Mail Certificate issue

Just opened Mail and had the following warning. Any clues ?

I'm having the same problem. Running 10.6.8 on:
Model Name:    iMac
Model Identifier:    iMac9,1
Processor Name:    Intel Core 2 Duo
Processor Speed:    2.93 GHz

Similar Messages

How do i deal with 'security certificate' issues on my iPad2? I'm unable to answer the security questions that pop up when Im trying to download an app because the pop up does not load properly...

Basically my Ipad2 stopped allowing me to go to sites such as Tumblr a little while ago. It wouldn't display the page properly because of 'security certificate' issues. This in itself would not have been such a problem, but when I went to the App store to try and download the Tumblr App, a pop up appeared asking me to answer some security questions before I could successfully install the App. However, the pop up would not display correctly because of 'security certificate' issues and as a result I can't download any apps from the App Store. Can anyone help with this??

Well, I maged to delete some stuff, download the update...
My Mac mail is still not ok. Still only displays today, yesterday and everything is the 16th of the month previous to this?
All a bit strange to say the least any suggestons on how to resolve this.
I now have a second issue in all my emails at the very top of each it describes in detail the full information of
          Delivered-To:
          Received:
          Received:
          Received:
          Received:
          X-Received:
          Return-Path:
          Received-Spf:
          Authentication-Results:
          Content-Type:
          Mime-Version:
          X-Mailer:
          X-Cloudmark-Analysis:
Surely this should not be displayed rather insecure I would think. Any suggestions on how to amend

Safari/Mail certificate problem with gmail/google

Here is my problem:
I have set-up Mail to use my gmail account through POP. Since yesterday, when I try to get or send mail, mail gives me the error:
Unable to verify SSL server pop.gmail.com
Mail was unable to verify the identity of this server, which has a certificate issued to "pop.gmail.com'. The error was:
You might be connecting to a computer that is pretending to be "pop.gmail.com', and putting your confidential information at risk. Would you like to continue anyway?
I then have the option to show the certificate,cancel or continue. If I hit Continue, nothing happens and mail set itself to offline. If I force Mail back online (Menu Mailbox/Go Online), when it goes on the next automatic check, it turns back offline. After hours of google search, I also tried the option to show the certificate, then drag the icon of the certificate to the desktop, then open the certificate with Keychain in order to add it to the keychain but this did not work for me, keychain refused to open it and if I double-click it on the desktop it opens as a clipping content. If I change the typre/creator to force Keychain to open it, then I got an error "Unable to import an item".
I then tried to access gmail within Safari (not through POP) and I got this error when I tried to login:
Safri cannot establish a secure connection to www.google.com
At the same time, I had no problem to access it with Firefox. Back to google search, I tried to use Safari debug menu to set the security to "Performs Lax Certificate Checks" and then I could access my gmail with Safari. However the problem persists in Mail.
I believe this is a system-wide certificate issue (Firefox not affected because of a diffrent handling of certificates?not much knowledge about certificates). I tried all the standard troubleshooting:
re-boot, logoff, repair permissions, reapply latest security updates, reapply latest OS update, reset Safari, clean-up caches, discarded all mail preferences,clear-up keychain of any google/gmail.
Finally I also found in my searches to try ro download a certicate from Thawte (ThawtePremiumServerCA.cer) and add it to my keychain but this does not solve the problem.
Help will be greatly appreciated
System info: iMac G5 1.6, 1Gb RAM, OS X 10.3.9 (everything up to date according to Software update), internet connection through Airport extreme base station.

Are you saying that this is a well-recognised issue?
Can we assume that the reason for not fixing it is that Nokia want people to use Nokia Messaging instead? It came free with my phone and I did try it. It connected & synchronised well but contacts in headers kept appearing in quotes ("") and when I checked my email from my main IMAP client my sent items included incomplete versions of my emails as well as the finished email - as if it was sending drafts.
I guess I'm sticking with MfE for calendar and IMAP for email...

E-mail certificate import

am unable to import e-mail certificate to set-up SMIME as import utility does not allow me to type the correct password when importing the certificate.only has the numeric options.
certificate was exported from IE on windows 7 platform with the private key included in p12 format.

Hey there, Mike.
Did you ever secure a good answer to this inquiry? If not, I believe that the underlying certificate management framework handles that for you. If I understand things correctly, the Certificate Authority issued the Digital ID that is associated
to a specific email account. I too run multiple email accounts in my outlook client, and if I try to sign an email that is being sent from an account that is different than the one that the Digital ID is for, the client tosses an error dialog indicating
that the digital id is not valid for said account. As such, I think that your concern is mitigated by default.
The hurdle is configuring the client to try to use the certificate only when sending emails from the account associated with the Digital ID. I ended up, in Trust Center|Email Security defaulting to signing each email and then I customized the ribbon
to put the sign/encrypt buttons on the default MESSAGE tab, as reflected here: http://i.imgur.com/z37sj5j.png (note the permission section on the far right).
That way, if I am going to send from an account that is not associated with the Digital ID, then all I have to do is to stroke the Sign button once to tell the client not to attempt to sign said email being composed.
Hope that helps, if you're still looking for a resolution.
What brought me to this thread is my desire to know if Outlook, and the underlying OS, supports multiple Digital IDs. As I drafted this, I talked myself into acknowledging that it probably does by being able to import multiple certificates and then
relying on the integration between the client and host OS to handle selecting which ID/Certificate is appropriate for use when a specific email is composed and sent (based on the originating account) with Signing (& Encryption) enabled. I am going
to get another Digital ID and put the theory to test. I suspect that it'll be intuitive and work just like one would expect. Wish me luck.
Take care.
-t

Reward certificate issue last year and never received

I enrolled in the rewards program last year with a large purchase. This enrollment was in store at the time and I did not provide an email address. I logged in sometime after I enrolled and noticed that I had a $20 certificate issued a week or so after my purchase. I read that these are sent to the email address on file, but I did not have one enrolled. If it was mailed out I did not receive this either.
A second part of this is, when I attempt to go to the email address section on my account it says, "We're sorry. Your email address is currently unavailable."
Is it possilbe to get the points back since I did not have an email address enrolled?
Thanks!

Hello kjeldoran2015,
Welcome to the Best Buy forum!
While an email should be sent out each time points are converted into a certificate, we cannot guarantee the delivery of any emails. There are times where outside factors beyond our control may prevent an email from being delivered. Either way, you would not have needed to receive an email in-order to redeem the $20 certificate because we can look up active certificates in any of our store registers and apply them to a purchase.
As you may read on the forum, a certificate will expire 60 days after it was issued unless noted otherwise on the actual certificate. The $20 certificate in-question cannot be reissued if it has officially expired, per the Program Terms. I am going to send you a private message so that I can go over your account with you to ensure everything is up-to-date. To check your private messages, you will want to login to the forum and click on the yellow envelope at the top.
I hope you have a great day, and thank you for being a My Best Buy™ member.
Derek|Social Media Specialist | Best Buy® Corporate
Private Message

Certificates issued by communications server for client authentication

Hi,
we ran into problem with those certificates, that are being issued by the lync server itself. In our enteprise we have CX600 and CX3000 phones, and i know that certificate authentication is required for the phones to work (both for registrar and webservice).
However, now that users have lync installed, they have their communications server certificate assigned as well. The problem is when a user needs to sign a document with the certificate from our private CA, for most of the users, word or excel suggests to
use a certificate issued by communications server, not our ent CA. Maybe there is a way for LYNC to trust private enteprise CA and not give out its own certificates and STILL use certificate authentication?
Thanks!

Facing almost the same issue, Lync (server) issues ClientAuth certs from "Communication Server", (btw
is not trusted of course), and in turns forces users to make a selection of which VPN cert to use when dialing in, instead of only one ClientAuth cert installed, they now have 2 ClientAuth certs installed, which our internal CA's should care about and NOT
the Lync (server).
Don’t get how an MS product of this caliber can be built without proper PKI integration, how can it NOT utilize internally issued certs for client authentication???
Not the first though, SCCM and OSD is another example....
However, are you saying that Lync communication can’t be used without certificate authentication,
without the user being spammed with credential prompts?
Trying to get clarification on this…

Checklist for Exchange Certificate issues

Checklist for Exchange Certificate issues
1.
Why certificate is important for Exchange and What are Certificates used for
Exchange is now using certificates for more than just web, POP3, or IMAP. In addition to
securing web services, it has also incorporated Transport Layer Security (TLS) for session based authentication and encryption.
Certificates are used for several things on Exchange Server. Most customers also use certificates
on more than one Exchange server. In general, the fewer certificates you have, the easier certificate management becomes.
IIS (OWA, ECP, EWS, EAS, OA, Autodiscover, OAB, UM)
POP/IMAP
SMTP
2.
Common symptoms for
certificate issue
Here we can see three different types of the certificate warning, mainly from the Outlook
side.
a.
Certificate mismatch issue
b.
Certificate trust issue
c.
Certificate expiration issue
3.
Checklists
In this section, checklists will be provided according to the three different scenarios:
Certificate Mismatch Issue
[Analysis]:
This issue mainly occurs because the URL of the web services Outlook tries
to connect does not match the host name in the certificate.
[Checklist]:
Firstly make sure how many host name in your certificate the certificate. Run “Get-ExchangeCertificate | select certificatedomain”.
Secondly, check the web services URLs which Outlook are trying to connect to. Run “Test Email AutoConfiguration”
In this scenario, you need to check the host name for the following services:
Autodiscover
EWS
OAB
ECP
UM
If any of the urls above does not match the one in the certificate, refer to the following article to change
it via EMS:
http://support.microsoft.com/kb/940726
1.
Do not forget to restart the IIS service after applying the changes above.
2. Make sure a valid certificate is enabled on the IIS service.
Certificate Trust Issue
[Analysis]:
For the self-signed and PKI-based (Enterprise)
certificates, they are not automatically trusted by the client computer or mobile device, you must make sure that you import the certificate into the trusted root certificate store on client computers and devices. On the other hand, Third-party or commercial
certificates do not have this problem. Most commercial CA certificates are already trusted because the certificate already resides in the trusted root certificate store. Because the issuer is trusted, the certificate is also trusted. Using third-party certificates
greatly simplifies deployment.
[Checklist]:
If it’s an Enterprise CA certificate, manually install the root certificate to the “Trusted Root Certification Authorities” folder:
If it is a 3<sup>rd</sup>-party certificate, first remove and reinstall the certificate. Check whether the Windows Certificate Store on the local
client is corrupted. If it still does not work, please contact the third-party CA support to verify the certificate.
Certificate Expiration Issue
[Checklist]:
When a certificate is about to expired, we just need to renew it by referring the following article:
Renew an Exchange Certificate
http://technet.microsoft.com/en-us/library/ee332322(v=exchg.141).aspx
To avoid any conflictions, it’s recommended to remove the expired certificate from the certificate store.
[How to set a reminder to alert the administrator when a certificate is about to expired]:
It’s easy to fix the certificate expire issue. But it should be more important to set a reminder before the
certificate expiration. Or there can be a large user impacts.
Generally, the Event ID “^(24|25)$” will appear in Application log when a certificate is about to expire.
If it’s not quite visible, we can refer to the following solution:
http://blogs.technet.com/b/nexthop/archive/2011/11/18/certificate-expiration-alerting.aspx
OWA certificate revoked issue
[Analysis]:
IE
includes support for server certificate revocation which verifies that an issuing
CA has not revoked a server certificate. This feature checks for CryptoAPI revocation when certificate extensions
are present. If the URL for the revocation information is unresponsive, IE cancels the connection.
[Solution or workaround]:
1. Contact CA provider and check whether the questioned certificate is in the Revoked List.
2. If not, check whether the certificate has a private key.
3. Remove the old certificate and import the new one.
Workaround:
IE Internet Options -> Advanced tab -> Clear the "Check for server certificate revocation"
checkbox.
4.
More References
Digital Certificates and SSL
http://technet.microsoft.com/en-us/library/dd351044(v=exchg.150).aspx
More on Exchange 2007 and certificates - with real world scenario
http://blogs.technet.com/b/exchange/archive/2007/07/02/3403301.aspx

(Reported previous post with link to SIS package to moderator)
This is not the correct SIS package for the N73. The package shown is for S60 3.2 devices, but the N73 is not S60 3.2, I believe it is S60 3.0.
Most features may work with this SIS, but if you experience strange problems, try using the S60 3.0 version.
But there are no significant difference between 2.5.3 and 2.5.5 with regard to attachments. The only changes were with localization (languages).
At this point, try 2.7.0 which is out now:
http://businesssoftware.nokia.com/mail_for_exchange_downloads.php
Make sure to pick the right phone on the drop down list. It does matter! There are 4 different packages. This list makes sure you get the right one.
I have seen some issues with attachments not completing that seem to be carrier dependent. You can test this my using Wifi (if possible).
Message Edited by m4e_team_k on 28-Sep-2008 12:25 AM

CF7 and JDK 1.4.2 - EV SSL Certificate Issue

Let me start off by telling the group that we do not use CF for any of our applications. We are a payments company that hosts a .NET API in IIS that 100's of thousands of customer use. We have one particular customer using CF7 and JDK 1.4.2 who is currently unable to process against our API. About a week ago we upgraded our SSL certificates to EV (Extended Validation) and since that time our once happy customer is now unhappy. I have spent hours working with him, going through FAQs and walk throughs, knowledge bases and forums and have had no luck. Here are the details:
EV Certificate issued by DigiCert (4096-bit).
Customer is on CF7 and JDK 1.4.2.
When he attempts to process against our API with the new certificate he gets 'Connection Failure: Status code unavailable' message from his CF application. He is using cfhttp to post his requests. We found a work around that indicated that the only issue with JDK 1.4.2 was importing the high-bit certificates. Our customer installed JDK 1.6, imported the certificate (and all intermediate certificates) successfully into the cacerts file, but when attempting to list using JDK 1.4.2 is returns an invalid certificate error and still will not work.
Please help as we are currently in a work around state for this customer (not long term) and we have exhausted the resources we have access to for solving this issue.
Thanks in advance to those gurus that reply. I have attached a sample post from our customers logs with non-essential data removed.
I can be reached by phone at 801-341-5620 if anyone feels like reaching out to talk.
- Dave

Dave,
I am having a similar issue with CF7 and PayPal's Reporting API which also uses EV SSL.
I can offer that in my testing, both CF 8 and CF 9 do seem to be able to work when using CFHTTP and EV SSL,
so the only solution I can offer at this time is to make the suggestion to your customer that they need to upgrade
to either CF 8 or CF 9 to get the issue quickly resolved.
I'm still working to see if I can find a solution for CF7 and I've been asking around in the CF community for help, so
if I do find a solution, I'll definitely post it there for you.
Cheers

How to fetch certificates issued in past

Hi,
I have a long list of templates issued in my Client's Issuing CA, some of them are not in use. If I try to export " Issued Certificates" list from CA, it hangs.
I want to know how many certificates and last certificate issed from a specific template for fine-tuning and seggregation purpose. Please let me know how we can check that status.
Thanks
Neha Garg

Hi Paul,
I am getting the output like this :
C:\Windows\system32>certutil -view -restrict "certificate template=<1.3.6.1.4.1.
311.21.8.10269956.2688026.1196953.3333800.9810006.227.1092942.575204>"
Schema:
Column Name                   Localized Name                Type    MaxLength
Request.RequestID             Request ID                    Long    4 -- Index
ed
Request.RawRequest            Binary Request                Binary 65536
Request.RawArchivedKey        Archived Key                  Binary 65536
Request.KeyRecoveryHashes     Key Recovery Agent Hashes     String 8192
Request.RawOldCertificate     Old Certificate               Binary 16384
Request.RequestAttributes     Request Attributes            String 32768
Request.RequestType           Request Type                  Long    4
Request.RequestFlags          Request Flags                 Long    4
Request.StatusCode            Request Status Code           Long    4
Request.Disposition           Request Disposition           Long    4 -- Index
ed
Request.DispositionMessage    Request Disposition Message   String 8192
Request.SubmittedWhen         Request Submission Date       Date    8 -- Index
ed
Request.ResolvedWhen          Request Resolution Date       Date    8 -- Index
ed
Request.RevokedWhen           Revocation Date               Date    8
Request.RevokedEffectiveWhen Effective Revocation Date     Date    8 -- Index
ed
Request.RevokedReason         Revocation Reason             Long    4
Request.RequesterName         Requester Name                String 2048 -- In
dexed
Request.CallerName            Caller Name                   String 2048 -- In
dexed
Request.SignerPolicies        Signer Policies               String 8192
Request.SignerApplicationPolicies Signer Application Policies   String 8192
Request.Officer               Officer                       Long
4
Request.DistinguishedName     Request Distinguished Name    String 8192
Request.RawName               Request Binary Name           Binary 4096
Request.Country               Request Country/Region        String 8192
Request.Organization          Request Organization          String 8192
Request.OrgUnit               Request Organization Unit     String 8192
Request.CommonName            Request Common Name           String 8192
Request.Locality              Request City                  String 8192
Request.State                 Request State                 String 8192
Request.Title                 Request Title                 String 8192
Request.GivenName             Request First Name            String 8192
Request.Initials              Request Initials              String 8192
Request.SurName               Request Last Name             String 8192
Request.DomainComponent       Request Domain Component      String 8192
Request.EMail                 Request Email Address         String 8192
Request.StreetAddress         Request Street Address        String 8192
Request.UnstructuredName      Request Unstructured Name     String 8192
Request.UnstructuredAddress   Request Unstructured Address String 8192
Request.DeviceSerialNumber    Request Device Serial Number String 8192
RequestID                     Issued Request ID             Long    4 -- Index
ed
RawCertificate                Binary Certificate            Binary 16384
CertificateHash               Certificate Hash              String 128 -- Ind
exed
CertificateTemplate           Certificate Template          String 254 -- Ind
exed
EnrollmentFlags               Template Enrollment Flags     Long    4
GeneralFlags                  Template General Flags        Long    4
PrivatekeyFlags               Template Private Key Flags    Long    4
SerialNumber                  Serial Number                 String 128 -- Ind
exed
IssuerNameID                  Issuer Name ID                Long    4
NotBefore                     Certificate Effective Date    Date    8
NotAfter                      Certificate Expiration Date   Date    8 -- Index
ed
SubjectKeyIdentifier          Issued Subject Key Identifier String 128 -- In
dexed
RawPublicKey                  Binary Public Key             Binary 4096
PublicKeyLength               Public Key Length             Long    4
PublicKeyAlgorithm            Public Key Algorithm          String 254
RawPublicKeyAlgorithmParameters Public Key Algorithm Parameters Binary 4096
PublishExpiredCertInCRL       Publish Expired Certificate in CRL Long    4
UPN                           User Principal Name           String
2048 -- In
dexed
DistinguishedName             Issued Distinguished Name     String 8192
RawName                       Issued Binary Name            Binary 4096
Country                       Issued Country/Region         String 8192
Organization                  Issued Organization           String 8192
OrgUnit                       Issued Organization Unit      String 8192
CommonName                    Issued Common Name            String 8192 -- In
dexed
Locality                      Issued City
String 8192
State                         Issued State
String 8192
Title                         Issued Title
String 8192
GivenName                     Issued First Name             String 8192
Initials                      Issued Initials               String 8192
SurName                       Issued Last Name              String 8192
DomainComponent               Issued Domain Component       String 8192
EMail                         Issued Email Address          String 8192
StreetAddress                 Issued Street Address         String 8192
UnstructuredName              Issued Unstructured Name      String 8192
UnstructuredAddress           Issued Unstructured Address   String 8192
DeviceSerialNumber            Issued Device Serial Number   String 8192
Maximum Row Index: 0
0 Rows
   0 Row Properties, Total Size = 0, Max Size = 0, Ave Size = 0
   0 Request Attributes, Total Size = 0, Max Size = 0, Ave Size = 0
   0 Certificate Extensions, Total Size = 0, Max Size = 0, Ave Size = 0
   0 Total Fields, Total Size = 0, Max Size = 0, Ave Size = 0
CertUtil: -view command completed successfully.
but it doesnt give me the output that I am looking for. I want to know details of last certificate issued by a given template and its validity status.
Please let me know if I need to make any changes in command.
Thanks
Neha Garg

Transport Mail Database issues crashing Transport service

We are experiencing frequent issues on Hub servers (as often as once a week) where Transport Mail DB issues crash the Transport service. Had an MS specialist in the other day who could not exactly figure out the root cause. The pattern usually is as follows:
1. Event ID 486 - This event refers to a failure to move a log file (associated with Transport Mail DB queues) because it is being used by another process. What that process could be is unknown.
2. Event ID 413 - Unable to create a new logfile because the database cannot write to the log drive.
3. Event ID 492 - The logfile sequence in <dir> has been halted
4. Event ID 17019 - A database operation has encountered a I/O error. The Microsoft Exchange Transport service is shutting down. Exception details: Microsoft.Exchange.Isam.IsamLogWriteFailException: Failure writing to log file (-510)
Also followed by events 7001,1022,1002, and 1003.
Haven't been able to determine what is causing Event ID 486. Not aware of any process that would be tying up the access to the log file. These queue files are stored on a local disk, not a SAN.
Any ideas as to what could be causing this? Running E2K7SP1 Rollup 2 currently on all Exchange systems.

Hi,
I suggest that you use the following method to check which process access the log file indicated in the event 486:
Using Process Explorer
http://www.microsoft.com/technet/sysinternals/utilities/ProcessExplorer.mspx
Then, we did the following:
1. Launch Process Explorer
2. Click Find, Find Handle or DLL
3. Enter the log name indicated in the event 486 and click Search
In addition, please also check whether any events such as 150004 occur before the Transport service crashes. If you notice the event, I also suggest that you refer to the following article:
http://technet.microsoft.com/en-us/library/bb201658(EXCHG.80).aspx
Mike

In which community is it best to discuss mail.app issues?

In which community is it best to discuss mail.app issues?

You should ask in the forum for the version of OSX you are using:
OS X Yosemite
OS X Mavericks
OS X Mountain Lion
Mac OS X v10.7 Lion
Mac OS X v10.6 Snow Leopard

Clean Access Agent 4.0.5 certificate issue

Dear all,
I ran into an issue that I hope you could help me resolve.
We have NAC 4.0.5 and windows active directory domain.... the clients log on to the client to access the network with their domain credentials and they used to get the "Certificate is issued from an untrusted...." until I installed the www.perfigo.com certificate to the local certificate store...
But as I'm a newbie... I seem to have done something on the NAC manager that messed up something, cause now the client considers the certificate issued from a trusted source, BUT a warning stating that the name on the certificate does not match the name (image attached)..
What would be the possible solution to this??

Hi,
This can happen if you change IP address or hostname of the issued certificate...
Have you done any of these?
As side note, please beaware that 4.0.5 is End of Life since March 16th 2009... so you may want to consider upgrading your setup.
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5707/ps8418/ps6128/end_of_life_notice_c51-524732.html.
HTH,
Tiago

S/Mime Digital E-mail certificate failure after update 4.3. Firmware from Update Center

How can I get support?
Before this weekend I was running my Z1 fine with the E-mail client on it. I use 2 exchange activesync enabled accounts. I manually installed 2 e-mail certificates (from Comodo) in dec 2013 last year. I was able to sign an encrypt E_mails send from my Sony Z1.
Today I noticed that E-mail were unable to send and stayed in the outbox of the Sony E-mail client. I noticed that disabeling Sign E-mail fixed this. I was unable to send E-mail with a Signed and or Encrypted option. I tried several things :
- Re-installa certifcates, somehow this doesn't work, it just keeps on saysing "Certificate not installed"
- Try installing certificate from the Settings >> Security screens
- Deleted 1 Exchange account
- Initiated the Exchange account again
What happened? Can someone point me in the right direction? it worked before the 4.3. update
1: It is a bug ?
2: Is it a new way to install / deploy E-mail siging certificates?
I noticed a message saying something like, is this a certificate for App/VPN or a WiFi certificate. It doesn't mention specifically E-mail Siging.
Best Regards,
Onedutch

I placed the certificate on my external SD-card when i tested this.
What i did was that i clicked the link in the email i got from Comodo to collect and install the certificate in my PC running Windows 7 and Chrome. In the top of Chrome i clicked the option to view the certificate. This makes Windows display it. On the information tab i clicked the option to save to file (including the private key) and using default options which makes Windows save it as a *pfx with a file name that i enter myself. I then entered my password when asked.
This file i transferred to the external SD and i can install it by entering the filename and password i set for it. It then shows my email address and name of certificate.
Are you sure that you're entering the correct filename and password of the certificate? Try placing it in the root of the SD-card and check the file name using a file manager or computer.
The certificate doesn't show under Settings -> Security -> Trusted Credentials. I only see the standard certificates there.
- Official Sony Xperia Support Staff
If you're new to our forums make sure that you have read our Discussion guidelines.
If you want to get in touch with the local support team for your country please visit our contact page.

When accessing Intranet sites that use SSL Certificates issued by our internal PKI, FF for Windows give an error of "improperly formatted DER-encoded message"

When accessing Intranet sites with that have SSL Certificates issued by our internal PKI, FF for Windows gives an error messsage - An error occurred during a connection to myshaw. security library: improperly formatted DER-encoded message. (Error code: sec_error_bad_der)
Chrome and IE work fine. This is a new PKI using the SHA-2 signature algorithm.

Hi Guigs2,
From the other post you link too, I can confirm that both the Root and Subordinate CA have been commissioned with the:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\IssuingCA\CSP\AlternateSignatureAlgorithm = 1
registry key set. As can be seen above, the Signature algorithm on an issued certificate is RSASSA-PSS. This is been Microsoft suggested deployment IF you do not wish to support either XP or Windows 2003 machine and lower. In fact, I believe the option has been around since Windows 2008, however, there were of course, a lot more XP machines back then.
The obvious answer is that we would like to maintain the updated algorithm, AND see support for it added for Firefox. I think you will see a LOT more posts like this as people deploy more 2012 PKI infrastructure supporting only Windows 7 and up. Heavens, we may well be forced to Chrome or even back to IE!!! Whilst I do not what to necessary open up other potential vulnerabilities, for the sake of testing, what do you mean by disabling mozilla:pkix?

Configure Windows Server Essentials (2012R2) "Identified problem": "Certificate Issuer is installed on this server" stops the configuration

On a server 2012R2 Essentials when trying to install the essentials experience the first install works ok but the configuration allways stops with the message "Certificate Issuer is installed on this server" and no way to continue the configuration.
Windows/Logs/CBS/
2014-07-24 21:10:04, Info CBS TI: --- Initializing Trusted Installer ---
2014-07-24 21:10:04, Info CBS TI: Last boot time: 2014-07-24 18:36:03.489
2014-07-24 21:10:04, Info CBS Starting TrustedInstaller initialization.
2014-07-24 21:10:04, Info CBS Ending TrustedInstaller initialization.
2014-07-24 21:10:04, Info CBS Starting the TrustedInstaller main loop.
2014-07-24 21:10:04, Info CBS TrustedInstaller service starts successfully.
2014-07-24 21:10:04, Info CBS No startup processing required, TrustedInstaller service was not set as autostart
2014-07-24 21:10:04, Info CBS Startup processing thread terminated normally
2014-07-24 21:10:04, Info CBS Starting TiWorker initialization.
2014-07-24 21:10:04, Info CBS Ending TiWorker initialization.
2014-07-24 21:10:04, Info CBS Starting the TiWorker main loop.
2014-07-24 21:10:04, Info CBS TiWorker starts successfully.
2014-07-24 21:10:04, Info CBS Universal Time is: 2014-07-24 19:10:04.379
2014-07-24 21:10:04, Info CBS Loaded Servicing Stack v6.3.9600.17200 with Core: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.3.9600.17200_none_fa7026dd9b04586e\cbscore.dll
2014-07-24 21:10:04, Info CSI 00000001@2014/7/24:19:10:04.379 WcpInitialize (wcp.dll version 0.0.0.6) called (stack @0x7ffd2cb360e5 @0x7ffd2de92e53 @0x7ffd2de924ac @0x7ff60b37d2df @0x7ff60b37d9e4
@0x7ffd588d2385)
2014-07-24 21:10:04, Info CBS Could not load SrClient DLL from path: SrClient.dll. Continuing without system restore points.
2014-07-24 21:10:04, Info CBS SQM: Initializing online with Windows opt-in: True
2014-07-24 21:10:04, Info CBS SQM: Cleaning up report files older than 10 days.
2014-07-24 21:10:04, Info CBS SQM: Requesting upload of all unsent reports.
2014-07-24 21:10:04, Info CBS SQM: Queued 0 file(s) for upload with pattern: C:\Windows\servicing\sqm\*_std.sqm, flags: 0x2
2014-07-24 21:10:04, Info CBS SQM: Queued 0 file(s) for upload with pattern: C:\Windows\servicing\sqm\*_all.sqm, flags: 0x6
2014-07-24 21:10:04, Info CBS NonStart: Set pending store consistency check.
2014-07-24 21:10:04, Info CBS Session: 30386034_3758808251 initialized by client WinMgmt.
2014-07-24 21:10:04, Info CBS Enumerating Foundation package: Microsoft-Windows-ServerCore-Package~31bf3856ad364e35~amd64~~6.3.9600.16384, this could be slow
2014-07-24 21:10:05, Info CSI 00000002 IAdvancedInstallerAwareStore_ResolvePendingTransactions (call 1) (flags = 00000004, progress = NULL, phase = 0, pdwDisposition = @0x172dbed940
2014-07-24 21:10:05, Info CSI 00000003 Creating NT transaction (seq 1), objectname [6]"(null)"
2014-07-24 21:10:05, Info CSI 00000004 Created NT transaction (seq 1) result 0x00000000, handle @0x25c
2014-07-24 21:10:08, Info CSI 00000005 Poqexec successfully registered in [ml:26{13},l:24{12}]"SetupExecute"
2014-07-24 21:10:08, Info CSI 00000006@2014/7/24:19:10:08.151 Beginning NT transaction commit...
2014-07-24 21:10:08, Info CSI 00000007@2014/7/24:19:10:08.182 CSI perf trace:
CSIPERF:TXCOMMIT;32854
2014-07-24 21:10:08, Info CSI 00000008 CSI Store 99552754976 (0x000000172dce7d20) initialized
2014-07-24 21:10:08, Info CSI 00000009@2014/7/24:19:10:08.182 CSI Transaction @0x172e9bcaa0 initialized for deployment engine {d16d444c-56d8-11d5-882d-0080c847b195} with flags 00000002
and client id [26]"TI5.30386034_3758808251:1/"
2014-07-24 21:10:08, Info CSI 0000000a@2014/7/24:19:10:08.182 CSI Transaction @0x172e9bcaa0 destroyed
2014-07-24 21:10:19, Info CBS Session: 30386012_3156824848 initialized by client DISM Package Manager Provider.
2014-07-24 21:12:19, Info CBS Trusted Installer is shutting down because: SHUTDOWN_REASON_AUTOSTOP
2014-07-24 21:12:19, Info CBS TiWorker signaled for shutdown, going to exit.
2014-07-24 21:12:19, Info CBS Ending the TiWorker main loop.
2014-07-24 21:12:19, Info CBS Starting TiWorker finalization.
2014-07-24 21:12:19, Info CBS Ending the TrustedInstaller main loop.
2014-07-24 21:12:19, Info CBS Starting TrustedInstaller finalization.
2014-07-24 21:12:19, Info CBS Ending TrustedInstaller finalization.
2014-07-24 21:12:20, Info CBS Ending TiWorker finalization.
Any ideas?
//Christer

Hi Justin!
nltest /server:"servername" /sc_reset:"domaninname" returns: "I_NetLogonControl failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN"
Dcdiag /q returns : An error occurred. EventID: 0xC0001B77
The text log was not small enough to post here..
Regards.
Christer
Can not find anything directly related in windows-logs but here is the latest log from CBS folder..
2014-07-28 11:04:25, Info CSI 00000888 [DIRSD OWNER WARNING] Directory [ml:520{260},l:118{59}]"\??\C:\Windows\Inf\Windows Workflow Foundation 3.0.0.0\041D" is not owned but specifies
SDDL in component Microsoft-Windows-WWFCoreComp.Resources, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture = [l:10{5}]"sv-se", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
2014-07-28 11:04:25, Info CSI 00000889 [DIRSD OWNER WARNING] Directory [ml:128{64},l:126{63}]"\??\C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\en" is not owned but specifies
SDDL in component Microsoft.Dtc.PowerShell.Non_msil.Resources, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
2014-07-28 11:04:28, Info CSI 0000088a [DIRSD OWNER WARNING] Directory [ml:134{67},l:132{66}]"\??\C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\MsDtc\en-US" is not owned but specifies
SDDL in component Microsoft.Dtc.PowerShell.Scripts.Resources, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture = [l:10{5}]"en-US", VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
2014-07-28 11:04:28, Info CSI 0000088b [DIRSD OWNER WARNING] Directory [ml:520{260},l:134{67}]"\??\C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework" is not owned but specifies
SDDL in component Microsoft-Windows-WWFCoreComp, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
2014-07-28 11:04:28, Info CSI 0000088c [DIRSD OWNER WARNING] Directory [ml:520{260},l:118{59}]"\??\C:\Windows\Inf\Windows Workflow Foundation 3.0.0.0\0000" is not owned but specifies
SDDL in component Microsoft-Windows-WWFCoreComp, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
2014-07-28 11:04:28, Info CSI 0000088d [DIRSD OWNER WARNING] Directory [ml:520{260},l:114{57}]"\??\C:\Program Files (x86)\Reference Assemblies\Microsoft" is not owned but specifies SDDL
in component Microsoft-Windows-WWFCoreComp, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
2014-07-28 11:04:28, Info CSI 0000088e [DIRSD OWNER WARNING] Directory [ml:520{260},l:144{72}]"\??\C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0" is not owned
but specifies SDDL in component Microsoft-Windows-WWFCoreComp, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
2014-07-28 11:04:28, Info CSI 0000088f [DIRSD OWNER WARNING] Directory [ml:520{260},l:94{47}]"\??\C:\Program Files (x86)\Reference Assemblies" is not owned but specifies SDDL in component
Microsoft-Windows-WWFCoreComp, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
2014-07-28 11:04:30, Info CSI 00000890 Ignoring duplicate ownership for directory [l:72{36}]"\??\C:\Windows\microsoft.net\authman" in component Microsoft.Interop.Security.AzRoles, Version
= 6.3.9600.16384, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
2014-07-28 11:04:31, Info CSI 00000891 [SR] Verify complete
2014-07-28 11:04:31, Info CSI 00000892 [SR] Verifying 100 (0x0000000000000064) components
2014-07-28 11:04:31, Info CSI 00000893 [SR] Beginning Verify and Repair transaction
2014-07-28 11:04:36, Info CSI 00000894 [SR] Verify complete
2014-07-28 11:04:36, Info CSI 00000895 [SR] Verifying 100 (0x0000000000000064) components
2014-07-28 11:04:36, Info CSI 00000896 [SR] Beginning Verify and Repair transaction
2014-07-28 11:04:40, Info CSI 00000897 [DIRSD OWNER WARNING] Directory [ml:520{260},l:120{60}]"\??\C:\Windows\Microsoft.NET\Framework\v2.0.50727\RedistList" is not owned but specifies
SDDL in component NetFx-ASSEMBLYLIST_XML, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope neutral, PublicKeyToken = {l:8 b:b03f5f7f11d50a3a}, Type neutral, TypeName neutral, PublicKey neutral
2014-07-28 11:04:42, Info CSI 00000898 [SR] Verify complete
2014-07-28 11:04:42, Info CSI 00000899 [SR] Verifying 100 (0x0000000000000064) components
2014-07-28 11:04:42, Info CSI 0000089a [SR] Beginning Verify and Repair transaction
2014-07-28 11:04:46, Info CSI 0000089b [SR] Verify complete
2014-07-28 11:04:46, Info CSI 0000089c [SR] Verifying 100 (0x0000000000000064) components
2014-07-28 11:04:46, Info CSI 0000089d [SR] Beginning Verify and Repair transaction
2014-07-28 11:04:52, Info CSI 0000089e [SR] Verify complete
2014-07-28 11:04:52, Info CSI 0000089f [SR] Verifying 100 (0x0000000000000064) components
2014-07-28 11:04:52, Info CSI 000008a0 [SR] Beginning Verify and Repair transaction
2014-07-28 11:04:58, Info CSI 000008a1 [SR] Verify complete
2014-07-28 11:04:58, Info CSI 000008a2 [SR] Verifying 100 (0x0000000000000064) components
2014-07-28 11:04:58, Info CSI 000008a3 [SR] Beginning Verify and Repair transaction
2014-07-28 11:05:02, Info CSI 000008a4 [SR] Verify complete
2014-07-28 11:05:02, Info CSI 000008a5 [SR] Verifying 100 (0x0000000000000064) components
2014-07-28 11:05:02, Info CSI 000008a6 [SR] Beginning Verify and Repair transaction
2014-07-28 11:05:08, Info CSI 000008a7 [SR] Verify complete
2014-07-28 11:05:08, Info CSI 000008a8 [SR] Verifying 52 (0x0000000000000034) components
2014-07-28 11:05:08, Info CSI 000008a9 [SR] Beginning Verify and Repair transaction
2014-07-28 11:05:09, Info CSI 000008aa [DIRSD OWNER WARNING] Directory [ml:520{260},l:56{28}]"\??\C:\Windows\system\Speech" is not owned but specifies SDDL in component Windows-Media-SpeechSynthesis-WinRT,
pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
2014-07-28 11:05:09, Info CSI 000008ab Ignoring duplicate ownership for directory [l:56{28}]"\??\C:\Windows\system\Speech" in component Windows-Media-SpeechSynthesis-WinRT, Version =
6.3.9600.16384, pA = PROCESSOR_ARCHITECTURE_INTEL (0), Culture neutral, VersionScope = 1 nonSxS, PublicKeyToken = {l:8 b:31bf3856ad364e35}, Type neutral, TypeName neutral, PublicKey neutral
2014-07-28 11:05:09, Info CSI 000008ac [SR] Verify complete
2014-07-28 11:05:09, Info CSI 000008ad [SR] Repairing 1 components
2014-07-28 11:05:09, Info CSI 000008ae [SR] Beginning Verify and Repair transaction
2014-07-28 11:05:09, Info CSI 000008af Hashes for file member \??\C:\Program Files\Windows Server\Bin\WebApps\RemoteAccess\Web.config do not match actual file [l:20{10}]"Web.config"
Found: {l:32 b:jiP+IRWGZxsG0nX6il5MCZofFThiSfytb8Ih27r5EPk=} Expected: {l:32 b:KR7DbPqdCKMwdiZI2XDSr42o4ujtpZlzfX9ud+ODKRM=}
2014-07-28 11:05:09, Info CSI 000008b0 [SR] Repairing corrupted file [ml:520{260},l:120{60}]"\??\C:\Program Files\Windows Server\Bin\WebApps\RemoteAccess"\[l:20{10}]"Web.config" from
store
2014-07-28 11:05:09, Info CSI 000008b1 [SR] Repair complete
2014-07-28 11:05:09, Info CSI 000008b2 [SR] Committing transaction
2014-07-28 11:05:09, Info CSI 000008b3 Creating NT transaction (seq 2), objectname [6]"(null)"
2014-07-28 11:05:09, Info CSI 000008b4 Created NT transaction (seq 2) result 0x00000000, handle @0xba4
2014-07-28 11:05:11, Info CSI 000008b5@2014/7/28:09:05:11.308 Beginning NT transaction commit...
2014-07-28 11:05:11, Info CSI 000008b6@2014/7/28:09:05:11.470 CSI perf trace:
CSIPERF:TXCOMMIT;163479
2014-07-28 11:05:11, Info CSI 000008b7 [SR] Verify and Repair Transaction completed. All files and registry keys listed in this transaction have been successfully repaired
2014-07-28 11:07:13, Info CBS Trusted Installer is shutting down because: SHUTDOWN_REASON_AUTOSTOP
2014-07-28 11:07:13, Info CBS TiWorker signaled for shutdown, going to exit.
2014-07-28 11:07:13, Info CBS Ending the TiWorker main loop.
2014-07-28 11:07:13, Info CBS Starting TiWorker finalization.
2014-07-28 11:07:13, Info CBS Ending the TrustedInstaller main loop.
2014-07-28 11:07:13, Info CBS Starting TrustedInstaller finalization.
2014-07-28 11:07:13, Info CBS Ending TrustedInstaller finalization.
2014-07-28 11:07:13, Info CBS Ending TiWorker finalization.
Regards. Christer

Mail Certificate issue

Similar Messages

Maybe you are looking for