

Root certificates I think are the problem. How do I fix it?

Posted on 2010-09-10
Medium Priority
Last Modified: 2012-08-14
When navigating to a URL like Google and Yahoo, when my users need to log in they get the following.

"  There is a problem with this website's security certificate.
 The security certificate presented by this website was not issued by a trusted certificate authority.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.  
  We recommend that you close this webpage and do not continue to this website.  
  Click here to close this webpage.  
  Continue to this website (not recommended).  
     More information

If you arrived at this page by clicking a link, check the website address in the address bar to be sure that it is the address you were expecting.
When going to a website with an address such as, try adding the 'www' to the address,
If you choose to ignore this error and continue, do not enter private information into the website.

For more information, see "Certificate Errors" in Internet Explorer Help."

I am assuming it is a root certificate issue on my side since it is from major sites like Google and Yahoo. How can I correct this?

Server 2003, XP workstations.
LVL 30

Expert Comment

by:Rich Weissler
ID: 33646599
From one machine, go ahead to the websites, then find the 'lock' in your browser, and look at the certificate issued.  Look to see who issued these certificates... there are two possibilities:

1. Your users are missing a root certificate update.  For example, for IE, and other Windows software:

2. There is something more nefarious going on, and it's the exact sort of nefarious activity these certificates are in place to warn you about, and messages like this are the warning...

Expert Comment

ID: 33654558
Check whether the computer date is correct.


Author Comment

ID: 33659977
Thank you for the responses. The dates and times are correct. The download of the root certificates did not work either. What's the next possibility? Could there be something in Group Policy or could there be a security setting goofing it up?

LVL 30

Expert Comment

by:Rich Weissler
ID: 33660370
Did you view the certificate(s) that are giving the error?  It may give us a clue as to why you are getting the messages.

Author Comment

ID: 33661234
Looking into this more I have been trying to figure out the "certutil" command on the DC. First of all I tried

"certutil -viewstore my"
The certificate store is empty.

"certutil -getreg"
-getreg command failed: 0x80070002 ,win32; 2
the system cannot find the file specified.

"certutil -getconfig"
The system cannot find the file specified.

C:\Documents and Settings\DCADMIN>certutil -DCinfo

*** Testing DC[0]: DCNAME
** Enterprise Root Certificates for DC DCNAME
No certs in Ent Root store!
** KDC Certificates for DC DCNAME
0 KDC certs for DCNAME
No KDC Certificate in MY store
KDC certificates: Cannot find object or property. 0x80092004 (-2146885628)

CertUtil: -DCInfo command FAILED: 0x80092004 (-2146885628)
CertUtil: Cannot find object or property.


This is all new waters for me when it comes to this issue, so I may be totally looking in the wrong direction when troubleshooting this, but I thought the extra info may be useful.


Expert Comment

ID: 33661251
Try erasing the contents of windows\system32\catroot2
Do a backup of this folder before deleting.
Make sure you are inside "catroot2" not "catroot".
Then reinstall the root certificates updates.

LVL 30

Expert Comment

by:Rich Weissler
ID: 33661544
If I understand correctly... when you go to https:\\ you are getting a certificate error... and asking if you want to continue to the web page... go ahead and let it take you to the page.

Click on the name of the page to the left of the address.  (See graphic... in the red oval.)  Tell it to give you more details.
Which will be the second graphic attached.  We want to look at the certificate, and see what step up the chain is failing.  That should even tell you which root certificate might not be working for you.

Author Comment

ID: 33669625
Thanks again for the responses. I should have mentioned that it is Internet Explorer. Either way I see what you're getting at in the IE equivalent. On the Certificate details the only thing that stands out may be the Issuer.

Due to security concerns I am not able to quote the exact certificate, but I can say that the issuer is showing to be our Proxy. (We run this part of the network on a VPN.)

example is
Issuer  (  

This certificate says it is valid on the certificate details. When I try to install it via Internet Explorer it is saying the install was successful; however, it clearly is not working.

In IE when I select the "certificate error" box next to the URL box I do see an "Untrusted Certificate error". This is the same box where the "View certificate" option is found, and "About certificate errors" is an option to select. In "About certificate errors" it says the following.

This website's security certificate is not from a trusted source.

This error occurs when the certificate has been issued by a certification authority that is not recognized by Internet Explorer. It is unlikely that this error will occur on a legitimate business or banking site. Phishing sites often attempt to use fake certificates that will trigger this error.

As disturbing as that sounds, I am not sure my issue is that drastic; I think it is a misconfiguration on the Domain Controller. Do I need to add the "Issuer" in somewhere, either locally or on the Domain side? How do I find out if this is kosher or not?

Author Comment

ID: 33669875
K so I have imported (or attempted to) the certificate onto the DC. using

I am still receiving the same issue.


Author Comment

ID: 33669912
On the DC, in MMC Certificates (Local Computer)\Certificate Enrollment Requests, the certificate in question under "Certificate Path / Certificate Status" states "The Issuer of this certificate could not be found."


Author Comment

ID: 33669934
This might be the issue as well. When attempting to open Certificate Authority on the DC I receive an error also.

"Cannot manage Certificate services. The specified service does not exist as an installed service. 0x424 (WIN32; 1060)"

Before I get ahead of myself... could this be the issue?
LVL 30

Accepted Solution

Rich Weissler earned 1500 total points
ID: 33673087
> I can say that the issuer is showing to be our Proxy.

Okay, this line puts me out of my depth.  I don't think you want to start installing certificates on your local CA -- but you are doing something outside my experience.  I suspect the problem you are experiencing will be an issue which could be encountered by anyone using a similar proxy system.  I understand the security concerns, so will only ask and let you decide whether you can answer -- "What is the proxy product you are using?"  It may help track down what needs to be configured on your system.  (But like I said, once we get into web proxy systems... it's been a decade since I've looked at one.)

But, because the issuer of the certificate for Google/Yahoo is showing to be your proxy server... I strongly suspect that's leading us towards the root of the problem.  (And it may be that you need to configure the machines behind the proxy to trust your proxy's certificate as a trusted root... I'd like to see the proxy vendor say that, and give recommendations on how best to roll that out without security implications.)
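A way to run the check described in the accepted answer from a workstation, as an added example that is not part of the original thread: it reports who issued the certificate each site presents and whether the chain builds to a root this machine trusts. The host names are sample inputs and `Get-PresentedChain` is a hypothetical helper name; the script connects directly, so it sees the proxy's certificate only where the proxy sits in the network path rather than being configured in IE.

```powershell
# Added example (not from the thread): inspect the certificate presented for
# several unrelated HTTPS sites and rebuild each chain against local stores.
function Get-PresentedChain {
    param([Parameter(Mandatory = $true)][string]$HostName, [int]$Port = 443)

    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented so it can be inspected; no request data is sent.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Rebuild the chain from this machine's certificate stores.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # look at the trust path only
        $trusted = $chain.Build($leaf)
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

        New-Object PSObject -Property @{
            Host       = $HostName
            Subject    = $leaf.Subject
            Issuer     = $leaf.Issuer
            TopOfChain = $top.Subject
            Trusted    = $trusted
            Status     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
    }
    finally {
        $tcp.Close()
    }
}

# Sample inputs: two unrelated public sites, as in the question.
$results = 'www.google.com', 'www.yahoo.com' | ForEach-Object { Get-PresentedChain $_ }
$results | Format-List Host, Subject, Issuer, TopOfChain, Trusted, Status

# Unrelated sites are normally issued by different public CAs. One untrusted
# issuer shared by all of them points at an intercepting device such as a proxy.
$untrusted = @($results | Where-Object { -not $_.Trusted })
$issuers   = @($untrusted | Select-Object -ExpandProperty Issuer -Unique)
if ($untrusted.Count -gt 1 -and $issuers.Count -eq 1) {
    "All failing sites present the same untrusted issuer: $($issuers[0])"
}
elseif ($untrusted.Count -gt 0) {
    "Untrusted chains with differing issuers; check the Status column for each site."
}
else {
    "All chains build to a trusted root on this machine."
}
```

A `Status` of `UntrustedRoot` or `PartialChain` on every site, with the same issuer, matches the situation the asker describes.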

Author Closing Comment

ID: 33883422
Partially correct; the solution was there, however it only steers me in the right direction to the solution of getting the certificate from the Issuer.