it comes to this issue, so I may be totally looking in the wrong direction when troubleshooting this, but I thought the extra info may be useful.


Expert Comment

ID: 33661251
Try erasing the contents of windows\system32\catroot2
Do a backup of this folder before deleting.
Make sure you are inside "catroot2" not "catroot".
Then reinstall the root certificates updates.


LVL 29

Expert Comment

by:Rich Weissler
ID: 33661544
If I understand correctly... when you go to https:\\ you are getting a certificate error... and asking if you want to continue to the web page... go ahead and let it take you to the page.

Click on the name of the page to the left of the address.  (See graphic... in the red oval.)  Tell it to give you more details.
Which will be the second graphic attached.  We want to look at the certificate, and see what step up the chain is failing.  That should even tell you which root certificate might not be working for you.

Author Comment

ID: 33669625
Thanks again for the responses. I should have mentioned that it is Internet Explorer. Either way I see what you're getting at in the IE equivalent. On the Certificate details the only thing that stands out may be the Issuer.

Due to security concerns I am not able to quote the exact certificate, but I can say that the issuer is showing to be our Proxy. (We run this part of the network on a VPN.)

example is
Issuer  (  

This certificate says it is valid on the certificate details. When I try to install it via Internet Explorer it is saying the install was successful; however, it clearly is not working.

In IE when I select the "certificate error" box next to the URL box I do see an "Untrusted Certificate error". This is the same box where the "View certificate" option is found, and "About certificate errors" is an option to select. In "About certificate errors" it says the following.

This website's security certificate is not from a trusted source.

This error occurs when the certificate has been issued by a certification authority that is not recognized by Internet Explorer. It is unlikely that this error will occur on a legitimate business or banking site. Phishing sites often attempt to use fake certificates that will trigger this error.

As disturbing as that sounds, I am not sure my issue is that drastic; I think it is a misconfiguration on the Domain Controller. Do I need to add the "Issuer" in somewhere either locally or on the Domain side? How do I find out if this is kosher or not?

Author Comment

ID: 33669875
K so I have imported (or attempted to) the certificate onto the DC. using

I am still receiving the same issue.


Author Comment

ID: 33669912
On the DC, in MMC Certificates (Local Computer)\Certificate Enrollment Requests, the certificate in question under "Certificate Path / Certificate Status" states "The Issuer of this certificate could not be found."


Author Comment

ID: 33669934
This might be the issue as well. When attempting to open Certificate Authority on the DC I receive an error also.

"Cannot manage Certificate services. The specified service does not exist as an installed service. 0x424 (WIN32; 1060)"

Before I get ahead of myself... could this be the issue?
LVL 29

Accepted Solution

Rich Weissler earned 500 total points
ID: 33673087
> I can say that the issuer is showing to be our Proxy.

Okay, this line puts me out of my depth.  I don't think you want to start installing certificates on your local CA -- but you are doing something outside my experience.  I suspect the problem you are experiencing will be an issue which could be encountered by anyone using a similar proxy system.  I understand the security concerns, so will only ask and let you decide whether you can answer -- "What is the proxy product you are using?"  It may help track down what needs to be configured on your system.  (But like I said, once we get into web proxy systems... it's been a decade since I've looked at one.)

But, because the issuer of the certificate for Google/Yahoo is showing to be your proxy server... I strongly suspect that's leading us towards the root of the problem.  (And it may be that you need to configure the machines behind the proxy to trust your proxy's certificate as a trusted root... I'd like to see the proxy vendor say that, and give recommendations on how best to roll that out without security implications.)

Author Closing Comment

ID: 33883422
Partially correct; the solution was there, however it only steers me in the right direction to the solution of getting the certificate from the Issuer.
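
The diagnostic this thread converged on (read the certification path for each failing site and see what it chains up to), written out as an added example that is not part of the original thread. The host names, CA names and `TRUSTED_ROOTS` set are constructed stand-ins for what the browser's certificate viewer and the client's root store would show.

```python
from collections import defaultdict

# Constructed sample: leaf-first (subject, issuer) pairs per site, as read off
# the browser's certification-path view. Every name here is made up.
OBSERVED = {
    "mail.search.example": [
        ("CN=mail.search.example", "CN=Proxy Inspection CA (hypothetical)"),
    ],
    "login.portal.test": [
        ("CN=login.portal.test", "CN=Proxy Inspection CA (hypothetical)"),
    ],
    "www.bank.invalid": [
        ("CN=www.bank.invalid", "CN=Public Issuing CA"),
        ("CN=Public Issuing CA", "CN=Public Root CA"),
    ],
}
TRUSTED_ROOTS = {"CN=Public Root CA"}  # stand-in for the client's root store


def chain_anchor(chain):
    """Walk a leaf-first chain and return the name it finally chains up to."""
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return issuer  # chain is broken here; this issuer is missing
    return chain[-1][1]


def site_group(host):
    """Crude 'same site' key: the last two DNS labels (a simplification)."""
    return ".".join(host.lower().split(".")[-2:])


def diagnose(observed, trusted_roots):
    """Group sites by untrusted anchor and say what each grouping suggests."""
    by_anchor = defaultdict(set)
    for host, chain in observed.items():
        anchor = chain_anchor(chain)
        if anchor not in trusted_roots:
            by_anchor[anchor].add(site_group(host))
    findings = {}
    for anchor, sites in by_anchor.items():
        # One unknown issuer signing for unrelated sites means something in
        # the path re-signs traffic: an inspecting proxy, or an interceptor.
        many = len(sites) > 1
        findings[anchor] = "re-signing-intermediary" if many else "unknown-issuer"
    return findings


if __name__ == "__main__":
    for anchor, verdict in diagnose(OBSERVED, TRUSTED_ROOTS).items():
        print(f"{verdict}: {anchor}")
```

A `re-signing-intermediary` verdict is the situation described above, where the issuer for both Google and Yahoo turned out to be the proxy; whether that issuer should become a trusted root is a question for whoever operates the proxy.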


Question has a verified solution.
