Asked by Garry Shape

IE9 Windows 7 - "There is a problem with this website's security certificate"

So on a fresh image I'm working with, I've basically installed Windows 7 Enterprise with SP1 bare from the ISO.
So I've got IE9 up.

On a few different websites, I get the "There is a problem with this website's security certificate".

However, I don't get that message on any other computer I try to access the same websites from, whether another work computer, or my home computer.

Are there any particular Windows or IE9 updates I may need to install?

I deployed this image through SCCM 2012 but nothing special was done during the task sequence, so I'm really not sure.

The Date/Time on the system is fine
ASKER CERTIFIED SOLUTION
becraig
This solution is only available to members.
Check that the date/time is correct.
Either the certificate is expired, doesn't match the name of the site, or was not issued by a trusted certificate authority (GoDaddy, Thawte, VeriSign, etc.).
Either the trusted certs are not present in the local store (Trusted Root Certification Authorities) or there is a newer version/installed update of the browser which is designed to display that message for security reasons.
Firefox and Chrome have the same behavior to help against phishing sites.
Garry Shape (ASKER)

I don't see any updates installed with "certificate" in their name on the problematic computer.
However, I don't show any on my computer, right, but the website shows up fine.

The problematic computer appears to be in compliance with all the MS Bulletin updates available from SCCM updates.
SOLUTION
This solution is only available to members.
An easy suggestion would be this:

Click on the padlock and view the certificate for the site.
Click on the details tab and see the certificate chain.
You can open your certificate mmc and compare whether or not the CA and root in the certificate you are getting the popup for are in your local certificate store.

Those are the only potential issues besides date and time (which you indicate are correct).
Yeah there's only like 21 Trusted Root CAs on the problematic computer.

Would the certificate updates for Windows 7 / IE9 not be a "Security Bulletin" with a Bulletin ID? Would they be something else?
Because I'm using SCCM 2012 for software updates so the computer can only install those updates from the server which have been filtered, downloaded and packaged on the server according to certain criteria.
Certificate updates would be for the OS, but I am not sure what might be wrong in your instance.

You could simply export the Root and CA stores as SST and install on the problematic computer to resolve this.
I'm going to try the update KB2718704
Nope, that KB2718704 update wasn't it. Not sure what others to try. I'd hate to just install hundreds of updates because I won't know what fixed it if it works.
You can simply copy the trusted certs from a working computer.

Step 1 Root (on the working computer)
Winkey + R - mmc.exe - Add/Remove Snap-in - Certificates - Computer account - Local computer - expand Trusted Root - click on Certificates - select all the certificates in the right pane, right-click and export (you can select SST format here) - enter a filename, etc.

Step 2 CA (on the working computer)
Winkey + R - mmc.exe - Add/Remove Snap-in - Certificates - Computer account - Local computer - expand Intermediate Certification Authorities - click on Certificates - select all the certificates in the right pane, right-click and export (you can select SST format here).


Once you have completed the above steps, go to the non-working computer (ensure you have access to the files you created above).

Step 1 Root (on the problematic computer)
Winkey + R - mmc.exe - Add/Remove Snap-in - Certificates - Computer account - Local computer - expand Trusted Root - right-click on Certificates - click Import - point to the SST you created and complete the wizard.

Step 2 CA (on the problematic computer)
Winkey + R - mmc.exe - Add/Remove Snap-in - Certificates - Computer account - Local computer - expand Intermediate Certification Authorities - right-click on Certificates - click Import - point to the SST you created and complete the wizard.


This should resolve it for you. I do have one concern: why are you against installing the Windows updates across the board?
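
The compare-then-import steps above, scripted so the missing certificates can be reviewed before they are trusted. This is an added example, not part of the original thread; the path `C:\Temp\roots.sst` and the function names are assumptions, and the script must run from an elevated prompt.

```powershell
# Added example: diff an SST exported from a working machine against the
# local machine store, then import only what is missing.
# Uses .NET classes only, so it runs on the PowerShell 2.0 shipped with Windows 7.

function Get-MissingCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$SstPath,   # full path to the exported .sst
        [string]$StoreName = 'Root'   # 'Root' = Trusted Root CAs, 'CA' = Intermediate CAs
    )
    # Load every certificate contained in the serialized store file.
    $exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $exported.Import($SstPath)

    # Thumbprints already present in the local machine store.
    $local = Get-ChildItem "Cert:\LocalMachine\$StoreName" | ForEach-Object { $_.Thumbprint }

    # Emit only the certificates the local store lacks.
    $exported | Where-Object { $local -notcontains $_.Thumbprint }
}

function Import-MissingCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$SstPath,
        [string]$StoreName = 'Root'
    )
    $missing = @(Get-MissingCertificate -SstPath $SstPath -StoreName $StoreName)
    if ($missing.Count -eq 0) { return 0 }

    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
    $store.Open('ReadWrite')
    try {
        foreach ($cert in $missing) { $store.Add($cert) }
    } finally {
        $store.Close()
    }
    return $missing.Count   # number of certificates added
}

# Review first: what would become trusted, and is any of it expired?
Get-MissingCertificate -SstPath 'C:\Temp\roots.sst' |
    Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize

# Import only after reviewing the list above (uncomment to apply):
# Import-MissingCertificate -SstPath 'C:\Temp\roots.sst' -StoreName 'Root'
```

Run it once with the root SST and `-StoreName 'Root'`, and once with the intermediate SST and `-StoreName 'CA'`.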
I can't do local Windows Updates, because they are configured to be downloaded from SCCM (Configuration Manager) while the computer's on the domain.

I can't try any of those things right now because the system is doing a huge number of security updates.
It may be possible this will be resolved with one of the security updates, as certificate updates generally fall in the security domain.
Why would Intermediate and Root certificates be missing though if updates aren't addressing it?
This isn't some messed up image I captured of Windows 7; it's the applied base install.wim file from the ISO with updates installed post-deployment.

Even if I export/import certificates from a working computer and that fixes it, is that an efficient step for the process of deploying hundreds of computers?
These are always a part of security updates from Windows; since you are filtering on what you want to install and what you don't want to, I cannot tell you which you will miss.

E.g., if Verisign adds a new Intermediate CA or Root in 2014 and you have a 2013 Windows image with an SP released in 2013, you would not expect the updated certificate to be there, would you?

As such, these types of OS changes are pushed out in updates; I cannot say which one (or ones) would be the right one for you in this instance.

Once your computer is up to date with required updates this issue should go away.
Thank you very much for that fix/help.
Now I just need to figure out why the system didn't have those installed in the first place, given it was fully updated through SCCM, as well as via local checking directly to MS (I did so manually), and on the domain for hours.