none
Unable to Install Root CA Certificate - Certificate cannot be verified up to a trusted certificate authority.

    Question

  • Hi,

    I am trying to install CA root certificate on Windows 7, IE 9.

    Encounter error: "Untrusted Certificate".  "This certificate cannot be verified up to a trusted certificate authority."

    I have tried to install the certificate to Trusted Root Certificate Authorities->local computer and import was successful. BUT on IE->Internet Options->Certificate->Trusted Root Certificate Authorities, I am unable to find this root CA on the list.

    On mmc->Certificates->Trusted Root Certificate Authorities->certificates, I am able to view this root CA.

    I then restarted the IE and view the ssl site again but failed too, "Untrusted Certificate".

    Anyone, any idea ?

    Regards,

    Eye Gee

    Tuesday, February 18, 2014 7:13 AM

Answers

  • May the following workarounds work for you:

    Workaround 1:

    Modify the Windows settings to allow the Update Root Certificate feature to update the root certificates automatically. For details, see the following Microsoft TechNet article:

    Certificate Support and Resulting Internet Communication in Windows Server 2008

    http://technet.microsoft.com/en-us/library/cc771121(WS.10).aspx

    Workaround 2:

    If the Update Root Certificate feature cannot automatically update the root certificates, you may contact the website vender to see if there is a hotfix can fix the issue.

    Tuesday, February 25, 2014 9:52 AM

All replies

  • Hi,

    If you install the certificate but then cannot see it please read the following KB article:

    You cannot view certificate information in Windows Internet Explorer 7 or in Certificate Manager after you successfully import a certificate on a Windows Vista-based computer(although it applies to Windows Vista)

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;932156

    This is also because of this: Microsoft Security Advisory: Update for minimum certificate key length

    http://support.microsoft.com/kb/2661254

    To get rid of the error, you can self-signed certificate for a secured website in Internet Explorer.

    To do this, follow these steps:

    1. In Explorer Options, add the URL to your trusted sites. Exit Explorer.
    2. In Windows Internet Explorer, click Continue to this website (not recommended).
     A red Address Bar and a certificate warning appear.

    3. Click the Certificate Error button to open the information window.
    4. Click View Certificates, and then click Install Certificate.
    5. On the warning message that appears, click Yes to install the certificate and place it in your trusted certificates authority.
    6. Exit Explorer then open the page again. Error should be gone.

    I also would like to suggest you refer to the link below to learn more about certificates:

    Certificate errors: FAQ

    http://windows.microsoft.com/en-HK/internet-explorer/certificate-errors-faq#ie=ie-11

    Understanding Certificate Revocation Checks

    http://blogs.msdn.com/b/ieinternals/archive/2011/04/07/enabling-certificate-revocation-check-failure-warnings-in-internet-explorer.aspx

    Hope it helps.

    Regards,

    Blair Deng


    Blair Deng
    TechNet Community Support

    Wednesday, February 19, 2014 6:50 AM
    Moderator
  • Blair Deng,

    Thank you for the information.

    I have read the mentioned documents,

    1. I have read permission on HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\Root\ProtectedRoots .

    2. Public key size is 1024.

    3. Have tried to add the certificate many times to Trusted Root Certificate Authorities and import was successful.

    However the certificate is still "Untrusted Certificate".

    On mmc->Certificates->Trusted Root Certificate Authorities->certificates, I am able to view this root CA.

    However "Windows does not have enough information to verify this certificate", "The issuer of this certificate could not be found".

    Anyone, any other recommendations ?

    Regards,

    Eye Gee

    Wednesday, February 19, 2014 9:18 AM
  • Hi Eye Gee,

    Thank you for your update.

    Possible causes of such errors are that the system click is set to the wrong date and time or that IE has stored in the past a certificate that has now expired.

    I would like to suggest you make sure your PC's date and time is correct and do an IE reset ( go to Internet Options, Advanced Tab and hit the reset button).

    Please understand that reset Internet Explorer to its default configuration. This step will also disable any add-ons, plug-ins, or toolbars that are installed.

    You may check if the old certificate is installed, if yes, please uninstall the old root certificate and then install the new one.

    In addition, you may contact the web server vender to work on getting his certificate trusted and not expired.

    Hope it helps.

    Regards,

    Blair Deng


    Blair Deng
    TechNet Community Support

    Thursday, February 20, 2014 1:47 AM
    Moderator
  • Blair Deng,

    Thank you for your explanation.

    The certificate is not expired. It is valid from 2/12/2013 to 1/12/2023.

    *********************************************

    When:

    3. Click the Certificate Error button to open the information window.
    General->This certificate cannot be verified up to a trusted certificate authority.

    Certification path-> This CA Root certificate is not trusted because it is not in the Trusted Root Certificate Authorities store.

    4. Click View Certificates, and then click Install Certificate.

    "The import was successful".  However it does not seems to be installed under the  "Trusted Root Certificate Authorities".

    *********************************************

    On mmc->Certificates->Trusted Root Certificate Authorities->certificates, I am able to view this root CA.

    However "Windows does not have enough information to verify this certificate", "The issuer of this certificate could not be found".

    *********************************************

    Regards.

    Eye Gee

    Thursday, February 20, 2014 4:27 AM
  • May the following workarounds work for you:

    Workaround 1:

    Modify the Windows settings to allow the Update Root Certificate feature to update the root certificates automatically. For details, see the following Microsoft TechNet article:

    Certificate Support and Resulting Internet Communication in Windows Server 2008

    http://technet.microsoft.com/en-us/library/cc771121(WS.10).aspx

    Workaround 2:

    If the Update Root Certificate feature cannot automatically update the root certificates, you may contact the website vender to see if there is a hotfix can fix the issue.

    Tuesday, February 25, 2014 9:52 AM
  • Hi Eye Gee

    I was wondering if you found a solution to your problem as I am having the exact same problem?

    Regards

    Ortho6Keys

    Monday, November 3, 2014 10:11 PM
  • Hello,

    I'm having the same issue.  Did anyone find a solution for this?

    Thanks!

    • Proposed as answer by Leunam11 Thursday, August 27, 2015 7:06 PM
    Monday, November 24, 2014 11:22 PM
  • See the link below

    http://www.kozeniauskas.com/itblog/2011/06/27/windows-does-not-have-enough-information-to-verify-this-certificate/

    • Proposed as answer by SnafTech Tuesday, February 13, 2018 3:24 PM
    Thursday, August 27, 2015 7:07 PM
  • So basically the (root) certificate had an issuer that is not trusted, either because it is not installed or because there's something else wrong with it. I was able to see the certificates I tried to install in certmgr.msc, but they did not show up in the Internet Explorer certificates dialog. After installing the certificate of the issuer I was finally able to get it to work. Does make sense, would have been nice if the UI was a bit more clear about it though. Windows Server 2012R2 btw.

    • Edited by SnafTech Tuesday, February 13, 2018 3:23 PM
    Tuesday, February 13, 2018 3:22 PM
  • SnafTech, thanks for your comment. It wasn't clear at first, but now I see that, Windows doesn't display the certificate chain completely, so while OP was on the right track, there were even more levels!

    See the before and after below:

    Before

    Before


    After (in case someone happens to be looking for literally the same cert, I found them here)

    After



    Mike Crowley

    My Blog | MikeCrowley.US

    Baseline Technologies | Baseline.Consulting

    Being ignorant is not so much a shame, as being unwilling to learn

    -Ben Franklin

    Wednesday, March 6, 2019 2:54 AM