Certificate Authority certificate issued with incorrect hash algorithm

Hi all,
We have a certificate authority which was migrated from Server 2003 to 2008 R2. The issue is that after running this command:
certutil -setreg ca\csp\CNGHashAlgorithm sha256
to upgrade the CA to SHA256, we renewed the CA certificate, but the certificate was still renewed using SHA1. The cryptographic settings in the CA properties dialog box say SHA256; however, the certificate is issued using SHA1. Here is the image:
Any pointers to how we can reissue CA certificate with SHA256 algorithm?
Thanks,
Ojas

[Puneet Singh] What I feel is that your initial key was generated CAPI based; that might be the reason you are facing the problem.
Try to do the things in the sequence below.
On the certification authority's system, you will need to run the following commands from an elevated command line window:
certutil -setreg ca\csp\CNGHashAlgorithm SHA256
net stop certsvc
net start certsvc
Make sure you are using a Key Storage Provider that supports SHA256 (for example, the Microsoft Key Storage Provider) and then renew the certification authority's certificate.
If you have a CAPI provider, or your key is CAPI based, then you have to convert it to a CNG key and use certutil repair so that the CA starts using the CNG key.
Puneet Singh
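As an added check (not part of the original thread), the following PowerShell reads the CA's CSP configuration straight from the registry, which is what the certutil -setreg command above modifies, and compares it with the signature algorithm on the current CA certificate. The point it makes visible is the one in the reply: CNGHashAlgorithm is only honoured when the CA key lives in a CNG key storage provider (ProviderType 0); a legacy CAPI CSP signs with the CALG value in HashAlgorithm, so a renewal comes back SHA1 no matter what CNGHashAlgorithm says. It assumes it runs elevated on the CA host with the standard ADCS registry layout and that the CA certificate is in the local machine's Personal store.

```powershell
# Added example: verify whether CNGHashAlgorithm can take effect on this CA.
# Assumes it runs elevated on the CA host (standard ADCS registry layout).
$base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$caName = (Get-ItemProperty -Path $base -Name Active).Active
$caKey  = Join-Path $base $caName
$csp    = Get-ItemProperty -Path (Join-Path $caKey 'CSP')

# ProviderType 0 means a CNG key storage provider (KSP). Any other value is a
# legacy CAPI CSP (e.g. 1 = PROV_RSA_FULL, 12 = PROV_RSA_SCHANNEL); with a CAPI
# key the CA signs with the CALG in HashAlgorithm and CNGHashAlgorithm is ignored.
$isCng = ($csp.ProviderType -eq 0)

"CA name          : $caName"
"Provider         : $($csp.Provider)"
"ProviderType     : $($csp.ProviderType)  (CNG key: $isCng)"
"CNGHashAlgorithm : $($csp.CNGHashAlgorithm)"
if ($null -ne $csp.HashAlgorithm) {
    # CALG values: 0x8004 = CALG_SHA1, 0x800C = CALG_SHA_256
    "HashAlgorithm    : 0x{0:X4}" -f $csp.HashAlgorithm
}

# CaCertHash is a REG_MULTI_SZ with one thumbprint per CA certificate, oldest first,
# so the last entry is the certificate produced by the most recent renewal.
$thumbs = @((Get-ItemProperty -Path $caKey -Name CaCertHash).CaCertHash)
$newest = ($thumbs[-1] -replace '\s', '').ToUpperInvariant()
$caCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $newest }
if ($caCert) {
    "Current CA cert  : $($caCert.Subject)"
    "Signed with      : $($caCert.SignatureAlgorithm.FriendlyName)"   # sha1RSA vs sha256RSA
}

if (-not $isCng) {
    Write-Warning 'The CA key is held by a CAPI CSP, so a renewal will still be signed with SHA1 regardless of CNGHashAlgorithm. Move the key to a KSP first.'
}
```

certutil -getreg ca\csp\ prints the same Provider, ProviderType, HashAlgorithm and CNGHashAlgorithm values; the script only adds the comparison with the certificate that was actually produced. If the warning fires, the registry change in the reply is necessary but not sufficient, which matches the symptom in the question (dialog says SHA256, certificate says SHA1).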

Similar Messages

  • How to filter certificate templates in Certificate Authority snap-in with the correct values

    I have a 2012 R2 server running Microsoft Certificate Authority snap-in.
    I want to do a filter on a specific Certificate Template which i know exists in the 'Issued Certificates' folder.
    All the documentation I can find seems to suggest I copy the certificate name and use this in the View Filter.
    1). I add the 'Certificate Template' option into the Field drop-down.
    2). I leave the Operation as the '=' symbol.
    3). I paste in just the name of the template in question, for example: 'my computers'.
    The search results always come back blank ('There are no items to show in this view.') even when I know there are many instances of this template. I've tried on a Windows 2008 server with the same issue.
    Is there a correct value to enter for the Certificate Template name?
    Can this be done more easily using certutil commands?
    When I run the certutil tool I can confirm I have several issued templates: Certutil -catemplates -v > c:\mytemplate_log.csv
    Anybody know what I'm doing wrong?
    I seem to be getting nowhere with this one.

    > But it's important you are using the template name, not the display name
    This is incorrect. OIDs are mapped to the *display name*, not the common name (this is true for all templates except the Machine template). That is, in order to translate a template name to its corresponding OID, you need to use the certificate template's display name. And, IIRC, the template name in the filter can be used only for V1 templates. For V2 and higher, the OID must be used.
    My weblog: en-us.sysadmins.lv
    PowerShell PKI Module: pspki.codeplex.com
    PowerShell Cmdlet Help Editor: pscmdlethelpeditor.codeplex.com
    Check out new: SSL Certificate Verifier
    Check out new: PowerShell FCIV tool.
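Because the filter needs the template OID for V2 and later templates, here is an added PowerShell helper (not from the thread) that resolves a template's display name to its OID by reading the template object from the forest's Configuration partition over LDAP, and prints the equivalent certutil -view restriction on the CA database. It assumes a domain-joined machine that can reach a domain controller; the display name 'my computers' is the one used in the question and is only an example.

```powershell
# Added example: resolve a certificate template's display name to its OID.
# Assumes a domain-joined machine that can reach a domain controller.
function Get-CertTemplateOid {
    param([Parameter(Mandatory)][string]$DisplayName)

    $configNc  = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $container = [ADSI]"LDAP://CN=Certificate Templates,CN=Public Key Services,CN=Services,$configNc"
    $searcher  = [System.DirectoryServices.DirectorySearcher]::new($container)

    # Escape LDAP filter metacharacters in the user-supplied name (RFC 4515).
    $escaped = $DisplayName -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $searcher.Filter = "(&(objectClass=pKICertificateTemplate)(displayName=$escaped))"
    $null = $searcher.PropertiesToLoad.AddRange(
        [string[]]@('cn', 'displayName', 'msPKI-Cert-Template-OID', 'msPKI-Template-Schema-Version'))

    foreach ($r in $searcher.FindAll()) {
        # Return the first value of an attribute, or $null when it is absent.
        $prop = { param($n) if ($r.Properties[$n].Count) { $r.Properties[$n][0] } }
        $cn      = [string](& $prop 'cn')
        $oid     = [string](& $prop 'mspki-cert-template-oid')
        $version = [int](& $prop 'mspki-template-schema-version')

        [pscustomobject]@{
            Name          = $cn
            DisplayName   = [string](& $prop 'displayname')
            SchemaVersion = $version
            Oid           = $oid
            # Issued certs from V1 templates carry the template name; V2+ carry the OID.
            FilterValue   = $(if ($version -le 1) { $cn } else { $oid })
        }
    }
}

# Display name from the question; adjust to your own template.
$t = Get-CertTemplateOid -DisplayName 'my computers'
$t
# Equivalent command-line view of issued certificates for that template:
"certutil -view -restrict `"CertificateTemplate=$($t.FilterValue)`" -out `"RequestID,CommonName,NotAfter`""
```

FilterValue is what goes into the snap-in's 'Certificate Template =' filter (or the -restrict clause above): the common name for a V1 template, the OID otherwise. If the lookup returns nothing, the display name is wrong or the account cannot read the Certificate Templates container.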

  • Devicelistx.asp The certificate authority is invalid or incorrect

    Hello
    After some modifications of the file "getdeviceip.asp", I am at the following point:
    (1) If I leave the line "xmlhttp.open("GET ", protocol +"://" + callManager + "/CCMAdmin/reports/devicelistx.asp", false);"
    I receive the error
    msxml4.dll error '80070005'
    Accès refusé. (Access denied)
    (2) If I replace:
    + callmanager +
    by:
    + "callmanager" +
    with callmanager and its IP in my hosts file,
    I receive the error
    msxml4.dll error '80072f0d'
    The certificate authority is invalid or incorrect
    Any idea?
    Thank you

    Well, I have the same problem...
    I ask in other forums and emails, and some guy tell me this:
    As you probably already know, your error is coming from URLMON (not XMLHTTP); it is INET_E_SECURITY_PROBLEM.
    Trying to pass a username and password using the "Basic" authentication scheme (that's what you are doing, right?) through URLMON by HTTP header will not work. MSXML will not set the user information this way. You should pass the username and password to the XMLHTTP.open method, rather than in a request header. See
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/xmlsdk/html/52aaf5ff-e302-4490-821a-cb3a085fe5ee.asp
    However, also because "Basic" authentication is not generally encrypted, you should be using only SSL here.
    I change the code to:
    xmlhttp.Open "GET", "https://10.0.0.10/CCMAdmin/Reports/devicelistx.asp", False , userID, password
    But doesn't work... this is very frustrating...
    Without the IPs from the phones, we're very limited...
    Jorge

  • ISE Certificate Authority Certificate

    I'm confused about the certificates:
    Some weeks ago a certificate was installed in the ISE to avoid the browser certificate error when the customer accesses the sponsor portal ...
    Now, the customer is requesting to authenticate the sponsor users through LDAPS ... I understand Active Directory or LDAP as External Identity Sources are not secure. So, in order to enable LDAPS we must check the Secure Authentication box in the LDAP configuration, but a ROOT CA must be chosen also.
    I understand the ISE should validate the customer PKI in order to validate the user certificate ... Am I right?
    Do I need to request the customer to provide me the "Certificate Authority Certificate" from its PKI?
    Is it a file completely different from the certificate already loaded in the ISE?
    With this certificate, would the ISE validate the user's computer certificate in addition to user and password?
    Would the user have to use a computer with a certificate in order to access the sponsor portal?
    Thanks in advance.
    Regards
    Daniel Escalante.

    Please follow the "Secure Authentication" row in the table below (highlighted).
    Go to LDAP Connection Settings.
    The table lists the fields in the LDAP connection tab and their descriptions.
    Table: LDAP Connection Tab (Option: Description)
    Enable Secondary Server: Check this option to enable the secondary LDAP server to be used as a backup in the event that the primary LDAP server fails. If you check this check box, you must enter configuration parameters for the secondary LDAP server.
    Primary and Secondary Servers
    Hostname/IP: (Required) Enter the IP address or DNS name of the machine that is running the LDAP software. The hostname can contain from 1 to 256 characters or a valid IP address expressed as a string. The only valid characters for hostnames are alphanumeric characters (a to z, A to Z, 0 to 9), the dot (.), and the hyphen (-).
    Port: (Required) Enter the TCP/IP port number on which the LDAP server is listening. Valid values are from 1 to 65,535. The default is 389, as stated in the LDAP specification. If you do not know the port number, you can find this information from the LDAP server administrator.
    Access: (Required) Anonymous Access—Click to ensure that searches on the LDAP directory occur anonymously. The server does not distinguish who the client is and will allow the client read access to any data that is configured as accessible to any unauthenticated client. In the absence of a specific policy permitting authentication information to be sent to a server, a client should use an anonymous connection.
    Authenticated Access—Click to ensure that searches on the LDAP directory occur with administrative credentials. If so, enter information for the Admin DN and Password fields.
    Admin DN: Enter the DN of the administrator. The Admin DN is the LDAP account that permits searching of all required users under the User Directory Subtree and permits searching groups. If the administrator specified does not have permission to see the group name attribute in searches, group mapping fails for users who are authenticated by that LDAP.
    Password: Enter the LDAP administrator account password.
    Secure Authentication: Click to use SSL to encrypt communication between Cisco ISE and the primary LDAP server. Verify that the Port field contains the port number used for SSL on the LDAP server. If you enable this option, you must choose a root CA.
    Root CA: Choose a trusted root certificate authority from the drop-down list box to enable secure authentication with a certificate. See the "Certificate Authority Certificates" section on page 12-17 and "Adding a Certificate Authority Certificate" section on page 12-19 for information on CA certificates.
    Server Timeout: Enter the number of seconds that Cisco ISE waits for a response from the primary LDAP server before determining that the connection or authentication with that server has failed. Valid values are 1 to 300. The default is 10.
    Max. Admin Connections: Enter the maximum number of concurrent connections (greater than 0) with LDAP administrator account permissions that can run for a specific LDAP configuration. These connections are used to search the directory for users and groups under the User Directory Subtree and the Group Directory Subtree. Valid values are 1 to 99. The default is 20.
    Test Bind to Server: Click to test and ensure that the LDAP server details and credentials can successfully bind. If the test fails, edit your LDAP server details and retest.

  • Certificate Host Naming Issue with WRVS4400N

    When accessing the WRVS4400N v1.00.16 for Remote Administration or QuickVPN, I get an error indicating that the certificate host name does not match the host name of the WRVS4400N. Is this an issue with the certificate generated by the WRVS4400N, or is there a method of changing the host name of the WRVS4400N to match that of the certificate? I noticed that the name on the certificate is WRVS4400N and the router name is linksys.

    I have not been able to generate a certificate to place in the QuickVPN directory. I must be missing something. I looked in the VPN Tab, VPN advanced settings button and VPN Client Accounts tab. I cannot find a button to generate a certificate to place in the QuickVPN directory. The only way I get a certificate is by HTTPS to the router from the LAN or WAN and exporting it from Internet Explorer. In the meantime, I placed the certificate in my certificate stores under the trusted authority store. Is there a button missing to generate a certificate, or do I simply not get it? Both are possible.
    PS> Thank you for your reply.

  • Certificate Authority chain issue

    Hello,
    I have a problem with using root and sub certificates in our PKI environment. Specifically, I have a problem with the way the Java implementation of certificates is working in our environment.
    We use Entrust as our external Certification Authority. We are a predominantly Microsoft environment and have implemented PKI for user accounts and smart card logons across our domain. Our certificates are generated under Entrust's certification authority and we have added their DCOMROOTCA and DCOMSUBCA (Root and Subordinate) certificates to our Trusted Root Certification Authorities store for all MS clients. Entrust have recently reissued their DCOMROOTCA and DCOMSUBCA certificates and we have included those new certificates in our Trusted Root Certification Authorities store. The old Entrust certificates are still valid and don't expire for another 2 years. Our PKI environment and authentication continues to work as normal in an MS environment.
    In a Windows environment which is using Microsoft's implementation of certificates, a smart card which was issued under Entrust's old root certificate will successfully authenticate with a certificate issued under Entrust's new root certificate.
    I am having a problem with VMware View. VMware View is a Web interface broker server which uses Java's implementation of certificate security, i.e. it uses keytool.exe and cacerts as its trusted certificate store. I have secured the web interface with a certificate issued under Entrust's new root certificate. I am trying to authenticate with a smart card which has been issued with a certificate under Entrust's old root certificate. This has not been successful. I have imported the old DCOMROOT and DCOMSUB certificates and the new DCOMROOT and DCOMSUB certificates into the cacerts file. The client (a Wyse terminal) also has the old and new DCOMROOT and DCOMSUB certificates in its trusted store. When I attempt to log on I get the following event in the logs on the Web interface broker server:
    16:54:18,789 DEBUG <pool-1-thread-17> PooledProcessor SSL handshake exception from /10.42.2.138:2867, error was: sun.security.validator.ValidatorException: Certificate signature validation failed
    If I reissue the Smartcard with a new certificate which has been generated under Entrust's new root and sub certificates I am able to successfully authenticate.
    The conclusion I can draw from this is that Java certification (at least in the way I have set it up) breaks if a new issuing certificate is being used to generate a certificate to secure the Web interface and an old issuing certificate is being used on a smart card / client.
    Does this sound correct? Is this a known issue, or have I not imported or set up the certificate chains correctly?
    Any advice would be most welcome.
    Many thanks,
    Ben

    Hi,
    thanks for your reply.
    Here is some more from the log. The log has some VMWare specific entries.
    10:44:41,337 DEBUG <pool-1-thread-7> [PooledProcessor] SSL handshake exception from /10.42.2.134:1104, error was: sun.security.validator.ValidatorException: Certificate signature validation failed
    10:44:41,462 DEBUG <VirtualCenterDriver-81804728-d329-4022-8d84-74dfa92516d0> [VirtualCenterDriver] (RePropagate cn=gb_off,ou=server groups,dc=vdi,dc=vmware,dc=int) Determine actions for cn=gb_off,ou=server groups,dc=vdi,dc=vmware,dc=int: totalVMs=11, availableVMs=11, zombieVMs=0, busyVMs=0, poweredOffVMs=0, suspendedVMs=0, vmMaximumCount=20, vmMinimumCount=10, vmHeadroomCount=5, customizingVMs=0
    10:44:41,462 DEBUG <VirtualCenterDriver-81804728-d329-4022-8d84-74dfa92516d0> [VirtualCenterDriver] (RePropagate cn=gb_off,ou=server groups,dc=vdi,dc=vmware,dc=int) cn=gb_off,ou=server groups,dc=vdi,dc=vmware,dc=int::Control path is vmHeadroomCount-stop as availableVMs(11) > vmHeadroomCount(5)
    10:44:41,478 DEBUG <VirtualCenterDriver-81804728-d329-4022-8d84-74dfa92516d0> [VirtualCenterDriver] (RePropagate cn=gb_off,ou=server groups,dc=vdi,dc=vmware,dc=int) Not stopping VMs as policy is ALWAYSON, REMAINON or DELETEONUSE
    10:44:41,478 DEBUG <VirtualCenterDriver-81804728-d329-4022-8d84-74dfa92516d0> [VirtualCenterDriver] (RePropagate cn=gb_sco,ou=server groups,dc=vdi,dc=vmware,dc=int) onMachineEvent: null in pool: cn=gb_sco,ou=server groups,dc=vdi,dc=vmware,dc=int
    10:44:41,963 DEBUG <VirtualCenterDriver-81804728-d329-4022-8d84-74dfa92516d0> [VirtualCenterDriver] (RePropagate cn=gb_sco,ou=server groups,dc=vdi,dc=vmware,dc=int) Determine actions for cn=gb_sco,ou=server groups,dc=vdi,dc=vmware,dc=int: totalVMs=10, availableVMs=9, zombieVMs=0, busyVMs=1, poweredOffVMs=0, suspendedVMs=0, vmMaximumCount=20, vmMinimumCount=10, vmHeadroomCount=5, customizingVMs=0
    10:44:41,994 DEBUG <VirtualCenterDriver-81804728-d329-4022-8d84-74dfa92516d0> [VirtualCenterDriver] (RePropagate cn=gb_sco,ou=server groups,dc=vdi,dc=vmware,dc=int) cn=gb_sco,ou=server groups,dc=vdi,dc=vmware,dc=int::Control path is vmHeadroomCount-stop as availableVMs(9) > vmHeadroomCount(5)
    10:44:41,994 DEBUG <VirtualCenterDriver-81804728-d329-4022-8d84-74dfa92516d0> [VirtualCenterDriver] (RePropagate cn=gb_sco,ou=server groups,dc=vdi,dc=vmware,dc=int) Not stopping VMs as policy is ALWAYSON, REMAINON or DELETEONUSE
    10:44:41,994 DEBUG <VirtualCenterDriver-81804728-d329-4022-8d84-74dfa92516d0> [VirtualCenterDriver] (RePropagate cn=gb_dev,ou=server groups,dc=vdi,dc=vmware,dc=int) onMachineEvent: null in pool: cn=gb_dev,ou=server groups,dc=vdi,dc=vmware,dc=int
    10:44:41,994 DEBUG <VirtualCenterDriver-81804728-d329-4022-8d84-74dfa92516d0> [VirtualCenterDriver] (RePropagate cn=gb_dev,ou=server groups,dc=vdi,dc=vmware,dc=int) Determine actions for cn=gb_dev,ou=server groups,dc=vdi,dc=vmware,dc=int: totalVMs=6, availableVMs=6, zombieVMs=0, busyVMs=0, poweredOffVMs=0, suspendedVMs=0, vmMaximumCount=0, vmMinimumCount=0, vmHeadroomCount=0, customizingVMs=0
    10:44:42,713 DEBUG <HandshakeCompletedNotify-Thread> [PooledProcessor] Peer unverified
    10:44:42,713 DEBUG <Thread-19> [SimpleAJPService] (Request128) SimpleAJPService request: /broker/xml
    10:44:42,728 DEBUG <TP-Processor3> [XmlAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) In doFilter
    10:44:42,744 DEBUG <TP-Processor3> [XmlRequestProcessor] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) read XML input
    10:44:42,744 DEBUG <TP-Processor3> [XmlRequestProcessor] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) added: configuration
    10:44:42,759 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) In doFilter for disclaimer
    10:44:42,759 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Checking if authentication chain has been stopped
    10:44:42,759 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) In doFilter for SecurID
    10:44:42,759 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Checking if authentication chain has been stopped
    10:44:42,759 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) In doFilter for gssapi
    10:44:42,759 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Checking if authentication chain has been stopped
    10:44:42,759 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Attempting to authenticate against gssapi
    10:44:42,759 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) In doFilter for cert-auth
    10:44:42,775 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Checking if authentication chain has been stopped
    10:44:42,775 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Attempting to authenticate against cert-auth
    10:44:42,775 DEBUG <TP-Processor3> [CertificateAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Client did not use Certificate Authentication, skipping or failing
    10:44:42,775 DEBUG <TP-Processor3> [CertificateAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Failing Certificate authentication, bypassing for OPTIONAL mode
    10:44:42,775 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) In doFilter for windows-password
    10:44:42,775 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Checking if authentication chain has been stopped
    10:44:42,775 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Attempting to authenticate against windows-password
    10:44:42,775 DEBUG <TP-Processor3> [WinAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Attempting authentication against AD
    10:44:42,775 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Not authenticated, requesting login page for windows-password
    10:44:42,791 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) AuthorizationFilter: XML Authorization Filter in doFilter()
    10:44:42,791 DEBUG <TP-Processor3> [ProperoAuthFilter] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) paeCtx == null, forwarding to login page: /broker/xml
    10:44:42,791 DEBUG <TP-Processor3> [XmlServlet] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Start processing: configuration
    10:44:42,791 DEBUG <TP-Processor3> [XmlServlet] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Processing: configuration
    10:44:42,791 DEBUG <TP-Processor3> [XmlServlet] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) Finished processing: configuration, Result: ok
    10:44:42,806 DEBUG <TP-Processor3> [XmlServlet] (SESSION:6823E6F359BCD4ECC852D07F57268B1E) End processing: configuration
    Many thanks again,
    Ben

  • ISE 1.1.1 don't have certificate authority certificate anymore?

    Hi all,
    I am working on ISE 1.1.1, and surprisingly I couldn't find the Certificate Authority certificate under certificate operations anymore.
    Would it be a change in the GUI? So now where can I import the CA certificate into ISE?
    Thanks
    Noel

    Hi,
    The document is pretty clear and the directions are stated here:
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/user_guide/ise_man_cert.html#wp1053515
    Thanks,
    Tarik Admani

  • Is there an issue with incorrect tracking of data usage?

    I just upgraded from a 4 gig shared plan to 6. I never went over the previous plan, but now that I have more data, I've gone over. There is no difference in how we are using our phones, and when I look at the data usage for each phone on the plan (there are 4, all different phones) the times don't make sense - in some cases it appears that data is being used in the early morning hours when we are sleeping. In other cases, there are duplicate entries for the same dates and times. What the hell is going on? I don't even dare try to call Verizon customer service because I know I'll be on the phone with them for hours with no resolution or explanation that makes sense to me (it makes perfect sense to them, however). Anyone else experienced this?

    Although I am not a conspiracy theorist, I am reading more and more on the web that ever since the unlimited data went to shared or metered data, people that never exceeded data use previously are now seeing high overages. Of course Verizon will tell you nothing is wrong and it is all your problem. I can remember the old days when people were seeing phantom charges of data use at 99 cents, and in the lawsuit that followed Verizon admitted it was an error. They made millions on that error but the class action settlement was peanuts. They still made millions even after admitting the practice.
    I personally do not believe that the data counters are 100% accurate. Amazing that people on unlimited that used a few gigs of data, if that, now complain of excessive data over 3, 4, and 8 GB and up. Yeah, the phones that were not using a whole lot of data before are suddenly data hogs. Again, I am sure there is a logical reason for the data jumps.
    And no, let's not just blame the users or the device brand; this situation is happening across all brand lines. Some more than others, such as iPhones, but again this is all about the money.
    And don't fall for the Verizon now has plans with double data for the same price, it is a ploy to garner more business. They see this as their answer to the Sprint & T-Mobile and now AT&T plans being offered.
    You see with 99% cellular penetration Verizon and other providers have to do anything they can to get and keep customers.
    It is big business. You must expect they have ways to generate as much money out of you they can.
    Good Luck

  • Migrate SHA-1 Hash Algorithm SSL certificates to SHA-2

    HI All,
    I am hearing the news that SHA-1 certificates will soon be phased out on Chrome and Microsoft platforms. I am OK with replacing public certificates with SHA-2 certificates.
    But I see that our internal certificates are also issued with the SHA-1 algorithm, and these SSL certificates are used on the LAN to access internal sites. So do I need to get the internal certificates reissued with SHA-2 (256)? If so, what changes do I need to make on the CA server to use the SHA-2 algorithm?
    Thanks in advance.
    Mahi

    On 9/20/2014 1:28 AM, "Paul Adare [MVP]" wrote:
    On Sat, 20 Sep 2014 06:24:23 +0000, mahi_tweak wrote:
    Could you please let me know, w.r.t. the phase out of SHA1, is it required to take action for internal (private) CA servers as well?
    Currently no. All of the current SHA1 deprecation notices from Microsoft apply only to public root CAs that are part of the Microsoft Trusted Root program.
    You should start planning to migrate your internal CAs however. At some point in time I think you'll find that all SHA1 certificates will be deprecated.
    Paul - does IE have the logic built in to know when a cert has been issued by an internal CA so that it does not flag it as unsafe? The way I see it, it is all pointless to have legacy SHA1 in your environment if the browser can't distinguish one from the other.
    This depends somewhat on what version of IE you are using. I urge anyone who is stuck with an older version to modernize ASAP.
    I also recommend CA servers also be the latest version. Like Paul said, SHA-1 has been deprecated and the new SHA-2 is the new flavor of the week.
    Being cynical, it seems that too many problems come from suspicious efforts to make the system secure in the first place.
    Please don't pay attention to anything Vegan Fanatic has to say on this topic, as he is clearly out of his depth here and has no idea what he's talking about.
    IE does not itself do certificate validation; that is passed off to the certificate chaining engine that is built into the Windows OS. When the date arrives that SHA1 SSL and code signing certificates issued by roots in the Microsoft Trusted Root program are no longer accepted, determining whether the certificate being validated chains to an internal or an external root will be done by the certificate chaining engine and not directly by IE.
    The last sentence above makes no sense at all, and SHA2 is not "the new flavour of the week".
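To size the internal migration being asked about, an added PowerShell inventory (not from the thread) walks the local machine's Personal store, builds each certificate's chain with the same Windows chaining engine referred to above, and reports which chains contain a SHA-1 (or MD5) signature below the root, together with the issuer that would have to be reissued. It assumes the store path shown. The root is skipped on purpose: trust in a root comes from its presence in the store, not from its self-signature, which is why the SHA-1 deprecations targeted certificates issued under roots rather than the roots themselves.

```powershell
# Added example: find certificates whose chain relies on a weak signature hash.
# Assumes the certificates of interest are in the local machine's Personal store.
function Get-WeakSignatureInventory {
    param([string]$StorePath = 'Cert:\LocalMachine\My')

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        # Revocation status is irrelevant here; we only want the chain's members.
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $null = $chain.Build($cert)   # Build may return $false (untrusted root); elements still fill
        $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })
        $root = $elements[-1]

        # Skip the root: the chaining engine does not derive trust from its self-signature.
        $weak = @($elements | Select-Object -SkipLast 1 |
                  Where-Object { $_.SignatureAlgorithm.FriendlyName -match '^(md2|md4|md5|sha1)' })

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            LeafSignature = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, sha256RSA
            ChainLength   = $elements.Count
            Root          = $root.Subject
            RootTrusted   = ($chain.ChainStatus.Status -notcontains 'UntrustedRoot')
            # Issuers of the weakly signed certificates: these CAs must renew or reissue.
            WeakSigners   = ($weak | ForEach-Object { $_.Issuer }) -join '; '
        }
        $chain.Dispose()
    }
}

# Every certificate in the store that still depends on SHA-1 (or MD5) below the root:
Get-WeakSignatureInventory | Where-Object WeakSigners |
    Format-Table Subject, LeafSignature, Root, WeakSigners -AutoSize
```

Root tells you whether a given chain ends at your internal CA or at a public root, which is the distinction the chaining engine (not the browser) makes; WeakSigners tells you which issuing CA has to move to SHA-2 before its certificates can be reissued. Run it on a representative server and on a client with user certificates to cover both kinds of internal chain.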

  • HTTPS SSL Certificate Signed using Weak Hashing Algorithm

    I am supporting one client who falls under mandatory security scans for a new implementation of an ASA 5520 device. The client uses Nessus Scan and the test results are attached.
    The Nessus scanner hit on 1 Medium vulnerability. Could you please review the statement and provide a workaround for the same.
    Nessus Scanner reports
    Medium Severity Vulnerability
    Port : https (443/tcp)
    Issue:
    SSL Certificate Signed using Weak Hashing Algorithm
    Synopsis :
    The SSL certificate has been signed using a weak hash algorithm.
    Description :
    The remote service uses an SSL certificate that has been signed using a cryptographically weak hashing algorithm - MD2, MD4, or MD5. These signature algorithms are known to be vulnerable to collision attacks. In theory, a determined attacker may be able to leverage this weakness to generate another certificate with the same digital signature, which could allow him to masquerade as the affected service.
    See also :
    http://tools.ietf.org/html/rfc3279
    http://www.phreedom.org/research/rogue-ca/
    http://www.microsoft.com/technet/security/advisory/961509.mspx
    http://www.kb.cert.org/vuls/id/836068
    Solution :
    Contact the Certificate Authority to have the certificate reissued.
    Plugin Output :
    Here is the service's SSL certificate :
    Subject Name:
    Common Name: xxxxxxxxxx
    Issuer Name:
    Common Name: xxxxxxxxxx
    Serial Number: D8 2E 56 4E
    Version: 3
    Signature Algorithm: MD5 With RSA Encryption
    Not Valid Before: Aug 25 11:15:36 2011 GMT
    Not Valid After: Aug 22 11:15:36 2021 GMT
    Public Key Info:
    Algorithm: RSA Encryption
    Public Key: 00 AA AB 57 9C 74 FF E9 FB 68 E1 BF 69 90 8E D2 65 7F DF 40
    D6 F6 29 E7 35 5E 16 FB 76 AA 03 3F 47 07 5A D0 6D 07 E0 EC
    06 7E D4 9A 43 C6 B3 A6 93 B7 76 CC 58 31 25 36 98 04 30 E6
    77 56 D7 C3 EE EF 7A 79 21 5E A0 78 9B F6 1B C5 E6 2A 10 B5
    CB 90 3D 6D 7C A0 8D B1 B8 76 61 7F E2 D1 00 45 E2 A1 C7 9F
    57 00 37 60 27 E1 56 2A 83 F5 0E 48 36 CC 61 85 59 54 0C CB
    78 82 FB 50 17 CB 7D CD 15
    Exponent: 01 00 01
    Signature: 00 24 51 24 25 47 62 30 73 95 37 C4 71 7E BD E4 95 68 76 35
    2E AF 2B 4A 23 EE 15 AF E9 09 93 3F 02 BB F8 45 00 A1 12 A9
    F7 5A 0C E8 4D DB AE 92 70 E4 4C 24 10 58 6B A9 87 E1 F0 12
    AE 12 18 E8 AB DF B9 02 F7 DA BE 3C 45 02 C4 1E 81 44 C2 74
    25 A2 81 E7 D6 38 ED B9 66 4C 4A 17 AC E3 05 1A 01 14 88 23
    E8 9F 3B 5C C5 B8 13 97 27 17 C3 02 5F 6E 7C DB 4C D3 65 B5
    C5 FC 94 62 59 04 E7 7E FB
    CVE :
    CVE-2004-2761
    BID :
    BID 11849
    BID 33065
    Other References :
    OSVDB:45106
    OSVDB:45108
    OSVDB:45127
    CWE:310
    Nessus Plugin ID :
    35291
    VulnDB ID:
    69469
    I also tried configuring the SSL encryption method with "ssl encryption 3des-sha1 aes128-sha1 aes256-sha1 rc4-md5", but it throws the same issue.
    Here is the ASA log:
    7|Oct 19 2011 01:59:34|725010: Device supports the following 4 cipher(s).
    7|Oct 19 2011 01:59:34|725011: Cipher[1] : DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[2] : AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[3] : AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[4] : RC4-MD5
    7|Oct 19 2011 01:59:34|725008: SSL client production:xxxxxxxxx/2587 proposes the following 26 cipher(s).
    7|Oct 19 2011 01:59:34|725011: Cipher[1] : ADH-AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[2] : DHE-RSA-AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[3] : DHE-DSS-AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[4] : AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[5] : ADH-AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[6] : DHE-RSA-AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[7] : DHE-DSS-AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[8] : AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[9] : ADH-DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[10] : ADH-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[11] : EXP-ADH-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[12] : ADH-RC4-MD5
    7|Oct 19 2011 01:59:34|725011: Cipher[13] : EXP-ADH-RC4-MD5
    7|Oct 19 2011 01:59:34|725011: Cipher[14] : EDH-RSA-DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[15] : EDH-RSA-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[16] : EXP-EDH-RSA-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[17] : EDH-DSS-DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[18] : EDH-DSS-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[19] : EXP-EDH-DSS-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[20] : DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[21] : DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[22] : EXP-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[23] : EXP-RC2-CBC-MD5
    7|Oct 19 2011 01:59:34|725011: Cipher[24] : RC4-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[25] : RC4-MD5
    7|Oct 19 2011 01:59:34|725011: Cipher[26] : EXP-RC4-MD5
    7|Oct 19 2011 01:59:34|725012: Device chooses cipher : DES-CBC3-SHA for the SSL session with client production:xxxxxxxx/2586
    6|Oct 19 2011 01:59:34|725002: Device completed SSL handshake with client production:xxxxxxxxx/2586
    6|Oct 19 2011 01:59:34|725007: SSL session with client production:xxxxxxxx/2586 terminated.
    6|Oct 19 2011 01:59:34|302014: Teardown TCP connection 3201 for production:xxxxxxx/2586 to identity:xxxxxx/443 duration 0:00:00 bytes 758 TCP Reset-I
    6|Oct 19 2011 01:59:34|302013: Built inbound TCP connection 3202 for production:xxxxxxxxxxx/2587 (xxxxxxxxx/2587) to identity:xxxxxx/443 (xxxxxxx/443)
    6|Oct 19 2011 01:59:34|725001: Starting SSL handshake with client production:xxxxxxxxxxx/2587 for TLSv1 session.
    7|Oct 19 2011 01:59:34|725010: Device supports the following 4 cipher(s).
    7|Oct 19 2011 01:59:34|725011: Cipher[1] : DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[2] : AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[3] : AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[4] : RC4-MD5
    7|Oct 19 2011 01:59:34|725008: SSL client production:xxxxxxxxx/2587 proposes the following 26 cipher(s).
    7|Oct 19 2011 01:59:34|725011: Cipher[1] : ADH-AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[2] : DHE-RSA-AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[3] : DHE-DSS-AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[4] : AES256-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[5] : ADH-AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[6] : DHE-RSA-AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[7] : DHE-DSS-AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[8] : AES128-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[9] : ADH-DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[10] : ADH-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[11] : EXP-ADH-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[12] : ADH-RC4-MD5
    7|Oct 19 2011 01:59:34|725011: Cipher[13] : EXP-ADH-RC4-MD5
    7|Oct 19 2011 01:59:34|725011: Cipher[14] : EDH-RSA-DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[15] : EDH-RSA-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[16] : EXP-EDH-RSA-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[17] : EDH-DSS-DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[18] : EDH-DSS-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[19] : EXP-EDH-DSS-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[20] : DES-CBC3-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[21] : DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[22] : EXP-DES-CBC-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[23] : EXP-RC2-CBC-MD5
    7|Oct 19 2011 01:59:34|725011: Cipher[24] : RC4-SHA
    7|Oct 19 2011 01:59:34|725011: Cipher[25] : RC4-MD5
    7|Oct 19 2011 01:59:34|725011: Cipher[26] : EXP-RC4-MD5
    7|Oct 19 2011 01:59:34|725012: Device chooses cipher : DES-CBC3-SHA for the SSL session with client production:xxxxxxxxxx/2587
    6|Oct 19 2011 01:59:34|725002: Device completed SSL handshake with client production:xxxxxxxxx/2587

    Hi Ramkumar,
    The report is complaining that the Certificate Authority who signed the ID certificate presented by the ASA used a weak hashing algorithm. First, you need to determine who signed the certificate.
    If the certificate is self-signed by the ASA, you can generate a new certificate and use SHA1 as the hashing algorithm. To do this, the ASA needs to be running a software version that is at least 8.2(4) (8.3 and 8.4 software also support SHA1).
    If the certificate is signed by an external CA, you need to contact them and ask them to sign a new certificate for you using SHA instead of MD5.
    The links you posted have more information on this as well. Hope that helps.
    -Mike

  • Untrusted server cert chain & does not recognize the certificate authority

    I have java code that makes an ssl connection to an HTTPS server.
    The code works fine when I connect to a server that has a
    certificate that was issued by a recognizable authority.
    But when I try to connect to our test HTTPS server which has a
    certificate that was created by ourselves for debug, I get this
    java exception: "untrusted server cert chain".
    When I connect to our test HTTPS server with a browser, I get
    this message from the browser in a popup window:
    "www.xyz.com is a web site that uses a security certificate to
    identify itself. However netscape 6 does not recognize the
    certificate authority that issued this certificate."
    At this point I am able to accept the certificate in the popup
    window and continue.
    Question: In my java code how can I accept a certificate
    that was signed by an unrecognizable authority just like the
    browser can. Or during debug, how can I set an override
    to accept ALL certs no matter what.
    Thanks.....Paul

    You will have to import your server test certificate into your client machine keystore. By default the keystore will be the 'cacerts' file in JAVA_HOME/jre/lib/security, get your server certificate in .pem format and use keytool to import it to the client.
    keytool -import -alias <anything> -file <full path of .pem file> -keystore <full path of cacerts file>
    The keystore password is 'changeit' by default; keytool comes with the JDK.
    The reasoning behind this is to prevent the misuse of test certificates; the client has to consciously import an untrusted certificate. When you install a real certificate on your server the client will be automatically validated if bought from a trusted CA (Thawte, Verisign).
    Take a look at the java.security.KeyStore class, you can use it to view your certificate chain.
    Ronny.

  • Generate SSL cert with stronger signature algorithm such as RSA-SHA 1 or SHA 2 from Certificate Authority Version: 5.2.3790.3959

    We have a Certificate Authority (Version: 5.2.3790.3959) configured on a Windows 2003 R2 server in our environment. How do I generate an SSL cert with a stronger signature algorithm such as SHA1 or SHA2?
    Currently I am only able to generate SSL certs with md5RSA.

    Hi,
    Since you are using Windows Server 2003 R2 as CA, the hash algorithm cannot be changed, while in Windows 2008 and 2008 R2, changing the hash algorithm is possible.
    Therefore, you need to build a new CA to use a new algorithm.
    More information for you:
    Is it possible to change the hash algorithm when I renew the Root CA
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/91572fee-b455-4495-a298-43f30792357e/is-it-possible-to-change-the-hash-algorithm-when-i-renew-the-root-ca?forum=winserversecurity
    Changing public key algorithm of a CA certificate
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/0fd19577-4b21-4bda-8f56-935e4d360171/changing-public-key-algorithm-of-a-ca-certificate?forum=winserversecurity
    modify CA configuration after Migration
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/0d5bcb76-3a04-4bcf-b317-cc65516e984c/modify-ca-configuration-after-migration?forum=winserversecurity
    Best Regards,
    Amy Wang

  • Upgrade certificate authority to SHA256 hashes

    My SBS 2011 has been running for 2 years, and the certificate authority was created (quietly as part of the installation, it seems) to use SHA1 hashes and the "Microsoft Strong Cryptographic Provider". If I understand correctly, this is considered obsolete by today's standards of security. However, I do not see any easy-to-use guide or how-to to perform the change(s).

    Hi,
    SHA-1 certificates are being phased out very quickly, and in 2017 Microsoft will stop trusting them. However, a lot of browsers will start showing warning messages on these kinds of certificates in 2016. Therefore, to protect yourself, ensure that you are requesting SHA-2 certificates and have replaced any SHA-1 certificates by the end of 2015.
    To check whether a certificate is SHA-1 or SHA-2, browse to the SSL site, then open the SSL certificate. Click on the Details tab and look for Signature Hash Algorithm. It should NOT say SHA1. Do not confuse this with Thumbprint Algorithm, which will always say SHA1, no matter the type of the certificate.
    If they are SHA1, then get them rekeyed to SHA-2.
    See the following article :
    http://www.cusoon.fr/update-microsoft-certificate-authorities-to-use-the-sha-2-hashing-algorithm-2/
    Binu Kumar - MCP, MCITP, MCTS, MBA - IT, Director Aarbin Technology Pvt Ltd
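
    The Signature Hash Algorithm versus Thumbprint Algorithm distinction made above is worth showing at the byte level, because it is the reason a SHA-1 CA certificate cannot be "fixed" by anything the relying party does. The following is an added example, not from the original post and independent of the Windows tooling: it walks the DER of a certificate just far enough to read the signature AlgorithmIdentifier OID inside the TBSCertificate, checks that the outer signatureAlgorithm matches it as RFC 5280 requires, and computes the SHA-1 thumbprint alongside, which is simply the viewer's hash over the whole encoded blob and carries no information about how the certificate was signed. The input is a constructed DER skeleton (`make_fake_cert`) that contains only the fields the parser walks and is not a valid certificate; on a real system you would feed it the bytes of a .cer file instead.

```python
import hashlib

# Dotted OIDs of common signature algorithms, mapped to the names certificate viewers show.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
WEAK_DIGESTS = ("md5", "sha1")


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits give the length-of-length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(value):
    """OBJECT IDENTIFIER content octets -> dotted string."""
    arcs, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)


def _algorithm_oid(alg_identifier):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL }."""
    tag, oid, _ = _read_tlv(alg_identifier, 0)
    assert tag == 0x06, "AlgorithmIdentifier must start with an OID"
    return _decode_oid(oid)


def inspect_certificate(cert_der):
    """Report how a certificate says it was signed, next to the viewer-side SHA-1 thumbprint."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    tag, tbs, pos = _read_tlv(cert, 0)           # tbsCertificate
    assert tag == 0x30
    tag, _, p = _read_tlv(tbs, 0)
    if tag == 0xA0:                              # optional [0] EXPLICIT version (absent in v1)
        tag, _, p = _read_tlv(tbs, p)
    assert tag == 0x02, "serialNumber expected"
    tag, inner_alg, _ = _read_tlv(tbs, p)        # tbsCertificate.signature (inside the signed data)
    assert tag == 0x30
    tag, outer_alg, _ = _read_tlv(cert, pos)     # Certificate.signatureAlgorithm (outside it)
    assert tag == 0x30
    inner_oid = _algorithm_oid(inner_alg)
    name = SIG_ALG_NAMES.get(inner_oid)
    return {
        "oid": inner_oid,
        "signature_algorithm": name or inner_oid,
        # None (unknown) rather than a guess when the OID is not in the table.
        "weak_digest": None if name is None else any(d in name.lower() for d in WEAK_DIGESTS),
        "outer_matches_inner": _algorithm_oid(outer_alg) == inner_oid,   # RFC 5280 4.1.1.2
        "thumbprint_sha1": hashlib.sha1(cert_der).hexdigest().upper(),
    }


# ---- constructed test input: a DER skeleton, NOT a real or valid certificate ----

def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def make_fake_cert(sig_oid):
    """Only the fields the parser walks are present; the signature bytes are filler."""
    alg = _tlv(0x30, _oid(sig_oid) + b"\x05\x00")          # { algorithm, NULL }
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02"))       # version v3
                     + _tlv(0x02, b"\x10\x01")             # serialNumber (arbitrary)
                     + alg                                 # signature
                     + _tlv(0x30, b""))                    # issuer placeholder
    sig_value = _tlv(0x03, b"\x00" + b"\xAA" * 200)        # long enough to force long-form lengths
    return _tlv(0x30, tbs + alg + sig_value)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        print(inspect_certificate(make_fake_cert(oid)))
```

    Both fake certificates get a 40-hex-digit SHA-1 thumbprint, while only the first reports `weak_digest` true: the algorithm field lives inside the signed TBSCertificate, so moving from SHA-1 to SHA-2 means the issuer has to sign again, which is exactly what the CA renewals and rebuilds discussed in the threads above are for. On Windows, `certutil -dump` on the .cer file shows the same Signature Algorithm field.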

  • TMG - 0x80090325 -Certificate Chain was issued by an authority that is not trusted

    Hello,
    I am having some problems with testing a OWA (SSL) rule. I get that message.
    The TMG belongs to the domain and therefore as far as I know it gets the root certificate of my CA (I have deployed a Enterprise CA for my domain).
    That is why I don't understand the message: "...that is not trusted."
    The exact message:
    Testing https://mail.mydomain.eu/owa
    Category: Destination server certificate error
    Error details: 0x80090325 - The certificate chain was issued by an authority that is not trusted
    Thanks in advance!
    Luis Olías Técnico/Admon Sistemas . Sevilla (España - Spain)

    Thanks Keith for your reply and apologies for the delay in my answer.
    I could not wait and I reinstalled the whole machine (W28k R2 + TMG 2010). I suppose I am still a bad troubleshooter; I have experience setting up ISA, TMG, PKI, Active Directory but to a certain extent.
    1. Yes, I saw it when hitting the button "Test Rule" in the Publishing rule in the TMG machine.
    2. No, it did not work in this implementation but it has worked in others, this is not difficult to set up, until now, hehe.
    3. You said: "...If you are seeing it when running "Test Rule" then it simply means that TMG does not trust something about the certificate that is on your Exchange Server...."
    But the certificates are auto-enrolled, and when I saw the details of the certificates they all are "valid" , there is a "valid" message.
    4. You wrote: "...Easiest way see everything is create an access rule that allows traffic from the LocalHost of TMG to the CAS and open up a web browser. Does the web browser complain?..."
    But as I said, I re-installed the whole thing because nobody jumped in here , and I needed to move forward, I hope you understand.
    5. S Guna kindly proposed this:
    If you are using internal CA,
    You need to import the Root CA certificate to TMG servers.
    Import Private Key of the certificate to Server personal
    Create a Exchange publishing Rule and Point the lisitner to the Correct certificate.
    Since you are using internal CA, you need to import the Root CA certificate to all the client browsers from where you are accessing OWA
    But I think I do not have to perform any of those tasks, although I am not an expert but have worked with Certificate for one year or so.
    Luis Olías Técnico/Admon Sistemas . Sevilla (España - Spain)

  • "The certificate chain was issued by an authority that is not trusted" when migrating to SQL 2012

    Environment:
    1 Primary Site (USSCCM-Site.domain.com)
    1 CAS (USSCCM-CAS.domain.com)
    SQL 2008 R2 (USSCCM-CAS.domain.com)
    SQL 2012 SP1 CU6 (USSQL12.domain.com)
    Issue:
    We were successfully able to migrate the CAS to the new SQL 2012 server, almost without incident. When attempting to migrate the Site instance however, we are getting errors. Screenshot below.
    Attached is a copy of the log. But below is a highlight of what I think are the errors… It appears that either SQL or SCCM doesn’t like a certificate somewhere, but it is contradicting because the logs say that it has successfully tested connection to SQL.
    I am lost.
    Logs stating it can connect successfully to SQL
    Machine certificate has been created successfully on server USSQL12.domain.com.    Configuration Manager Setup    10/21/2013 10:20:10 AM    2100 (0x0834)
    Deinstalled service SMS_SERVER_BOOTSTRAP_USSCCM-Site.domain.com_SMS_SQL_SERVER on USSQL12.domain.com.    Configuration Manager Setup    10/21/2013 10:20:10 AM    2100 (0x0834)
    SQL Server instance [sccmsite] is already running under the certificate with thumbprint[f671be844bf39dec7e7fdd725dc30e225991f28a].    Configuration Manager Setup    10/21/2013 10:20:10 AM    2100 (0x0834)
    INFO: Testing SQL Server [USSQL12.domain.com] connection ...    Configuration Manager Setup    10/21/2013 10:20:10 AM    2100 (0x0834)
    INFO: SQL Connection succeeded. Connection: USSQL12.domain.com SCCMSITE\MASTER, Type: Unsecure    Configuration Manager Setup    10/21/2013 10:20:10 AM    2100 (0x0834)
    INFO: Tested SQL Server [USSQL12.domain.com] connection successfully.  Any preceding SQL connection errors may be safely ignored.    Configuration Manager Setup    10/21/2013 10:20:10 AM    2100 (0x0834)
    INFO: Certificate [...]    Configuration Manager Setup    10/21/2013 10:20:10 AM    2100 (0x0834)
    INFO: Created SQL Server machine certificate for Server [USSQL12.domain.com] successfully.    Configuration Manager Setup    10/21/2013 10:20:10 AM    2100 (0x0834)
    INFO: Configuration Manager Setup - Application Shutdown    Configuration Manager Setup    10/21/2013 10:20:10 AM    2100 (0x0834)
    INFO: Running SQL Server test query.    Configuration Manager Setup    10/21/2013 10:20:10 AM    2100 (0x0834)
    INFO: SQL Connection succeeded. Connection: USSQL12.domain.com SCCMSITE\MASTER, Type: Secure    Configuration Manager Setup    10/21/2013 10:20:10 AM    2100 (0x0834)
    INFO: SQL Server Test query succeeded.    Configuration Manager Setup    10/21/2013 10:20:10 AM    2100 (0x0834)
    INFO: SQLInstance Name: sccmsite    Configuration Manager Setup    10/21/2013 10:20:10 AM    2100 (0x0834)
    INFO: SQL Server version detected is 11.0, 11.0.3381.0 (SP1).    Configuration Manager Setup    10/21/2013 10:20:10 AM    2100 (0x0834)
    Logs saying certificate is not trusted
    ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted.    Configuration Manager Setup    10/21/2013 10:20:49 AM    2100 (0x0834)
    *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection    Configuration Manager Setup    10/21/2013 10:20:49 AM    2100 (0x0834)
    ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection    Configuration Manager Setup    10/21/2013 10:20:49 AM    2100 (0x0834)
    *** Failed to connect to the SQL Server, connection type: CCAR_DB_ACCESS.    Configuration Manager Setup    10/21/2013 10:20:49 AM    2100 (0x0834)
    INFO: SQL Connection failed. Connection: CCAR_DB_ACCESS, Type: Secure    Configuration Manager Setup    10/21/2013 10:20:49 AM    2100 (0x0834)
    *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted.    Configuration Manager Setup    10/21/2013 10:20:52 AM    2100 (0x0834)
    ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted.    Configuration Manager Setup    10/21/2013 10:20:52 AM    2100 (0x0834)
    *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection    Configuration Manager Setup    10/21/2013 10:20:52 AM    2100 (0x0834)
    ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection    Configuration Manager Setup    10/21/2013 10:20:52 AM    2100 (0x0834)
    *** Failed to connect to the SQL Server, connection type: CCAR_DB_ACCESS.    Configuration Manager Setup    10/21/2013 10:20:52 AM    2100 (0x0834)
    INFO: SQL Connection failed. Connection: CCAR_DB_ACCESS, Type: Secure    Configuration Manager Setup    10/21/2013 10:20:52 AM    2100 (0x0834)
    *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted.    Configuration Manager Setup    10/21/2013 10:20:55 AM    2100 (0x0834)
    ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted.    Configuration Manager Setup    10/21/2013 10:20:55 AM    2100 (0x0834)
    *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection    Configuration Manager Setup    10/21/2013 10:20:55 AM    2100 (0x0834)
    ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection    Configuration Manager Setup    10/21/2013 10:20:55 AM    2100 (0x0834)
    *** Failed to connect to the SQL Server, connection type: CCAR_DB_ACCESS.    Configuration Manager Setup    10/21/2013 10:20:55 AM    2100 (0x0834)
    INFO: SQL Connection failed. Connection: CCAR_DB_ACCESS, Type: Secure    Configuration Manager Setup    10/21/2013 10:20:55 AM    2100 (0x0834)
    *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted.    Configuration Manager Setup    10/21/2013 10:20:58 AM    2100 (0x0834)
    ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted.    Configuration Manager Setup    10/21/2013 10:20:58 AM    2100 (0x0834)
    *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection    Configuration Manager Setup    10/21/2013 10:20:58 AM    2100 (0x0834)
    ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection    Configuration Manager Setup    10/21/2013 10:20:58 AM    2100 (0x0834)
    *** Failed to connect to the SQL Server, connection type: CCAR_DB_ACCESS.    Configuration Manager Setup    10/21/2013 10:20:58 AM    2100 (0x0834)
    INFO: SQL Connection failed. Connection: CCAR_DB_ACCESS, Type: Secure    Configuration Manager Setup    10/21/2013 10:20:58 AM    2100 (0x0834)
    *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted.    Configuration Manager Setup    10/21/2013 10:21:01 AM    2100 (0x0834)
    More logs saying cert is not trusted
    *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted.    Configuration Manager Setup    10/21/2013 10:21:20 AM    2100 (0x0834)
    ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted.    Configuration Manager Setup    10/21/2013 10:21:20 AM    2100 (0x0834)
    *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection    Configuration Manager Setup    10/21/2013 10:21:20 AM    2100 (0x0834)
    ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection    Configuration Manager Setup    10/21/2013 10:21:20 AM    2100 (0x0834)
    *** Failed to connect to the SQL Server, connection type: CCAR_DB_ACCESS.    Configuration Manager Setup    10/21/2013 10:21:20 AM    2100 (0x0834)
    INFO: Updated the site control information on the SQL Server USSQL12.domain.com.    Configuration Manager Setup    10/21/2013 10:21:39 AM    2100 (0x0834)
    *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted.    Configuration Manager Setup    10/21/2013 10:21:39 AM    2100 (0x0834)
    ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]SSL Provider: The certificate chain was issued by an authority that is not trusted.    Configuration Manager Setup    10/21/2013 10:21:39 AM    2100 (0x0834)
    *** [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection    Configuration Manager Setup    10/21/2013 10:21:39 AM    2100 (0x0834)
    ERROR: SQL Server error: [08001][-2146893019][Microsoft][SQL Server Native Client 11.0]Client unable to establish connection    Configuration Manager Setup    10/21/2013 10:21:39 AM    2100 (0x0834)
    *** Failed to connect to the SQL Server, connection type: CCAR_DB_ACCESS.    Configuration Manager Setup    10/21/2013 10:21:39 AM    2100 (0x0834)
    CSiteSettings::WriteActualSCFToDatabase: Failed to get SQL connection    Configuration Manager Setup    10/21/2013 10:21:39 AM    2100 (0x0834)
    CSiteSettings::WriteActualSCFToDatabaseForNewSite: WriteActualSCFToDatabase(USA) returns 0x87D20002    Configuration Manager Setup    10/21/2013 10:21:39 AM    2100 (0x0834)
    ERROR: Failed to insert the recovery site control image to the parent database.    Configuration Manager Setup    10/21/2013 10:21:39 AM    2100 (0x0834)
    Troubleshooting:
    I have read a few articles from other people having this issue that say to find the certificate on SQL 2012 that's being used and export it to the SCCM server, which I've done.
    http://damianflynn.com/2012/08/22/sccm-2012-and-sql-certificates/
    http://trevorsullivan.net/2013/05/16/configmgr-2012-sp1-remote-sql-connectivity-problem/
    http://scug.be/sccm/2012/09/19/configmgr-2012-rtm-sp1-and-remote-management-points-not-healthy-when-running-configmgr-db-on-a-sql-cluster/
    -Brad

    Hi,
    How about importing the certificate in the Personal folder under the SQL Server computer account into the SCCM server computer account or the SCCM server service account? That certificate is for SQL Server identification. You could also set the value of the ForceEncryption option to No (SQL Server Configuration Manager -> SQL Server Network Configuration -> Protocols for <server instance> -> Properties).
    Best Regards,
    Joyce Li
