Certificate Issuer untrusted or unknown - Win7 64 bit
On the 3 Windows 7 SP1 64bit workstations we have in our domain (DC is running Server 2003), I have been receiving several security alerts about certificates.
"This page requires a secure connection which includes server authentication. The Certificate Issuer for this site is untrusted or unknown. Do you wish to proceed?"
From there I am usually able to view the certificate and it will say "This certificate cannot be verified up to a trusted certification authority." When I go to install the certificate, I direct it to install in the Trusted Root Certification Authorities
store. Sometimes this resolves the issue, but in some cases I still continue to get the error.
Computer date and time are correct, certificate is not expired, UAC is disabled, I have tried disabling the proxy server, firewall, and Trend Micro OfficeScan services, and all Windows Updates are installed monthly, including KB2524375
http://www.microsoft.com/en-us/download/details.aspx?id=9490
This is not happening on any of the XP SP3 PCs in the same environment, I'm only having these certificate errors on the 3 Windows 7 SP1 64bit computers.
Any assistance would be appreciated.
May 2nd, 2012 4:19pm
Hi ,
Could you tell me when did these security alerts pop up?
How did you configure the security settings on the Internet Explorer?
The IE certificate trust dialog contains three bits of information about the certificate.
a. Whether the cert is from a trusted authority.
b. Whether the dates are valid or not.
c. Whether the name on the cert matches the site.
Please check if the certificate has been generated with the proper usages. To see Key Usage do the following:
1. View the certificate
2. click the details tab
3. look for Key Usage and highlight that row
4. You should have the following usages: Digital Signature , Non-Repudiation , Key Encipherment , Data Encipherment(F0)
Most important are Non-Repudiation and Data Encipherment
Also, this issue can be caused by the high security settings, antivirus or firewall which the access.
Please also test the issue in
Clean Boot and see if it still will pop up again.
After that, please refer to the following link to configure the security settings in IE:
Change Internet Explorer Security settings
And try this:
Open IE, click Tools>Internet Options>Advanced>Restore Advanced Settings, IE Options>Advanced>Uncheck Check for server certificate revocation.
Hope it helps.Tracy Cai
TechNet Community Support
Free Windows Admin Tool Kit Click here and download it now
May 4th, 2012 2:32am
Thank you Tracy,
One example of when the security alert will pop up is when a user first logs in, they will get one associated with the Java Platform SE Auto Updater 2.0 that runs ar startup.
The only key usages shown for this certificate are: Digital Signature, Key Encipherment (a0). How can I add the Non-Repudiation and Data Encipherment usages?
This specific popup isn't an issue when tested in Clean Boot as all startup items get disabled. Even if I disable all non Microsoft services and just run this startup item, the issue still occurs.
This is a brand new computer so I have not manually set any of the IE security settings yet. So it should be receiving the default settings. The only IE settings that are received through GP are the proxy server settings and exemptions and all the other
machines in the company that are NOT receiving these issues have the same policy.
Even after configuring the security settings as outlined in your response, the alert still occurs.
I will test with several of the other alerts I've been getting on some of the computers and see if any of your suggestions are able to remedy specific ones.
May 4th, 2012 11:12am
Hi ,
Since the issue didnt occur in Clean Boot, please perform the step 2 to step 7 in
Clean Boot to
narrow down the cause.
Best Regards,
Tracy CaiTracy Cai
TechNet Community Support
Free Windows Admin Tool Kit Click here and download it now
May 6th, 2012 10:41pm
Tracy,
I performed these steps the other day. As noted in my previous response, when testing the Clean Boot, the specific instance of the certificate issue is tied to the Java Platform SE Auto Updater 2.0 startup item. So it will not occur unless that startup
item is enabled. If that is the only item enabled in services and startup, I still get the error.
I will be testing with other certificate error message that are not associated with startup items .
May 7th, 2012 8:24am