Solved

IE9 Windows 7  - "There is a problem with this website's security certificate"

Posted on 2014-09-23
16
1,017 Views
Last Modified: 2014-09-23
So on a fresh image I'm working with, I've basically installed Windows 7 Enterprise with SP1 bare from the ISO.
So I've got IE9 up.

On a few different websites, I get the "There is a problem with this website's security certificate".

However, I don't get that message on any other computer I try to access the same websites from, whether another work computer, or my home computer.

Are there any particular Windows or IE9 updates I may need to install?

I deployed this image through SCCM 2012 but nothing special was done during the task sequence, so I'm really not sure.

The Date/Time on the system is fine
0
Comment
Question by:garryshape
16 Comments
 
LVL 28

Accepted Solution

by:
becraig earned 500 total points
ID: 40339675
You can probably check for specific updates or just run windows updates.

x86      Update for Root Certificates for Windows XP [November 2013] (KB931125)
x64      Update for Root Certificates for Windows XP x64 Edition [November 2013] (KB931125)
x86      Update for Root Certificates for Windows Vista [November 2013] (KB931125)
x64      Update for Root Certificates for Windows Vista for x64-based Systems [November 2013] (KB931125)
x86      Update for Root Certificates for Windows 7 [November 2013] (KB931125)
x64      Update for Root Certificates for Windows 7 for x64-based Systems [November 2013] (KB931125)
x86      Update for Root Certificates for Windows 8 [November 2013] (KB931125)
x64      Update for Root Certificates for Windows 8 for x64-based Systems [November 2013] (KB931125)
x86      Update for Root Certificates for Windows 8.1 [November 2013] (KB931125)
x64      Update for Root Certificates for Windows 8.1 for x64-based Systems [November 2013] (KB931125)
0
 
LVL 58

Expert Comment

by:Gary
ID: 40339679
Check the date/time is correct
0
 
LVL 34

Expert Comment

by:Seth Simmons
ID: 40339691
either the certificate is expired, doesn't match the name of the site, or was not issued by a trusted certificate authority (godaddy, thawte, verisign, etc.)
either the trusted certs are not present in the local store (trusted root certificate authority) or there is a newer version/installed update of the browser which is designed to display that message for security reasons
firefox and chrome have the same behavior to help against phishing sites
0
 

Author Comment

by:garryshape
ID: 40339716
I don't see any updates installed with "certficiate" in their name on the problematic computer.
However, I don't show any on my computer, right, but the website shows up fine.

The problematic computer appears to be in compliance with all the MS Bulletin updates available from SCCM updates.
0
 
LVL 28

Assisted Solution

by:becraig
becraig earned 500 total points
ID: 40339718
My suggestion was based on the fact the OP indicated that the date and time were correct and no updates were applied as yet.

He also indicated the site certificate works at other computers, so my assumption here would be a windows update that would either update root or CA certs has not yet been applied, since windows would bundle these updates from various vendors and release them for install as update KBs.

I would think once updates are applied this should resolve his issue.
0
 
LVL 28

Expert Comment

by:becraig
ID: 40339723
An easy suggestion would be this:

Click on the padlock and view the certificate for the site.
Click on the details tab and see the certificate chain.
You can open your certificate mmc and compare whether or not the CA and root in the certificate you are getting the popup for are in your local certificate store.

That is the only potential issues besides date and time (which you indicate are correct).
0
 

Author Comment

by:garryshape
ID: 40339779
Yeah there's only like 21 Trusted Root CAs on the problematic computer.

Would the certificate updates for Windows 7 / IE9 not be a "Security Bulletin" with a Bulletin ID? Would they be something else?
Because I'm using SCCM 2012 for software updates so the computer can only install those updates from the server which have been filtered, downloaded and packaged on the server according to certain criteria.
0
 
LVL 28

Expert Comment

by:becraig
ID: 40339789
Certificate updates would be for the OS, but I am not sure what might be wrong in your instance.

You could simply export the Root and CA stores as SST and install on the problematic computer to resolve this.
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 

Author Comment

by:garryshape
ID: 40339813
I'm going to try the update KB2718704
0
 

Author Comment

by:garryshape
ID: 40339883
Nope, that KB2718704 update wasn't it. Not sure what others to try. I'd hate do just install hundreds of updates because I won't fixed it if it works.
0
 
LVL 28

Expert Comment

by:becraig
ID: 40339970
You can simply copy the trusted certs from a working computer

Step1 Root (on the working computer)
winkey + r - mmc.exe - add remove snapin - certificates - computer account - local computer - expand trusted root - click on certificates - select all the certificates in the right pane and right click and export you can select sst format here - enter a filename etc.

Step 2 CA (on the working computer)
winkey + r - mmc.exe - add remove snapin - certificates - computer account - local computer - expand Intermediate Certification Authorities - click on certificates - select all the certificates in the right pane and right click and export you can select sst format here


Once you have completed the above steps go to the non working computer (ensure you have access to the files you created above)

Step1 Root (on the problematic computer)
winkey + r - mmc.exe - add remove snapin - certificates - computer account - local computer - expand trusted root - right click on certificates - click import - point to the sst you created and complete the wizard.

Step 2 CA (on the problematic computer)
winkey + r - mmc.exe - add remove snapin - certificates - computer account - local computer - expand Intermediate Certification Authorities - right click on certificates - click import - point to the sst you created and complete the wizard.


This should resolve it for you, I do have one concern (Why are you against installing the windows updates across the board) ?
0
 

Author Comment

by:garryshape
ID: 40340223
I can't do local Windows Updates, because they care configured to be downloaded from SCCM (Configuration Manager) while the computer's on the domain.

I can't try any of those things right now because the system is doing a huge number of security updates.
0
 
LVL 28

Expert Comment

by:becraig
ID: 40340228
It may be possible this will be resolved with one of the security updates, as certificate updates generally fall in the security domain.
0
 

Author Comment

by:garryshape
ID: 40340236
Why would Intermediate and Root certificates be missing though if updates aren't addressing it?
This isn't some messed up image I captured of Windows 7; it's the applied base install.wim file from the ISO with updates installed post-deployment.

Even if I export/import certificates from a working computer and that fixes it, is that an efficient step for the process of deploying hundreds of computers?
0
 
LVL 28

Expert Comment

by:becraig
ID: 40340249
These are always a  part of security updates from windows, since you are filtering on what you want to install and what you don't want to, I cannot tell you which you will miss.

E.g. If Verisign adds a new Intermediate CA or Root in 2014 and you have a 2013 Windows image with an SP released in 2013, you would not expect the updated certificate to be there would you ?

As such these type of OS changes are pushed out in updates, I cannot say which one (or ones) would be the right one for you in this instance.

Once your computer is up to date with required updates this issue should go away.
0
 

Author Closing Comment

by:garryshape
ID: 40340510
Thank you very much for that fix/help.
Now I just need to figure out why the system didn't have those installed in the first place, given it was fully updated through SCCM, as well as via local checking directly to MS (I did so manually), and on the domain for hours.
0

Featured Post

Complete Microsoft Windows PC® & Mac Backup

Backup and recovery solutions to protect all your PCs & Mac– on-premises or in remote locations. Acronis backs up entire PC or Mac with patented reliable disk imaging technology and you will be able to restore workstations to a new, dissimilar hardware in minutes.

Join & Write a Comment

I annotated my article on ransomware somewhat extensively, but I keep adding new references and wanted to put a link to the reference library.  Despite all the reference tools I have on hand, it was not easy to find a way to do this easily. I finall…
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This Micro Tutorial will give you a basic overview of Windows Live Photo Gallery and show you various editing filters and touches to photos you can apply. This will be demonstrated using Windows Live Photo Gallery on Windows 7 operating system.
The viewer will learn how to successfully create a multiboot device using the SARDU utility on Windows 7. Start the SARDU utility: Change the image directory to wherever you store your ISOs, this will prevent you from having 2 copies of an ISO wit…

707 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now