Solved

Certificate error on web server on IIS 7.5

Posted on 2012-04-02
13
1,336 Views
Last Modified: 2013-05-18
Hello experts.
I installed new certificate (from Verisign) on my two servers.
Now they works, but  https://ssl-tools.verisign.com/#certChecker  shows some errors.


Certificate Chain Information
Could not determine the primary certificate for the Web server.

Server Name: online2.ameriabank.am
was checked using port number 443
The certificate installation checker connected to the Web server and read its certificates, but could not determine which is the primary certificate for the Web server. Make sure that the domain name entered above matches the common name of the certificate installed on the Web server.

""
please assist what can I do?
0
Comment
Question by:ameriaadmin
  • 7
  • 6
13 Comments
 
LVL 6

Expert Comment

by:emadallan
ID: 37796211
you shoud add the verisign cert to your trusted root certificate on both servers
0
 

Author Comment

by:ameriaadmin
ID: 37796229
I have don it, the sites work properly, but   https://ssl-tools.verisign.com/#certChecker shows error.
my sites are
online.ameriabank.am
online2.ameriabank.am
0
 
LVL 6

Expert Comment

by:emadallan
ID: 37796256
could you tell me the error message?
0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 

Author Comment

by:ameriaadmin
ID: 37796273
I have post it.
<<<
online.ameriabank.am was checked using port number 443
The certificate installation checker connected to the Web server and read its certificates, but could not determine which is the primary certificate for the Web server. Make sure that the domain name entered above matches the common name of the certificate installed on the Web server.
>>>

you can check it by   https://ssl-tools.verisign.com/#certChecker   for onlin.ameriabank.am and online2.ameriabank.am
0
 
LVL 6

Expert Comment

by:emadallan
ID: 37796371
ok, the problem is due to intermediate certificate called: (VeriSign Class 3 Public Primary Certification Authority - G5) of virisign which is not trusted by verisign, so the solution is replace it in your browser.
please go to :
https://www.verisign.com/support/verisign-intermediate-ca/secure-site-pro-intermediate/index.html
then follow the instructions here:
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&actp=CROSSLINK&id=SO18688
0
 

Author Comment

by:ameriaadmin
ID: 37800248
and what to do in server side?
0
 

Author Comment

by:ameriaadmin
ID: 37800286
I have replaced VeriSign Class 3 Public Primary Certification Authority - G5, by the new one, but I get same error.
0
 
LVL 6

Expert Comment

by:emadallan
ID: 37800302
it's browser side, because your problem is that the intermediate cert in the chain is not trusted, contact the virisign and tell them to include the updated intermediate cert in your cert then import it to your two servers.
0
 
LVL 6

Expert Comment

by:emadallan
ID: 37800328
one thing to mention is: To get browsers to trust the root CA, and intermedite ca the user must install the certificate in the browser's authorities store. so try to install the updated intermedite CA in the IE througn internet options-- import
0
 

Author Comment

by:ameriaadmin
ID: 37800435
do you see the errors from https://ssl-tools.verisign.com/#certChecker for online.ameriabank.am and online2.ameriabank.am ?
0
 
LVL 6

Accepted Solution

by:
emadallan earned 500 total points
ID: 37800532
no, but i just did! i see that now we have two problems:
the first that we talked before
the second is online2.ameriabank.am is not included in you cert as a common name,  why? because Typically a standard secure server SSL Certificate is issued to a single Fully Qualified Domain Name only, which is online.ameriabank.am to which it has been issued. so online2.ameriabank.am is not included.
the solution is to obtain the Wildcard SSL which easily get around this restriction by receiving a Wildcard SSL Certificate issued to *.ameriabank.am. The * character replaces a "fixed" sub-domain with a "variable" one.
0
 

Author Comment

by:ameriaadmin
ID: 37800717
we already obtained SSL Certificate for online and onlin2 you can see it by opening onlin.ameriabank.am and online2.ameriabank.am
0
 

Author Closing Comment

by:ameriaadmin
ID: 39177163
no, but i just did! i see that now we have two problems:
the first that we talked before
the second is online2.ameriabank.am is not included in you cert as a common name,  why? because Typically a standard secure server SSL Certificate is issued to a single Fully Qualified Domain Name only, which is online.ameriabank.am to which it has been issued. so online2.ameriabank.am is not included.
the solution is to obtain the Wildcard SSL which easily get around this restriction by receiving a Wildcard SSL Certificate issued to *.ameriabank.am. The * character replaces a "fixed" sub-domain with a "variable" one.
0

Featured Post

Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

INTRODUCTION The purpose of this document is to demonstrate the Installation and configuration of the Data Protection Manager product. Note that this demonstration was prepared on the basis of Windows OS is 2008 R2 and DPM 2010. DATA PROTECTI…
Lync meeting or Lync conferencing is what many organizations would like to deploy to allow them save money. But companies are now giving up for various reasons, one of which is that they cannot join external meetings (non-federated company meetings)…
The view will learn how to download and install SIMTOOLS and FORMLIST into Excel, how to use SIMTOOLS to generate a Monte Carlo simulation of 30 sales calls, and how to calculate the conditional probability based on the results of the Monte Carlo …
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

832 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question