Certificate Error: "Untrusted certificate"

All replies

  • Hi,

    The issue is simply that Computer B does not trust the domain that trusts the computer that is hosting https://example.com.

    More specifically, when a machine is joined to an Active Directory domain that has a Root Certificate Authority, then the Root Certificate Authority certificate is placed in the client machine's Local Machine Trusted Root Certification Authorities store.

    You can view the certificates in the Local Machine's Trusted Root Certification Authorities store by following these steps:

    1. Run mmc.exe
    2. File -> Add or Remove Snap-in
    3. Select “Certificates” and click “Add”
    4. Select “Computer Account” and click “Next >”
    5. Select “Local Computer” and click “Finish”
    6. Click OK
    7. In the “Console Root” tree, expand “Certificates (Local Computer)”
    8. Expand “Trusted Root Certification Authorities” and click “Certificates”

    On machine A, this store will contain a certificate issued to: “Primary Class 2 Certification Authority”.

    On machine B, this store will NOT contain that certificate, and that is why machine B does not trust https://example.com.

    Can you explain why you would like machine B to trust that website?

    Can you join machine B to the domain that trusts the “Primary Class 2 Certification Authority”?

    If you cannot join machine B to that domain, then another solution is to manually install the “Primary Class 2 Certification Authority” into machine B’s “Trusted Root Certification Authorities”. To do this, follow these steps:

    1. In the “Trusted Root Certification Authorities” store on machine A:
       a. Right-click the “Primary Class 2 Certification Authority” certificate
       b. Select “All Tasks” and click “Export”
       c. Click “Next >”
       d. Select “DER encoded” and click “Next >”
       e. Save the file to a USB stick or someplace accessible from machine B and click “Next >”
       f. Click “Finish”
    2. On machine B:
       a. Open the certificate file exported from machine A
       b. Click “Install Certificate” and click “Next >”
       c. Select “Place all certificates in the following store”
       d. Click “Browse” and select the “Trusted Root Certification Authorities”
       e. Click “OK”, then click “Next >”
       f. Click “Finish”
       g. Click “OK” on the “Security Warning”
    3. On machine B, try to open https://example.com

    I hope that helps,

    John

    • Proposed as answer by John Nobile Tuesday, November 16, 2010 22:38
    • Marked as answer by misvin Wednesday, November 17, 2010 10:58
    Tuesday, November 16, 2010 22:21
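The export-on-A / import-on-B procedure above, scripted as an added example (not code from the thread or from Microsoft) using the Cert: drive and the .NET X509Store API so it also runs on Windows 7 / PowerShell 2.0; it adds the check a practitioner wants before trusting a new root, namely comparing the thumbprint noted on A against the file that arrives on B. The export path and the thumbprint placeholder are assumptions; the subject name is the one quoted in the answer.

```powershell
# Added example: scripted equivalent of the MMC export/import steps, with a thumbprint
# check before the root is trusted. Paths and the thumbprint placeholder are assumptions.

$subjectMatch = '*Primary Class 2 Certification Authority*'
$exportPath   = 'E:\PrimaryClass2Root.cer'      # placeholder: USB stick or share reachable from B

# ---------- On machine A: find the root in LocalMachine\Root and export it DER-encoded ----------
$root = @(Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Subject -like $subjectMatch })
if ($root.Count -ne 1) { throw "Expected exactly one match in LocalMachine\Root, found $($root.Count)." }
$root = $root[0]

# X509ContentType::Cert is the DER form ('DER encoded' in the wizard); a root carries no private key.
$der = $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($exportPath, $der)
"Exported: {0}`nThumbprint (record it, verify it on B): {1}" -f $root.Subject, $root.Thumbprint

# ---------- On machine B: verify what you are about to trust, then add it to LocalMachine\Root ----------
$expectedThumbprint = 'PASTE-THUMBPRINT-FROM-MACHINE-A'   # placeholder, compared out of band
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $exportPath

# Installing a root is an all-or-nothing trust decision for every user of B, so refuse on any doubt.
if ($cert.Thumbprint -ne $expectedThumbprint) { throw "Thumbprint mismatch: not the certificate exported from A." }
if ($cert.Subject -ne $cert.Issuer)          { throw "Not self-signed: this belongs in an intermediate store, not Root." }
if ($cert.NotAfter -lt (Get-Date))           { throw "Certificate already expired; importing it will not fix the error." }

# Writing to LocalMachine\Root needs an elevated prompt.
$store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'Root', 'LocalMachine'
$store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$store.Add($cert)
$store.Close()

# Confirm it landed in the machine store, which is the one a server-trust check consults.
Get-ChildItem -Path Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $expectedThumbprint } |
    Select-Object Subject, NotAfter, Thumbprint
```

Run the first half on A and the second half on B; the thumbprint is what ties the two together, so pass it by a channel other than the file itself.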
  • Hi John,

    Thank you for the detailed answer. The bottom line: it works now.

    But I have new questions and I want to understand how certificates work. So, if needed, I can open new threads.

    1. What is the difference between Certificates (Local Computer), Certificates (Current User) and Certificates (Service)?
    I see that Certificates (Local Computer) and Certificates (Current User) contain similar information: folder names, certificates (approx. 60-70%).
    Is it like HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER in the registry?

    2. Is there a shorter path to access/view Certificates (Local Computer)? For example, to access Certificates (Current User) I can run the command certmgr.msc.

    Wednesday, November 17, 2010 11:14
  • Hi,

    1. Yes, the Local machine certificate store and the user certificate store are like the LM and CU registry hives: each user that logs on to that machine will have their own set of certificates, either auto-enrolled from the Active Directory or manually installed. On the other hand, the Local machine store will have the same set of certificates independent of the logged-on user. Some operations, like establishing that another server is trustworthy, require machine trust. Other operations, like sending an encrypted email, require a user-specific certificate that no other user should be able to access.

    2. When you open the Local machine store as noted above, you can "File -> Save" the MMC console with any consoles loaded that you desire. This will serve as a shortcut similar to certmgr.msc and you can copy the saved file to other computers if you wish. There is no built-in way to open the Local Machine store that is faster than what I already suggested.

    Thanks!

    John

    • Proposed as answer by John Nobile Wednesday, November 17, 2010 17:10
    • Marked as answer by misvin Wednesday, November 17, 2010 20:59
    Wednesday, November 17, 2010 17:03
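An added example (not from the thread) that makes the LM/CU comparison in the answer above concrete: it reads both Root stores through the Cert: drive and lists the roots present in only one of them, which is the audit a defender actually wants, since a root that exists only for one user was installed by or for that account and no other user sees it. It assumes nothing beyond a Windows host with PowerShell 2.0 or later.

```powershell
# Added example: compare LocalMachine\Root with CurrentUser\Root and report the differences.

function Get-RootStore {
    param([string]$Location)   # 'LocalMachine' or 'CurrentUser'
    Get-ChildItem -Path "Cert:\$Location\Root" | ForEach-Object {
        New-Object PSObject -Property @{
            Location   = $Location
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            NotAfter   = $_.NotAfter
        }
    }
}

$machine   = @(Get-RootStore -Location LocalMachine)
$user      = @(Get-RootStore -Location CurrentUser)
$machineTp = @($machine | ForEach-Object { $_.Thumbprint })
$userTp    = @($user    | ForEach-Object { $_.Thumbprint })

$shared = @($machine | Where-Object { $userTp -contains $_.Thumbprint })
"LocalMachine\Root: {0}   CurrentUser\Root: {1}   in both: {2}" -f $machine.Count, $user.Count, $shared.Count

# The user Root view normally also surfaces the machine roots, so the interesting set is
# what appears ONLY under CurrentUser: per-user trust that other accounts do not share.
"`nRoots only in CurrentUser\Root (per-user trust, review these one by one):"
$user | Where-Object { $machineTp -notcontains $_.Thumbprint } |
    Format-Table Subject, NotAfter, Thumbprint -AutoSize

"`nRoots only in LocalMachine\Root:"
$machine | Where-Object { $userTp -notcontains $_.Thumbprint } |
    Format-Table Subject, NotAfter, Thumbprint -AutoSize

# An expired root still sits in the store as 'trusted'; these are candidates for removal.
"`nExpired roots:"
$machine + $user | Where-Object { $_.NotAfter -lt (Get-Date) } |
    Format-Table Location, Subject, NotAfter -AutoSize
```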
  • Hi John,

    Thanks for your professional answers.

    You asked me: "Can you explain why you would like machine B to trust that website?
    Can you join machine B to the domain that trusts the “Primary Class 2 Certification Authority”?"

    I would like machine B to trust that website (https://example.com) because I don't want to see Certificate Error: "Untrusted certificate" when I access that website.

    I can, but I don't want to join machine B to a domain.

    ===============================================================

    If it isn't very difficult for you, please explain to me how it works:
    I have installed Windows 7 with Internet Explorer 8. The Internet Explorer 8 installation has built-in certificates like the Verisign CA. Now I try to connect to the site https://www.bankXYZ.com, which has a certificate that was signed by the Verisign company.
    I want to know (step by step) how I get access to the site https://www.bankXYZ.com (how the certificate mechanism works): ALL request transactions my computer <-> website server to validate certificate authentication.
    Which information is sent between my computer and the website server?
    Does Internet Explorer copy the certificate from the bank website to my computer?

    Thanks

    Wednesday, November 17, 2010 21:38
  • Hi,

    To see the true step-by-step, you can enable CAPI logs, go to an "https" site, and examine the logs from start to finish.

    A very detailed walk-through of what exactly happens is here: http://technet.microsoft.com/en-us/library/cc749296(WS.10).aspx

    Thanks,

    John

    • Proposed as answer by John Nobile Thursday, November 18, 2010 19:15
    • Marked as answer by misvin Thursday, November 18, 2010 19:29
    Thursday, November 18, 2010 0:15
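The "enable CAPI logs, visit the site, read the log" procedure from the answer above, as an added example (not from the thread): it turns on the CAPI2 operational log, makes a single HTTPS request, and reads back only the chain-building events written during that request, so the failure reason for an untrusted root can be read directly instead of hunting through the whole log. It assumes an elevated prompt; $url is a placeholder for the site being troubleshooted.

```powershell
# Added example: capture the CAPI2 events for exactly one HTTPS request. Run elevated.

$url = 'https://example.com'                       # placeholder: the site that shows the error
$log = 'Microsoft-Windows-CAPI2/Operational'

# 1. The CAPI2 operational log is disabled by default; enable it and note our start time.
wevtutil set-log $log /enabled:true
$since = Get-Date

# 2. Trigger a single TLS handshake. On a machine that lacks the root this is expected
#    to fail; the point is the events it leaves behind, not the response.
try {
    $req = [System.Net.WebRequest]::Create($url)
    $req.Method = 'HEAD'
    $req.GetResponse().Close()
    "Request succeeded: the chain validated on this machine."
} catch {
    "Request failed: $($_.Exception.Message)"
}

# 3. Read back only what CAPI2 wrote since the request and show the sequence of tasks
#    (chain building, policy verification, revocation checks) in the order they happened.
$events = @(Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue)
"{0} CAPI2 events recorded for this request" -f $events.Count
$events | Sort-Object TimeCreated |
    Select-Object TimeCreated, Id, TaskDisplayName, LevelDisplayName |
    Format-Table -AutoSize

# 4. Error-level events (Level 2) carry the failure code in their XML payload; for a root that
#    is not in the machine's Trusted Root store that is CERT_E_UNTRUSTEDROOT (0x800B0109).
$events | Where-Object { $_.Level -eq 2 } | ForEach-Object { $_.ToXml() }

# 5. The log is verbose; turn it back off when the investigation is done.
wevtutil set-log $log /enabled:false
```

Compare the event sequence on machine A (root present) and machine B (root absent): the chain-building task is the same on both, and the only difference is the policy-verification result.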