Problem updating CA root certificates in cacerts file

I've searched all over for this problem, and none of the postings seem to apply
to my situation. Hope this is not a repeat post.
I'm running WLS7 SP2 on W2K AS. I had SSL configured and working properly, until
1/7/2004 came along, of course. I followed the directions in http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57436
to update the Verisign Class2 and 3 root certificates in the cacerts file without
any problem. I also verified from the WL log that the server is reading the "cacerts"
file located in <bea_home>\server\lib. However, when I pulled up my website using
https://, I still get the "...security certificate has expired ..." message.
Why is my browser not getting the updated CA certificates from WLS?
Any help you can provide is much appreciated.
Michael An

Is the server's identity certificate issued by Verisign? Have you updated it? Does
the identity certificate chain include the root CA certificate? It might be that
the browser contains the expired certs among its trusted CA certificates, uses
them to complete the chain and then complains about it.
Pavel.
"Michael An" wrote:
> I've searched all over for this problem, and none of the postings seem to apply
> to my situation. Hope this is not a repeat post.
> I'm running WLS7 SP2 on W2K AS. I had SSL configured and working properly, until
> 1/7/2004 came along, of course. I followed the directions in http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57436
> to update the Verisign Class2 and 3 root certificates in the cacerts file without
> any problem. I also verified from the WL log that the server is reading the "cacerts"
> file located in <bea_home>\server\lib. However, when I pulled up my website using
> https://, I still get the "...security certificate has expired ..." message.
> Why is my browser not getting the updated CA certificates from WLS?
> Any help you can provide is much appreciated.
> Michael An
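
Pavel's suggestion can be checked by inspecting the certificates the server actually presents to the browser rather than the contents of cacerts. The script below is an added example, not part of the original posts: it lists every certificate in a PEM chain that is expired now or will be within a given window. The chain, subject names and file names are constructed sample data generated with openssl.

```shell
#!/bin/sh
# Added example (not from the thread). List the certificates in a PEM chain
# that are expired now, or will be within a given number of seconds.
# A real chain can be saved from: openssl s_client -connect HOST:443 -showcerts

# Split PEM bundle $1 into one file per certificate under directory $2.
split_chain() {
    awk -v d="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = d "/cert" n ".pem"; on = 1 }
        on { print > f }
        /-----END CERTIFICATE-----/   { on = 0; close(f) }
    ' "$1"
}

# Print subject and notAfter of every certificate in bundle $1 that is
# expired $2 seconds from now (0 means "already expired").
expiring_certs() {
    work=$(mktemp -d) || return 1
    split_chain "$1" "$work"
    for c in "$work"/cert*.pem; do
        [ -f "$c" ] || continue
        # -checkend exits non-zero when notAfter falls inside the window.
        if ! openssl x509 -in "$c" -noout -checkend "$2" >/dev/null 2>&1; then
            openssl x509 -in "$c" -noout -subject -enddate | tr '\n' ' '
            echo
        fi
    done
    rm -rf "$work"
}

# Constructed sample data: a root valid for 1 day and a server certificate
# valid for 30 days, concatenated leaf-first as a server would present them.
build_constructed_chain() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Short-Lived Root" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=www.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -days 30 -set_serial 2 \
        -CA "$d/root.pem" -CAkey "$d/root.key" \
        -out "$d/leaf.pem" 2>/dev/null
    cat "$d/leaf.pem" "$d/root.pem" > "$d/chain.pem"
}

demo=$(mktemp -d)
build_constructed_chain "$demo"
echo "Expired right now:"
expiring_certs "$demo/chain.pem" 0
echo "Expired two days from now:"
expiring_certs "$demo/chain.pem" 172800
rm -rf "$demo"
```

If this check flags a certificate in the server's own chain, updating the trust store will not clear the browser warning; the identity keystore has to be reissued or rebuilt with current certificates.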

Similar Messages

  • Update for Root Certificates for Windows 7 [March 2014] (KB931125) - Expired on SCCM 2012 March 2014 SUG

    Hi all,
    The "Update for Root Certificates for Windows 7 [March 2014] (KB931125)" is Expired on SCCM 2012 March 2014 SUG. Is this a problem and is there going to be any fix for this which we can expect in the future?

    I don't have a 931125 for March 2014; however, I do have a November 2013 for 931125 which is still valid. Per the KB (http://support.microsoft.com/kb/931125) the November 2013 is the current and valid version.
    931125 is an unusual update as they simply update it with a new version instead of creating a new KB that supersedes it. Now, why they expired the March 2014 version is unknown but they probably found an issue with it shortly after it was released.
    As a rule, you should always ensure that the search you use or criteria in your ADR excludes expired updates.
    So, to answer the question, no this isn't an issue.
    Jason | http://blog.configmgrftw.com

  • Update for Root Certificates for Windows 7 [March 2014] (KB931125) Expired

    Hi All
    Today I wanted to deploy the security updates of the month March 2014 to my production environment.
    I noticed that the update "Update for Root Certificates for Windows 7 [March 2014] (KB931125)" is Expired.
    Strange, last week I added this update in our Acceptation environment with no problems.
    Does anyone know what happened to this update? I cannot find it on the Microsoft site.
    Regards
    Johan

    Hi Yan Li,
    I don't understand what you're trying to say.
    Why do you quote that old information from the KB article? It's not really relevant to the update Johan asked about because the December 2012 version of KB931125 is not the same update that was released on March 11, 2014 which then immediately expired.
    It's not only the server updates that have been expired this time. It's the Windows 7 update and the Windows XP updates as well. I don't have any other OS versions in my managed environment so I don't know which other OS versions it affects but my guess is it's expired on all of them.
    It would be nice with some real information about why this particular version (March 2014) was recalled.
    If there is a problem with it I would like to know what kind of problems I'll be facing on the clients that did install it before it expired.
    And if there is a problem with it, will there be an interim fix available? Will a new update be released and if so, when?
    Can you please see if you can provide us with some relevant information?

  • Having problem getting installed root certificate to work

    We have a reverse proxy set up with an SSL certificate signed by our local CA.  We are trying to connect to this reverse proxy from iPad over 3G connection.
    Initially, we received the error "Safari cannot open the page because it could not establish a secure connection to the server".  Reading up on this, realized that we needed to install the CA root certificate as a trusted root on the device.
    Got iPhone Configuration utility, set up a configuration profile for the sole purpose of installing the certificate, added the certificate through Credentials section, and assigned the profile to the device.  I can see the certificate updated to the device through General>Profiles and can confirm that it IS the root certificate used to generate the SSL certificate on the proxy.
    Even after application to the iPad (tried on iPhone also), attempt to access our proxy server from the iOS device fails with the same error.
    It is interesting to note, that on a personally owned iPad, instead of the error noted, I received a pop-up indicating the certificate was unknown, and I was presented with options to "Cancel, Details, Continue".  Clicking on "Details", I was allowed to view the certificate properties, and ALSO had a button to "Accept".  Hitting "Accept" installed the certificate as trusted, and I get through the proxy server just fine.  Only problem now is that if I *want* to re-create the prompt, I have no way, as I've found no way to remove certificates from the iPad unless installed via configuration profile.
    We've checked and double-checked, and the certificates all "line up" to the correct CA.
    Any ideas where I might be going wrong?
    Thanks!

    New clue....
    I only have the problem of not connecting to the proxy server if I'm using a 3G connection.  If I turn on wi-fi, connect to an access point, the installed root certificates do their job, and I connect just fine.
    Anyone know of potential problems with SSL certificates over 3G?

  • Update Windows Root Certificates in Windows 2008 R2 Disconnected Environment using WSUS

    Hi all, I need to update the root certs on all my Windows 2008 R2 servers. They have no internet connectivity. I am aware of the issue described by KB931125 but I am not affected by it. My issue is that I would like the 2008R2 servers to update the root certs from my WSUS servers. Is this possible?

    I would suggest that you identify the few individual root certificates that you need, and import them individually to those servers where they are needed.
    It is NOT possible to update root certificates from a WSUS server, except in the case of workstations that are being configured to install KB931125.
    Do NOT install KB931125 to a server operating system.
    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

  • Not able to fix connection not trusted problem, updating date not working, cert8.db file missing in Mozilla Firefox folder

    I have been using Firefox for several years. A few adware programs like digicoupons and discountcoupons bothered me, so I installed Kaspersky Lab antivirus and did a scan. I also changed some settings in the security settings of Mozilla Firefox, but now I am not able to open any site with an https address, and the display of webpages for YouTube etc. is not proper. I have downloaded and installed Firefox at least 6 times but am not able to rectify the problem. The file cert8.db is not available in the folder; I tried to search for it and delete it. Updating the system as well as internet date and time is also not working.
    The error message is Error code: sec_error_unknown_issuer
    Please advise, I have already tried troubleshooting as given in the support link of Mozilla.

    Kaspersky has a feature to filter your web connections. When filtering a secure connection, it needs to present a "fake" certificate to Firefox in order to decrypt and examine the content you are exchanging with the site. Naturally, Firefox does not consider a fake certificate secure, so you need to set up Firefox to work with this feature.
    These are some links I found about 6 months ago. Hopefully one of them will help:
    * See Opera section of this one: http://support.kaspersky.com/us/9093#block1
    * Manual steps using classic menu bar (tap the Alt key to display it): http://support.kaspersky.com/5414

  • Updating Root Certificates

    I have been unable to fully update the root certificates on my Windows 2008 Server machine. I have tried doing a manual install using https://www.verisign.com/support/roots.html and there are still certificates that are not updated, but used to be trusted before certification expiration. Is there a way to update these roots automatically by Windows without messing with Group Policy settings? Or a way to update individual roots via Windows?
    Thanks.

    I'm curious about the intent to do a wholesale update of the root certificates in a server operating system. I would think you should consider yourself lucky, because there are practical limits to the size of the Trusted Root Certificate Store (64kb of certificates, which is 175-200 of them, depending on their data size).
    A more surgical approach is to only install a new root certificate when it is needed for a specific purpose. Otherwise, certificates that are expired can generally just be deleted.
    However, for an alternative approach to this process, I would suggest installation of KB931125 to a **WORKSTATION** operating system (a reference VM not actually used by anybody would be even better), and then EXPORT those certificates that you actually need from that reference system and import them to where they are needed.
    Lawrence Garvin, M.S., MCSA, MCITP:EA, MCDBA
    SolarWinds Head Geek
    Microsoft MVP - Software Packaging, Deployment & Servicing (2005-2014)
    My MVP Profile: http://mvp.microsoft.com/en-us/mvp/Lawrence%20R%20Garvin-32101
    http://www.solarwinds.com/gotmicrosoft
    The views expressed on this post are mine and do not necessarily reflect the views of SolarWinds.

  • MacBookpro Receiving pop up warnings: Error: Unable to establish a secure connection to pop.mail....etc. because the correct root certificate is not installed. Help needed please.

    My Entourage is very slow and 2 Error pop ups (above) are showing. Additionally, a warning about the start up disc being full. I decided to back up to an external HD. When backing up I was surprised to see 9.4GB in the category named 'Other'. I've probably got too much junk stored here (unless it could be iMovie files?). If I could see what was in 'Other', and delete what I don't need, this may be the answer to freeing up more space. The next big file I have is under 'Pictures' which is 1.7GB. I have never downloaded any video or YouTube stuff.
    This is my first experience on this forum.

    Apple in their glorious wisdom did not update the root certificates for users of 10.5, only for 10.6 and later.
    You'll need to make some changes, open your Keychain Access in your Applications or Utilities folder.
    Delete the compromised DigiNotar root certificates, also change the KeyChain Access preferences > Certificates to
    Best Attempt
    Best Attempt
    Require Both
    Because the Certificate Authorities themselves are being attacked, you need the most recent and varied source of valid certificates so your computer does the best it can to verify the site you're visiting is legitimate.
    Also make sure the time and date on your computer is accurate and updated with Apple's time servers, allow any such time requests out your outgoing firewall (aka LittleSnitch)
    You might decide to upgrade to 10.6, it's the best OS version for users of Intel Macs, strips out the PowerPC code you're not using and improved video drivers for better graphics performance. It should run most of your 10.5 software with just minor updates at most.
    Please backup your data off the machine (not TimeMachine) before doing anything as you might need to wipe the drive if the upgrade doesn't go correctly.
    http://store.apple.com/us/product/MC573Z/A
    However OS X Lion 10.7 is a radical change, won't run your older software or drivers and likely be slow on most older hardware. I'd advise against installing it, buy it with a new machine instead.

  • Supersedence problem causing update loop for Root Certificates

    Specs: Server 2008 R2, WSUS 3.0, SCCM 2012 R2, Windows 7 Clients/Updates
    The issue is with the Root Certificate update from December 2012.  The update is not marked as superseded by the November 2013 Root Certificate update.  Is this an issue with Microsoft, or with my WSUS server? Is there any way I can remove or decline the Dec2012 update so that the March 2014 update can take over as the most current update?
    I have tried the KB931125 article and all the other resources with these updates, but my problem doesn't seem to be noted in these articles. From what I can find, the update from Dec2012 has not been installed on my WSUS Server.
    Thank you for the help,
    Phill

    AFAIK the current situation is this:
    "March 2014" was expired by Microsoft on March 17:
    The only KB931125 update that still is applicable is the "November 2013" update.
    ALL other KB931125 updates should be "Declined".
    Rolf Lidvall, Swedish Radio (Ltd)

  • Cannot get Genius to work - Always get same error message - "Genius results can't be updated right now. The required file cannot be found."  Problem also seems to be affecting iCloud and Music Match.

    Cannot get Genius to work - Always get same error message - "Genius results can't be updated right now. The required file cannot be found."  Problem also seems to be affecting iCloud and Music Match. Can anyone help me with this?  What file is missing and from where?

    This is a known problem with Windows 7 Enterprise using certain Group Policy settings. Solution for me was to use another machine running Windows 7 Ultimate.

  • I am a CC subscriber and trying to update lr5.7 and I am told to go to my CC folder and click on install. The problem is, LR is not in my file. I guess I have been using my original lr that I bought years ago. What now? How do I get lr into the CC file?

    I am a CC subscriber and trying to update lr5.7 and I am told to go to my CC folder and click on install. The problem is, LR is not in my file. I guess I have been using my original lr that I bought years ago. What now? How do I get lr into the CC file?

    Gary116 please remove and reinstall Lightroom by following the steps listed in CC desktop lists applications as "Up to Date" when not installed.  The version of Photoshop Lightroom available through the Creative Cloud Desktop application supports your Creative Cloud Membership.

  • What is Certificate and how to configure it in cacerts file...

    Hi,
    I got an error while authenticating to the LDAP server, saying "unable to find valid certification path to requested target". I came to know that I need to configure the LDAP server's certificates in the jre/lib/security/cacerts file, but I don't know how to do it.
    Could someone explain what that certificate is? How do I get that information from the LDAP admins? How do I configure the certificate on my machine and how do I use it in our logic?
    Thanks,
    Sumant K

    I got the certificate and now I want to add it to my cacerts file. How do I do that? Please give me a reply.

  • Hello Sorry for the inconvenience, but I have a problem in Java I can not open files, audio chat, which type of jnlp after the last update of the Java 2012-004 Please help me in solving this problem.

    Hello Sorry for the inconvenience, but I have a problem in Java I can not open files, audio chat, which type of jnlp after the last update of the Java 2012-004
    Please help me in solving this problem. 

    Make sure Java is enabled in your browser's security settings.
    Open Java Preferences (in Utilities folder)
    Make sure Web-start applications are enabled.
    Drag Java 32-bit to the top of the list.
    jnlp isn't an audio file format. It's just a java web-start program (Java Network Launching Protocol).

  • Iphone cacert root certificate imported but not verified

    Hi,
    When I import the cacert.org root certificates to iPhone 6.1.3 the profile shows as imported but "not verified" - anyone else had the same issue / found a solution?
    I have tried directly importing from the cacert.org website and also installing via the Apple configuration utility.

    The command I used is as follows:
    openssl smime -sign -in company.mobileconfig -out signed.mobileconfig -signer server.crt -inkey server.key -certfile cert-chain.crt -outform der -nodetach

  • Go Daddy UCC Certificate: "ExRCA can only validate the certificate chain using the Root Certificate Update functionality from Windows Update"

    Hello,
    I have this issue regarding certificate chains while performing the Outlook Anywhere connectivity test by Microsoft Remote Connectivity Analyzer:
    "ExRCA can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled."
    Note: even if I got the error, Outlook Anywhere and ActiveSync services work fine.
    Environment:
    - Exchange 2007 with SP3
    - Go Daddy Multiple Domains UCC certificate (up to 5 Subject Alternative Names)
    I already read and followed the instructions in this TechNet post, "Can I safely ignore this warning about the SSL cert? Using GoDaddy UCC cert", but it is a little bit different from this case.
    So after an investigation I understand the issue above is related to the SSL certificate Certification Path (see screenshots below).
    NO ERRORS on ExRCA checking:
    - Go Daddy Secure Certification Authority is under the Intermediate Certification Authorities repository
    - Go Daddy Class 2 Certification Authority is under the Intermediate Certification Authorities repository
    - Starfield Technologies (http://www.valicert.com) is under the Trusted Root Certification Authorities repository
    ERROR on ExRCA checking:
    - Go Daddy Secure Certification Authority is under the Intermediate Certification Authorities repository
    - Go Daddy Class 2 Certification Authority is under the Trusted Root Certification Authorities repository
    Can you add some useful information?
    I'm opening a support ticket at Go Daddy; I hope they can give me some positive feedback.
    Regards,
    Luca Fabbri
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Strange, I have a feeling the ExRCA tool can't validate the GoDaddy class2 root authority due to some older compatibility and wants to use the older original root authority, Valicert-owned GoDaddy. Or when the ExRCA tool is validating the root CA it only has the GoDaddy class2 root CA that was issued by Valicert and not the standalone cert when doing the comparison. I sent the question to MS and will let you know when I hear back.
    You can get rid of it:
    https://certs.godaddy.com/anonymous/repository.seam
    Download the cert
    - gd_cross_intermediate.crt
    Then import it into the trusted root cert authority on your CAS boxes. Then you need to delete the other GoDaddy class2 root authority. Make sure you see the one you imported; both will be named GoDaddy class2 root authority but one will be issued by Valicert.
    Re-run the test and it will go away. I also saw the error with my domain as well using GoDaddy and got rid of it by using the new cert authority.
    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com
