Certificate authority is not installed

Similar Messages

• Certificate Authority is not being seen by windows server 2003 machines

  Good Afternoon,
  We recently installed a certificate authority using windows server 2008 r2. There was an old certificate authority that had went bad and the role could not be uninstalled on the bad server. The new certificate authority works with windows 2008 machines but
  does not work with server 2003 machines. Mainly trying to get the domain controller certificate. At first it was stating that the rpc was unavailable for the CA. I tried to delete the remnants under the sites and services role of the old server. The error
  now it states that it can not find a certificate authority. As stated above the newer machines (Server 2008)  can see the certificate authority and request certificates but older machines cant. Any assistance on what to do next will be greatly appreciated.
  Attached is the error I receive when trying to request a certificate through the CA mmc.
  dmg

  It is possible to change the hash algorithm a CA uses  to support XP and 2003 "out of the box" without the hotfix.
  But it would be better to have two CAs in parallel - one using a more modern algorithm and a CA supporting a "legacy" algorithm - and the latter should only be used as long as there are clients that aren't able to validate the other algorithms.
  On the CA, start regedit and locate the following registry key:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\<Your CA>\CSP
  I am assuming that the Software CNG provider is used with SHA256 or higher (not with SHA1).
  Change CNGHashAlgorithm to SHA1 and restart the CA service.
  The setting can be reverted by changing the value back. All certificates and all CRLs signed by this CA will use the new hash algorithm after the restart.

• "Symantec Class 3 EV SSL CA - G2" intermediate Certificate Authority is not trusted by Firefox ?

  ''locking as duplicate of [https://support.mozilla.org/en-US/questions/1014430 /questions/1014430]''
  Hallo
  We recently purchased a certificate from Symantec. It's intermediate authority is Symantec Class 3 EV SSL CA - G2, but Mozilla firefox doesn't seem to trust it. Other browsers (IE and Chrome) have the certificate chain trusted. Is there a way to add this certificate chain in Firefox, because many of our clients using Firefox are complaining and asking about our site's security.

  hello JKlecherov, firefox shouldn't give any error, when the intermediary certificate is properly linked to the root ca. please refer to symantec's documentation how to install it on your server or you can also use their tool at https://ssltools.websecurity.symantec.com/checker/views/certCheck.jsp

• Certificate authority does not start on migrated 2012R2 server

  I have migrated the root CA from windows 2003 to 2012R2 according to TechNet instructions
  http://technet.microsoft.com/en-us/library/ee126140(v=ws.10).aspx
  The service does not start.
  The error shown is:
  The dependency service does not exist or has been marked for deletion. 0x433 (WIN32: 1075 ERROR_SERVICE_DEPENDENCY_DELETED)
  In the event log:
  The Certificate Services service depends on the following service ProtectedStorage. This service might not be installed.
  Thanks,
  James.
  James.

  Hi Mark,
  Thanks for helping me out here.
  The CA is enterprise, has the same name and there is no hardware module. It is not on a Domain Controller. Its history is that it was a Windows 2000 CA that was upgraded to 2003 using a similar method (many years ago). There has been no customisations
  or any changes from the default values.
  I think I found the mistake I made. When I had edited the registry settings backup file, I had only changed file locations. I needed to also go through all the settings and delete those from the file that are not listed on the document. There was one setting
  about dependent services that should not have been brought over to the new service. After I did this, the service started ok.
  I also found I made another mistake, that I had not backed up the certificate templates from the old server and so could not restore them to the new server. When I go to the CA manager and click on Certificate Templates, it shows an error "Template
  information could not be loaded".
  Do you know if this is important?
  Do I need to get the old templates or can I create new ones? We have not customised anything. I did not connect the new CA to the network yet, so it can not access AD.
  That step is in another document for "preparing to migrate". Of course I googled straight into the "Migrating.." document, so missed it from my work list.
  Regards,
  James.
  James.

• Windows Server 2008 R2 Standard "Certificate Authority Service" / Exchange Server 2010 EMC not starting and no AD connectivity for authentication.

  Hello,
  I am a new IT Manager at this company and need assistance big time. Their environment looks as follows:
  Server 1. Domain Controller Server (Windows Server 2008 R2 Standard) running active directory.
  Server 2. Email Server (Windows Server 2008 R2 Standard) running Exchange Server 2010 .
  * Note. No back ups to work with aside from whats mentioned below.
  DC had a virus infection causing a lot of issues on the shared network drives 2 days ago locking up all the files with a crypto ransom virus. Running Avast suppressed the infection. Had to recover the file shares which luckily had a back up. 
  The issue is that the Exchange Server 2 post this lost connectivity with the AD Server 1. Exchange Server 2 when launching EMC could not launch the console stating the following:
  "No Exchange servers are available in any Active Directory sites. You can’t connect to remote
  Powershell on a computer that only has the Management Tools role installed."
  Shortly after I found that it is possible the EMC launcher was corrupt and needed to be reinstalled following another blog post. I deleted the exchange management console.msc  per instructions only to discover I couldnt relaunch it because there was
  no way how. So I copied another msc file that happened to be on the DC Server 1  back to Exchange Server 2 and got it to launch again. 
  Another post said that it might be an issue with the Domain Account for the Computer, so to delete it in the AD Server 1 only to find that rejoining it from Exchange Server 2 using Computer>Properties> Chage Settings > Change is greyed out because
  it is using the Certificate Authority Service.
  I tried manually re-adding the computer in AD and modeling permissions after another server in group settings but no go. After this I was unable to login to the Exchange Server 2 with domain accounts but only local admin, receiving the following Alert:
  "The Trust Relationship between this workstation and primary domain failed."
  I tried running the Power Shell tools on Exchange Server 2 to rejoing and to reset passwords for domain accounts as noted in some other blogs but no luck as the Server 2 could not make the connection with Server1 or other errors it kept spitting out.
  I also during the investigation found the DNS settings were all altered on both the Server 1 and Server 2 which I luckily was able to change back to original because of inventorying it in the beginning when I started. 
  I need help figuring out if I need to rejoin the Exchange Server 2 manually by disabling the Certificate Authority Service (or removing the CA as listed here:
  https://social.technet.microsoft.com/Forums/exchange/en-US/fb23deab-0a12-410d-946c-517d5aea7fae/windows-server-2008-r2-with-certificate-authority-service-to-rejoin-domain?forum=winserversecurity
  and getting exchange server to launch again. (Mind you I am relatively fresh to server managing) Please help E-Mail has been down for a whole day now!
  Marty

  I recommend that you open a ticket with Microsoft Support before you break things more.
  Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

• Untrusted server cert chain & does not recognize the certificate authority

  I have java code that makes an ssl connection to an HTTPS server.
  The code workes fine when I connect to a server that has a
  certificate that was issued by a recognizable authority.
  But when I try to connect to our test HTTPS server which has a
  certificate that was created by ourselves for debug, I get this
  java exception: "untrusted server cert chain".
  When I connect to our test HTTPS server with a browser, I get
  this message from the browser in a popup window:
  "www.xyz.com is a web site that uses a security certifcate to
  identify itself. However netscape 6 does not recognize the
  certificate authority that issued this certificate."
  At this point I am able to accept the certificate in the popup
  window and continue.
  Question: In my java code how can I accept a certificate
  that was signed by an unrecognizable authority just like the
  browser can. Or during debug, how can I set an override
  to accept ALL certs no matter what.
  Thanks.....Paul

  You will have to import your server test certificate into your client machine keystore. By default the keystore will be the 'cacerts' file in JAVA_HOME/jre/lib/security, get your server certificate in .pem format and use keytool to import it to the client.
  keytool -import -alias <anything> -file <full path of .pem file> -keystore <full path of cacerts file>
  The keystore password is 'changeit' by default, keytool comes with the JDK.
  The reasoning behind this is to prevent the misuse of test certificates, the client has to consciously import an untrusted certificate. When you install a real certificate on your server the client will be automatically validated if bought from a trusted CA (Thawte, Verisign).
  Take a look at the java.security.KeyStore class, you can use it to view your certificate chain.
  Ronny.

• Unable to Install Root CA Certificate - Certificate cannot be verified up to a trusted certificate authority.

  Hi,
  I am trying to install CA root certificate on Windows 7, IE 9.
  Encounter error: "Untrusted Certificate".  "This certificate cannot be verified up to a trusted certificate authority."
  I have tried to install the certificate to Trusted Root Certificate Authorities->local computer and import was successful. BUT on IE->Internet Options->Certificate->Trusted Root Certificate Authorities, I am unable to find this root CA on
  the list.
  On mmc->Certificates->Trusted Root Certificate Authorities->certificates, I am able to view this root CA.
  I then restarted the IE and view the ssl site again but failed too, "Untrusted Certificate".
  Anyone, any idea ?
  Regards,
  Eye Gee

  Hi,
  If you install the certificate but then cannot see it please read the following KB article:
  You cannot view certificate information in Windows Internet Explorer 7 or in Certificate Manager after you successfully import a certificate on a Windows Vista-based computer(although it applies to Windows Vista)
  http://support.microsoft.com/default.aspx?scid=kb;EN-US;932156
  This is also because of this: Microsoft Security Advisory: Update for minimum certificate key length
  http://support.microsoft.com/kb/2661254
  To get rid of the error, you can self-signed certificate for a secured website in Internet Explorer.
  To do this, follow these steps:
  1. In Explorer Options, add the URL to your trusted sites. Exit Explorer.
  2. In Windows Internet Explorer, click Continue to this website (not recommended).
   A red Address Bar and a certificate warning appear.
  3. Click the Certificate Error button to open the information window.
  4. Click View Certificates, and then click Install Certificate.
  5. On the warning message that appears, click Yes to install the certificate and place it in your trusted certificates authority.
  6. Exit Explorer then open the page again. Error should be gone.
  I also would like to suggest you refer to the link below to learn more about certificates:
  Certificate errors: FAQ
  http://windows.microsoft.com/en-HK/internet-explorer/certificate-errors-faq#ie=ie-11
  Understanding Certificate Revocation Checks
  http://blogs.msdn.com/b/ieinternals/archive/2011/04/07/enabling-certificate-revocation-check-failure-warnings-in-internet-explorer.aspx
  Hope it helps.
  Regards,
  Blair Deng
  Blair Deng
  TechNet Community Support

• Every time I launch Firefox it pops up an error stating "Firefox could not install this item because "install.rdf" (provided by the item) is not well-formed or does not exist. Please contact the author about this problem."

  Firefox could not install this item because "install.rdf" (provided by the item) is not well-formed or does not exist. Please contact the author about this problem.
  The statement above is in the pop up error box every time, when I launch Firefox. If I click ok in the box Firefox then opens. How do I fix this initializing/launch problem?

  Start Firefox in [[Safe Mode]] to check if one of your add-ons is causing your problem (switch to the DEFAULT theme: Tools > Add-ons > Themes).<br />
  See [[Troubleshooting extensions and themes]] and [[Troubleshooting plugins]]
  If it does work in Safe-mode then disable all your extensions and then try to find which is causing it by enabling one at a time until the problem reappears.<br />
  You can use "Disable all add-ons" on the [[Safe mode]] start window to disable all extensions.<br />
  You have to close and restart Firefox after each change via "File > Exit" (Mac: "Firefox > Quit"; Linux: "File > Quit")<br />

• Hi! I've got CS3 Design Standard - the actual disks and Software License certificate. It was installed on my laptop which crashed and could therefore not be uninstalled. I have now installed it on my new MacBook Pro, but cannot get it registered with the

  Hi! I've got CS3 Design Standard - the actual disks and Software License certificate. It was installed on my laptop which crashed and could therefore not be uninstalled. I have now installed it on my new MacBook Pro, but cannot get it registered with the serial number. Is it because it wasn't uninstalled on the previous laptop? What to do now?? Thx!

  Maybe this can help someone else...  I simply had to properly uninstall CS3 and reinstall it again after that.  I think that sorted it!  I also remember having a similar issue with Macs at work a couple of years back.  Not sure whether the same applies to CS5/CS6.  Here's a link on how to properly uninstall CS3 on Windows XP, Windows Vista and Mac OS.  I'm on OS X 10.9.2 but it worked just fine.  Remove Creative Suite 3 and CS3 products

• Apps not installing due to not Authorized

  Hi All,
  I've had an Ipod touch for 1 month. Already onto my second due to the white screen of doom.
  Got new one back and updated to 2.0 from 1.5. Tried to sync 1 app and get this error.
  "The application <app name> was not installed on the iPod "Ipod Name" because you are not authorized for it on this computer"
  Now this is the only computer its seen - this is the same computer I got the apps and the same computer I spent £5.99 paying for the update with. So far apple kit is super flaky and the helpful 5 R's is just stupid. Now starting to look at the receipt to spend it back.

  I have seen the same message in iTunes for some purchased music and all I had to do was authorize my computer and message went away.
  Once because I had changed my login due to a new email address I changed it on the apple site but forgot to change it in iTunes.
  Another time iTunes just forgot that I was Authorized to do such things and I needed to remind it.

• Help! Having a problem exporting - iBooks Author tells me iTunes Producer is not installed, but it is... How do I fix this???

  Hi,
  I have finished a book, go through the "publish" process, it starts the export, but at the end gives me a warning message that iTunes Producer is not installed on my Mac, but it is, window open, logged in and all.  The error message refers me to the iTunes page to download it, and that's that.  I can't import the iBook file into the Producer (guess its not the right type of file).
  I'm stuck!  Help!
  thanks
  P

  OsX Mountain lion 10.8.5, ibooks author 2.0 and producer 3.0
  thx
  P

• Certificate Authority - Custom Temp not showing up. W2k8R2ent

  Hi Guys,
  Couldn't see a forum for CA so I had to post it here. Hopefully its the right place.
  (Server is test domain 1 single ad no replication. Running Win 2k8 r2 enterprise)
  So here's the issue I am trying to create and export certificate for other users (eobo).
  It works fine. But I want to do this throught certreq and in order to do that i have to creat custom cert which i did by duplicating User template.
  The new template CopyOfUser i changed(of confirmed) following settings:-
  General Tab = Publish Cert in Active Directory
  Request Handling = Allow private key to be exported & Enroll subject without req any input
  Security : I am logging as domain administrator and it has  Read/Write/Enroll
  Issurance Req: This number of authorized signature = 1
  & Application Policy & Client Authentication.
  Subject Name : Build from AD (Fully Distinguished name)
  Selected boxes : Include email name / Email name / UPN
  Now problem is i cannot see the custom template on Enable Certificate Templates.
  I am very new to CA so I am sure i am missing something or doing something wrong.
  Would love some help.

  Hi,
  I’d suggest if the steps below doesn’t help to remove the CA. Make sure you are using Enterprise Edition (no upgrade from 2K3 or 2K9 standart) of windows
  and install it again as Enterprise Root CA. Check and see if you still have the issue before tweaking the CA further:
  Open ADUC and check navigate to [Buildin > users > properties > members] and make sure the fallowing security groups are present.
    - Authenticated users
   - Domain Users
   - Interactive
  Open ADSI Edit and navigate to
  [Domain Naming context > DC=<DomainNAme>, DC=<DomainNAme> > CN=Users > CN=Cert Publishers > properties > security ]
   and give [Read] and [write]
  permissions to [Authenticated users] group
  Restart the CA.
  Check permissions on the CA:
  Open the [Certificate Authority] console and right click on [properties > Security] and add the fallowing permissions:
  [Authenticated Users]
  [V] Request Certificates
  [Domain Admins]
  [V] Read
  [V] Issue and Manager Certificates
  [V] Manage CA
  [V] Request Certificates
  [Enterprise Admins]
  [V] Issue and Manager Certificates
  [V] Manage CA
  [Administrators]
  [V] Issue and Manager Certificates
  [V] Manage CA
  [V] Request Certificates
  [Domain Controllers]
  [V] Read
  [V] Issue and Manager Certificates
  [V] Manage CA
  [V] Request Certificates
  [Domain Computers]
  [V] Read
  [V] Request Certificates
  Will appreciate if you give feedback if this has helped you. If yes please select “Mark
  as answer”.
  Best Regards,
  Spas Kaloferov
  MCITP: SA6 | EA6 | VA7 | EDA7 |DBA10 | DBD10 | BID10 | EMA14 | SPA14 
  NetShell Services & Solutions | “Design the future with simplicity and elegance”
  Visit me at:
  www.spaskaloferov.com
  |
  www: www.netshell-solutions.com

• I'm getting an error message: The app "Pages" was not installed on the iPhone "Mom's iPhone" because you are not authorized for it on this computer

  Everytime I sync my iPhone it gives me the warning:  The app "Pages" was not installed on the iPhone "Mom's iPhone" because you are not authorized for it on this computer.
  Pages was installed when I initially purchased it for my iPhone, but when I got the 4S recently I got the above message.  I tried deauthorizing and then reauthorizing, but it didn't help.  The Install/Will Install option is there, but gets me the same message.  (And I did hit the Apply button)

  Agh! I figured out I had two apple id's and was able to install Pages from that account.  Dumb! :/

• Help I need help. i get this message'Firefox could not install this item because "install.rdf" (provided by the item) is not well-formed or does not exist. Please contact the author about this problem.' How do i fix this?

  Firefox could not install this item because "install.rdf" (provided by the item) is not well-formed or does not exist. Please contact the author about this problem.
  Well that is the message i get. I can still use firefox(version3.6.8)

  You get that error if an extension is using an old and no longer supported method to install a plugin.
  Which plugin are you trying to install?
  See also http://kb.mozillazine.org/Unable_to_install_themes_or_extensions

• The app was not installed on the iPod because you are not authorized for it on this computer

  Im trying to put a game onto my iPod touch but a message popped up saying "The app was not installed on the ipod because you are
  not authorized for it on this computer. So i tried to look for an answer to this problem and i found one saying you have to go into store
  at the top and authorize so i did and it says ive already authorized it cuz i did it last night please help ME
  P.S. I restored it last night just saying to see if maybe it has something to do with that?

  You need to authorize the account on the computer:
  Store>Authorize ths computer
  Hope this helps