Root CA Certificate Update?

Similar Messages

• Go Daddy UCC Certificate: "ExRCA can only validate the certificate chain using the Root Certificate Update functionality from Windows Update"

  Hello,
  I have this issue regarding certificate chains while performing Outlook Anywhere connectivity test
  by Microsoft Remote Connectivity Analyzer:
  "ExRCA can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled."
  Note: even if I got the error, Outlook Anywhere and
  ActiveSync services work fine.
  Environment:
  - Exchange 2007 with SP3
  - Go Daddy Multiple Domains UCC certificate (up to 5 Subject Alternative Names)
  I already read and followed instructions on this TechNet post
  Can I safely ignore this warning about the SSL cert? Using GoDaddy UCC cert but it is a little bit different by this case.
  So after an investigation I understand the issue above is related to SSL certificate
  Certification Path (see screenshots below).
  NO ERRORS on ExRCA checking
  Go Daddy Secure Certification Authority is under Intermediate Certification Authorities
  repository
  Go Daddy Class 2 Certification Authority is under Intermediate Certification Authorities
  repository
  Starfield Technologies (http://www.valicert.com)
  is under Trusted Root Certification Authorities repository
  ERROR on ExRCA checking
  Go Daddy Secure Certification Authority is under Intermediate Certification Authorities
  repository
  Go Daddy Class 2 Certification Authority is under Trusted Root Certification Authorities
  repository
  Can you add some useful information ?
  I'm opening a support ticket at Go Daddy; I hope they could me some positive feedbacks.
  Regards,
  Luca Fabbri
  Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

  Strange I have a feeling the exrca tool can't validate the godaddy class2 root authority due some older compability and wants to use the older original root authority valicert owned godaddy. Or when the exrca tool is validating the root CA it only has the
  goaddy class2 root ca that was issued by valicert and not the standalone cert when doing the comparision. I sent the question to MS and will let you know when I hear back.
  You can get rid of it
  https://certs.godaddy.com/anonymous/repository.seam
  Download the cert
  ◦gd_cross_intermediate.crt
  Then import it into the trusted root cert authority on your CAS boxes. Then you need to delete the other godaddy class2 root authority. Make sure you see the one you imported both will be named goaddy class2 root authority but one will be issued by valicert.
  Re-run the test and it will go away, I also saw the error with my domain as well using godaddy and got rid of it by using the new cert authority.
  James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

• Error -2147415740 from Keychain when importing a root CA certificate

  I've been given an iMac at work to use as my primary workstation, and work in an environment that uses certificate based authentication. I was provided the root CA certificate as a .pem file to import into my system, and every time I try, Keychain Access throws an error of "-2147415740".
  Running "openssl x509 -inform pem -in cacert.pem -text" shows the certificate as valid, and specifically:
  Subject Public Key Info:
  Public Key Algorithm: rsaEncryption
  RSA Public Key: (8192 bit)
  Modulus (8192 bit):
  I've seen a few other reports of this, and it seems to be tied to the certificate being signed with an 8192 bit key. Asking the company to change to a lower key to sign the certificate is not a possibility, as it would require redistribution across a high number of machines to work around what appears to be an OS X specific bug. Does anyone know a workaround?
  Out of curiosity, I took the certificate and imported it successfully into an iBook running OS X 10.4.0. The certificate continues to work all the way up to 10.4.8, but breaks once Security Update 2006-007 or 10.4.9 is applied. The certificate is also imported just fine on an iPad running iOS 4.2.1.
  For now, I have to avoid using any Apple provided tools, and many 3rd party OS X programs, negating the benefit of using OS X and an iMac.

  sigh
  Result 1, this thread
  Result 2, another person encountering the same problem and posted here on the discussion forums, unanswered, beyond me responding to see if it is the exact same situation I'm now running into.
  Result 3, a posting to the OpenCA users list, also confirming the problem, with no specific solution to the error. Only a workaround of resigning the CA with a 4096bit or lower key, a workaround that as I mentioned already, cannot be done here without forcing every other user in the company to do work for what appears to only be an OS X specific problem/bug.
  Please only respond again if you have an actual useful suggestion for this exact problem. These boards are to help facilitate discussion about problems leading to a solution. Neither of your generic responses has helped, and I'd appreciate it if you could avoid wasting more of my time following up on a new post notification.

• New deploy child domain certificate server didn't publish root trust certificate to the client

  Child domain certificate didn't install into child domain workstation.
  https://support.microsoft.com/en-us/kb/281271?wa=wsignin1.0
  Certification Authority configuration to publish certificates in Active Directory of trusted domain
  Any advise?
  Thanks.

  Hi,
  >>New deploy child domain certificate server didn't publish root trust certificate to the client
  Is this an enterprise root CA or standalone CA?
  If it is an enterprise root CA, it will automatically use Group Policy to propagate its certificate to the Trusted Root Certification Authorities certificate store for all users and computers in the domain. If it is an standalone CA, we can configure GPO
  to distribute the certificate.
  Regarding how to use policy to distribute certificates, the following article can be referred to for more information.
  Use Policy to Distribute Certificates
  https://technet.microsoft.com/en-us/library/cc772491.aspx
  We can run command gpupdate/force to immediately update group policy and then we can refresh the certificates in certmgr.msc to see if the certificate will come up.
  Besides, for certificate questions, we can also ask for suggestions in the following forum.
  Security
  https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserversecurity
  Best regards,
  Frank Shen
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• After installing Windows certificate update cannot login to Yahoo

  MS sent out a new "root certificate" update for Windows today. After installing it everything looks normal, but an attempt to login to Yahoo groups or mail fails with a "duplicate certificate number" error.
  >>>>>>>>>>
  Secure Connection Failed
  An error occurred during a connection to login.yahoo.com.
  You have received an invalid certificate. Please contact the server administrator or email correspondent and give them the following information:
  Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number.
  (Error code: sec_error_reused_issuer_and_serial)
  * The page you are trying to view can not be shown because the authenticity of the received data could not be verified.
  * Please contact the web site owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site.
  <<<<<<<<<<
  I can login with no problems using IE7, which seems suspicious.

  Hello,
  Certain Firefox problems can be solved by performing a ''Clean reinstall''. This means you remove Firefox program files and then reinstall Firefox. Please follow these steps:
  '''Note:''' You might want to print these steps or view them in another browser.
  #Download the latest Desktop version of Firefox from http://www.mozilla.org and save the setup file to your computer.
  #After the download finishes, close all Firefox windows (click Exit from the Firefox or File menu).
  #Delete the Firefox installation folder, which is located in one of these locations, by default:
  #*'''Windows:'''
  #**C:\Program Files\Mozilla Firefox
  #**C:\Program Files (x86)\Mozilla Firefox
  #*'''Mac:''' Delete Firefox from the Applications folder.
  #*'''Linux:''' If you installed Firefox with the distro-based package manager, you should use the same way to uninstall it - see [[Installing Firefox on Linux]]. If you downloaded and installed the binary package from the [http://www.mozilla.org/firefox#desktop Firefox download page], simply remove the folder ''firefox'' in your home directory.
  #Now, go ahead and reinstall Firefox:
  ##Double-click the downloaded installation file and go through the steps of the installation wizard.
  ##Once the wizard is finished, choose to directly open Firefox after clicking the Finish button.
  More information about reinstalling Firefox can be found [[Troubleshoot and diagnose Firefox problems#w_5-reinstall-firefox|here]].
  <b>WARNING:</b> Do not run Firefox's uninstaller or use a third party remover as part of this process, because that could permanently delete your Firefox data, including but not limited to, extensions, cache, cookies, bookmarks, personal settings and saved passwords. <u>These cannot be easily recovered unless they have been backed up to an external device!</u>
  Please report back to say if this helped you!
  Thank you.

• Root CA certificate marked as non-exportable

  Hello All.
  I've found myself with an odd issue. A few months ago I migrated from an old 2008R2 Enterprise CA to a new 2012R2 Core Enterprise CA. I exported the Root CA cert from the old server using the following:
  certutil.exe backupkey C:\Temp\Migration
  That made a P12 file with the private key. I then imported the Root CA on the new server (after decommissioning the old server, installing ADCS, etc) using this command:
  certutil.exe importpfx "blah.p12"
  I continued the rest of the CA Migration steps per TechNet articles (http://technet.microsoft.com/en-us/library/31eca881-0744-447a-ae7a-597310b9d9bf(v=ws.10)#BKMK_PrepDest
  http://technet.microsoft.com/en-us/library/cc742388(WS.10).aspx).
  Things have been fine for months but I wanted to do a scheduled backup of our CA cert and got an error:
  C:\Scripts>Certutil.exe -p Blah -backupkey
  CABackupCertUtil: -backupKey command FAILED: 0x8009000b (-2146893813 NTE_BAD_KEY_STATE)
  CertUtil: Key not valid for use in specified state.
  This error appears to be because my Root CA cert is marked as non-exportable. I verified this by using the Certificates MMC and the option is greyed out.
  My understanding is that importing a PFX with no options marks the private key as exportable but for some reason mine didn't. I'm not sure why but the issue at hand is to fix this for the future.
  I can see 2 possible options. To re-import the P12 file (I still have the original file) or to possibly renew the Root CA certificate although I'm not sure if that will allow it to be exportable.
  We have a lot of certificates issued by this new CA so I'm looking for suggestions or caveats since I can't find anyone else with similar issues.
  Thanks!

  > Would I have 2 CA certificates when I look at the properties of the CA in the MMC?
  you can delete existing key from the store and re-import from PFX file.
  > My understand was that it imports by default with the private key being exportable
  Not sure about certutil (haven't used this parameter for a while). You can try to run it again and check whether it will allow key export.
  > Would I have 2 CA certificates when I look at the properties of the CA in the MMC?
  no, you will still see the same certificate list as before, because this list is maintained by renewals and internal CA database information.
  > Or do you think it would be as easy as re-importing?
  Re-import will solve the issue. If certutil won't help, then use MMC.
  My weblog: en-us.sysadmins.lv
  PowerShell PKI Module: pspki.codeplex.com
  PowerShell Cmdlet Help Editor pscmdlethelpeditor.codeplex.com
  Check out new:
  SSL Certificate Verifier
  Check out new:
  PowerShell FCIV tool.

• Root CA Certificate expired in WTK

  Hi, does anybody knows how to renew root CA certificate for WTK? The one that is inlcuded with WTK is expired.
  Thanks

  Hi there,
  Did you ever find a solution to this problem? Im having a similar problem with a midlet connecting to a https webpage. I get a root ca's certificate expired in wtk 2.
  Any suggestions would be great....thanks

• How to import Root CA certificate (Firefox 22)on windows using certutil? what are the dlls required?

  I was using certutil from my application to import root CA certificate, but it it started complaining about missing dlls after Firefox 18. What are the dlls required.
  It will be appreciable if some one can give the code of Firefox (What they use), to import root CA certificates.
  Thanks

  I found the following with a google search. Hope it helps.
  *https://support.mozilla.org/questions/955513 How to add a private SSL root certificate authority
  *https://support.mozilla.org//questions/952035 Where can I download certutil.exe and the NSS Utils for Windows
  *https://www.felixrr.pro/archives/165/mozilla-nss-utils-with-nspr-compiled-for-download
  *http://wiki.cacert.org/FAQ/BrowserClients#Mozilla_Firefox

• Intermediate CA certificate and the Root CA certificate

  HI
  What are Intermediate CA certificate and the Root CA certificate ??
  What is the difference between these two types of certificates ??
  What are all the other alternative names that are used with these names ??
  thanks
  kumar

  Hi,
  An intermediate certificate is the certificate, or certificates, that go between your site (server) certificate and a root certificate.
  The intermediate certificate, or certificates, completes the chain to a root certificate trusted by the browser.
  Using an intermediate certificate means that you must complete an additional step in the installation process to enable your site certificate to be chained to the trusted root, and not show errors in the browser when someone visits your web site.
  Refer
  https://support.comodo.com/index.php?_m=downloads&_a=view&parentcategoryid=1&pcid=0&nav=0
  The advantages of using intermediate certificates u2013 Sometimes referred to as u2018chainingu2019
  http://www.whichssl.com/intermediate_certificates2.html
  Root certificate
  The root certificate is usually made trustworthy by some mechanism other than a certificate, such as by secure physical distribution. For example, some of the most well-known root certificates are distributed in the Internet browsers by their manufacturers.
  a root certificate is either an unsigned public key certificate or a self-signed certificate that identifies the Root Certificate Authority (CA). A root certificate is part of a public key infrastructure scheme. The most common commercial variety is based on the ITU-T X.509 standard, which normally includes a digital signature from a certificate authority (CA).
  http://support.microsoft.com/kb/887413
  Thanks
  swarup

• Export & Import Self-Signed Root CA Certificate?

  I have created a self-signed Root CA certificate with which I sign all of my other certificates on a leopard Server. This Root CA is installed and trusted on all of our client machines.
  I recently tested exporting and archiving the Root CA in every format available from Keychain Access and then tried to import these files into another Snow Leopard server and was unable to assign the imported Certificates as a "Default Certificate Authority".
  Does anyone know how I can set this Root CA that I created on another server as the default CA on this new machine for signing all future certificates that I create?
  Fore some reason when I go into Keychain Access and select: Keychain Access -> Certificate Assistant -> Set the Default Certificate Authority… I end up with no certificates to choose from and the "Add a Certificate Authority…" button will not allow me to select any of the exported certificate formats that I archived.
  Any thoughts?

  Anyone have any information at all? This seems like a very basic need for maintaining certificates beyond the usable life of the equipment on which they were created.
  I have found precious little information about this specific to Apple OS.

• Can't find Root certificate update (KB931125) in SCCM

  Hi!
  As the thread title says, i can't find the update for new root certificate in the SCCM console but i can see it in the WSUS console. I am in the middle of migrating from 2007 to 2012 so i have two envrionments and in 2007 i can see one update. Windows 7[April
  2012] which is expired. If i check in WSUS console i can see that there is one for March 2014.
  In my 2012 environment I can see the same updates in WSUS but no one appear in SCCM console.
  I synchronize Windows 7 products and all classifications but Tools and drivers.
  I have created a searchfolder where with the criteria where ArticleID equals to 931125 and i can only find the expired update from April 2012.
  I'm not sure how I can troubleshoot this? 
  Thanks!
  EDIT: I forgot to mention that the synchronization of new updates is working just fine, its just this update i can't get into the sccm console.

  Honestly, I think this is a bug and should be reported to CSS. The November 2013 edition of this update is valid but they unfortunately expired a later revision of the update (April 2014) and I think that this is/may be throwing off the sync between
  ConfigMgr and WSUS as it's not a normal scenario.
  Jason | http://blog.configmgrftw.com

• SSL Certificates Update Error in ACE 4710

  Hi,
  I am facing a problem while updating the SSL certificates in ACE 4710. Our certificate is expired and we have purchased a new certificate from CA. Moreover the common name of the certificate is also changed.
  I tried importing the certificate to the repository and change the SSL proxy likewise to use the new certificate. but still the new certificate with new CN is not recognised by the clients. they can see the old certificate only. I even tried deleting and creating a new ssl proxy service with the new cert and attaching it to policy map.
  but still the new certificate is not used even after a reboot,
  Attaching screenshots and running config. Any help will be appreciated.
  BR//Rajiv

  Ravi,
        Here are the procedures for updating your certificate on the ACE. 
  1) Create New RSA Key
  2) Create CSR
  3) Send CSR to CA authority for a new certificate
  4) Import Certificate into the ACE
  5) Change the ssl-proxy to use the new Certificate and Key
  6) Remove the SSL-Proxy from the policy map and reapply
  Now if you created the CSR on a different box, you will need to import both the RSA key are the certificate.  Another thing you should be aware of is a possible change in the Root and intermediate certicates that are used by the CA.  In your configuration, you have
  crypto chaingroup iotms-chain-gr-1
    cert inter-root-new
  Is the the correct certificates for your cert?  If so, it seems odd that there is only on certificate in the Chaingroup.  Most CAs use an intermediate and and a root certificate. 
  Verify that you have the correct chaingroup (with the correct root and intermediate certificates). 

• Unable to Install Root CA Certificate - Certificate cannot be verified up to a trusted certificate authority.

  Hi,
  I am trying to install CA root certificate on Windows 7, IE 9.
  Encounter error: "Untrusted Certificate".  "This certificate cannot be verified up to a trusted certificate authority."
  I have tried to install the certificate to Trusted Root Certificate Authorities->local computer and import was successful. BUT on IE->Internet Options->Certificate->Trusted Root Certificate Authorities, I am unable to find this root CA on
  the list.
  On mmc->Certificates->Trusted Root Certificate Authorities->certificates, I am able to view this root CA.
  I then restarted the IE and view the ssl site again but failed too, "Untrusted Certificate".
  Anyone, any idea ?
  Regards,
  Eye Gee

  Hi,
  If you install the certificate but then cannot see it please read the following KB article:
  You cannot view certificate information in Windows Internet Explorer 7 or in Certificate Manager after you successfully import a certificate on a Windows Vista-based computer(although it applies to Windows Vista)
  http://support.microsoft.com/default.aspx?scid=kb;EN-US;932156
  This is also because of this: Microsoft Security Advisory: Update for minimum certificate key length
  http://support.microsoft.com/kb/2661254
  To get rid of the error, you can self-signed certificate for a secured website in Internet Explorer.
  To do this, follow these steps:
  1. In Explorer Options, add the URL to your trusted sites. Exit Explorer.
  2. In Windows Internet Explorer, click Continue to this website (not recommended).
   A red Address Bar and a certificate warning appear.
  3. Click the Certificate Error button to open the information window.
  4. Click View Certificates, and then click Install Certificate.
  5. On the warning message that appears, click Yes to install the certificate and place it in your trusted certificates authority.
  6. Exit Explorer then open the page again. Error should be gone.
  I also would like to suggest you refer to the link below to learn more about certificates:
  Certificate errors: FAQ
  http://windows.microsoft.com/en-HK/internet-explorer/certificate-errors-faq#ie=ie-11
  Understanding Certificate Revocation Checks
  http://blogs.msdn.com/b/ieinternals/archive/2011/04/07/enabling-certificate-revocation-check-failure-warnings-in-internet-explorer.aspx
  Hope it helps.
  Regards,
  Blair Deng
  Blair Deng
  TechNet Community Support

• Palm pre certificate update

  Hi. today the root certificate of my palm pre expired and I can´t download any app from the Palm catalog. I couldn´t update the certificate and people from the HP support don´t know how to update this certificate. I followed all the steps in the HP instructions but nothing happened, so I´d like to know if somebody knows how to update the certificate or if somebody has the same trouble. Is it possible to update the certificate using webosdoctor or webosquickinstall? May be using internalz? Please help me because I can´t access the cloud services. I have webos 1.4.0 compilation 52 carrier Telcel.

  Hello Papafrita, Welcome to the HP Support Community.
  Have you tried rebooting the phone?  Power it off, pull the battery, wait 30 seconds and reassemble.  Try to install the update again.
  Both of my TouchPads and my Pre3 updated fine.  I had very little Preware on them, and one tablet was completely stock.
  There is a thread or two about this issue over at webosnation.com.  
  According to HP, if you continue to have trouble, try setting the date on the phone to July 1, 2013, turn off the Network Time setting, and try again.
  Since you are running 1.4.0, you have to open the app catalog, search for the word "update", find the update, tap the "Free" button, then the "Launch" button when it finishes downloading. Now change the time to current.
  WyreNut
  I am a Volunteer here, not employed by HP.
  You too can become an HP Expert! Details HERE!
  If my post has helped you, click the Kudos Thumbs up!
  If it solved your issue, Click the "Accept as Solution" button so others can benefit from the question you asked!

• HOW TO INSTALL ROOT (Authority) CERTIFICATES ON S4...

  Recently i bought a 6500 Classic and stupidly deleted my Authority Certificates.
  After trwaling the net for info on how to re-install certificates i couldnt find an answer apart from NO YOU CANT DO THIS.
  Well to that i say NUTS!!! because you can and i will show you how by simply following these steps.
  1. Create a New Folder on your desktop and call it whatever you like.
  2. Open notepad on your computer.
  3. Copy the text below into the Notpad file. (I got this from some website as they were using it for smething else but it does work so thanks to them or thanks to you if this is yours)
   <?xml version="1.0"?>
  <!DOCTYPE html PUBLIC "-//WAPFORUM//DTD XHTML Mobile 1.0//EN" "http://www.wapforum.org/DTD/xhtml-mobile10.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml">
  <head>
  <title>Install root CA</title>
  </head>
  <body>
  <p>
  <a href="der1.cer">Download a CA Cert1</a>
  <a href="der2.cer">Download a CA Cert2</a>
  <a href="der3.cer">Download a CA Cert3</a>
  <a href="der4.cer">Download a CA Cert4</a>
  <a href="der5.cer">Download a CA Cert5</a>
  <a href="der6.cer">Download a CA Cert6</a>
  <a href="der7.cer">Download a CA Cert7</a>
  <a href="der8.cer">Download a CA Cert8</a>
  <a href="der9.cer">Download a CA Cert9</a>
  <a href="der10.cer">Download a CA Cert10</a>
  <a href="der11.cer">Download a CA Cert11</a>
  </p>
  </body>
  </html>
  4. Save the Notpad file as type ALL FILES but when naming it just call it cert.html and save it to the folder you created on your desktop earlier.
  5. Now downlaod the Root Certificates you need to the same folder on your Desktop.
  6. When saving the first Certificate to the folder call it der1 ((make sure not to take out the file extension eg .cer)) then the second der2, third der3 and so on and so on till you get to der11. (Dont worry this will not rename the certificate when it installs on your phone.)
   Example of what the files in your Desktop folder should be called der1.cer, der2.cer etc etc.
  7. Now transfer the whole folder from your Desktop to your Mobile phone. (I did this by using Nokia PC Suite.)
   8. When the folder with the certificates and hmtl we made have been transfered to you phone navigate using your phone to that folder.
  9. Go into the folder and open the cert.html file. (Your browser will now open a page with 11 download links available)10. Now all you have to do is click on each link and accept each certificate remembering to save and they will install on your phone. (On my 6500 Classic i can check this by Navigating through my phone to Menu>Settings>Security>Authority Certificates)
   Notes:- Some errors you may receive when trying to download the certificates through your phone browser may be Already Exists, Expired Certificate and the most annoying is Corrupted Certificate.
  Already Exists - Shouldt allow you to save (DO NOT SAVE IF IT ALLOWS YOU)
  Expired Certificate - (DO NOT SAVE)
  Corrupted Certificate - Install the certificate on your computer first, then go to Tools>Internet Options>Content>Certificates.
  (save the certificate to other people tab) Browse for the certificate you installed then export it in DER format to the Desktop Folder you created then start process over again to get it onto your phone.
  Remember to delete any certificates as you go that you have already installed so you dont get mixed up.
  Any issues reply and i will do what i can to help and if anyone has Hutchinson 3G Root Certificates please let me know.
  Thanks.
  Message Edited by andyhardie on 15-Jul-2009 04:05 PM

  I have nokia 6300 s40v3 and when I tried to open cert.html it showed format unknown.
  What should I do. Can you tell me the format of bookmark so that can rename it to cer.(format)
  sir please give some guidense its very urgent
  reply at *******
  MODERATOR'S NOTE:
  Personal details removed by a moderator. We kindly ask you not to share your personal e-mail address or any other personal information publicly on this forum. This is for your personal safety and privacy.
  Message edited by Aikin19