Certificate problem

Guest

When viewing a certain site I get:
The security certificate was issued by a company you have chosen not to trust.

How can I make the browser accept that company and certificate?
 
Vanguard

Merike said:
When viewing a certain site I get:
The security certificate was issued by a company you have chosen not to trust.

How can I make the browser accept that company and certificate?


A certain site. Yep, that was clear. Next time tell *us* what is the
site if you really want help with that site. Otherwise, an equally
vague response might be: check the sites listed in your security zones.
 
Jan Il

Hi Merike :)

You don't mention which version of Windows or IE you have, and I'm not sure
what may be causing the problem, but, you might try the following as it
applies to your OS and version of IE and see if it helps:

Check the date and time of your computer clock and be sure it is absolutely
correct. Every Certificate has an expiration and start date. When your
clock time or date is off, even just a few minutes or hours, it may think
the certificates are not valid and pop up an alert telling you that it's not
valid, or expired, for your own protection. So, be sure to check that your
machine date and time are correct every time you first log on.

also.....

To disable the Certification alerts:

Go to Tools>Internet Options>Advanced tab>scroll down to "Warn about invalid
site certificates" and make sure it is Unchecked.

If that does not work, you might also try:

Go to Tools>Internet Options>Security tab>highlight Internet>click Custom
level tab>scroll down and Uncheck the button next to "Don't prompt for
client certificate selection when no certificates or only one certificate
exists."

You might also try adding the site to the Trusted Sites in the
Tools>Internet Options>Security tab and see if that helps as well.

Hope this helps :)

Jan :)
MS MVP - IE/OE
Smiles are meant to be shared,
that's why they're so contagious.

Replies are posted only to the newsgroup for the benefit of other readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm
 
Guest

The site I have problem with is www.ekool.ee.
My browser is IE 6 with SP2 and OS XP Professional.

My clock shows the right date and time and the expiration date of
certificate shouldn't matter since it expires in November 2005. The only
error it shows is mentioned above, it even says the certificate is valid.

Adding the site to the trusted sites list didn't help. I viewed the certificate and
it shows that it is issued by KLASS3-SK. Is there a list of trusted
certificate issuers so I can add that one?
 
Jan Il

Hi Merike :)

I went to the site you have posted here. I get the same Certificate alert.
As far as I can tell, it is asking you to verify if you want to go there, as
the company that issued the certificate is not in your Trusted Zone. It
appears to have something to do with Estonia.

Have you tried disabling the alerts as I suggested in my other reply? Did
you get any error message other than the one you originally posted?

Go to Tools>Internet Options>Security tab>highlight Internet>click Custom
level tab>scroll down and Uncheck the button next to "Don't prompt for
client certificate selection when no certificates or only one certificate
exists."

also...

Here is a step by step process to enter the site to your Trusted Zone:
http://surfthenetsafely.com/ieseczone7.htm


Hope this helps :)

Jan :)
MS MVP - IE/OE
Smiles are meant to be shared,
that's why they're so contagious.

Replies are posted only to the newsgroup for the benefit of other readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm
 
Vanguard

Merike said:
The site I have problem with is www.ekool.ee.
My browser is IE 6 with SP2 and OS XP Professional.

My clock shows the right date and time and the expiration date of
certificate shouldn't matter since it expires in November 2005. The only
error it shows is mentioned above, it even says the certificate is valid.

Adding the site to the trusted sites list didn't help. I viewed the
certificate and it shows that it is issued by KLASS3-SK. Is there a list
of trusted certificate issuers so I can add that one?

Going to www.ekool.ee results in this site forcing a secure connection
(i.e., it wants to use SSL for an HTTPS connect). I get "revocation for
this certificate is not available". That means IE couldn't contact the
CA (certificate authority) listed in the certificate to verify that it
has not been revoked. Yes, the content of the certificate is okay
because it has not been altered. Even an expired or revoked certificate
can be "okay" regarding its content if it has not been modified.

When you visit https://mail.yahoo.com and double-click on the padlock
icon in the status bar, the cert details under the CRL Distribution
Points shows a contact URL where to check for revocation
("URL=http://crl.verisign.com/RSASecureServer.crl" for Yahoo Mail, which
uses Verisign). For your www.ekool.ee site, its CRL is listed as
"URL=http://www.sk.ee/crls/klass3/klass3.crl", which isn't reachable
(down, or the path to the .crl revocation file is invalid). Yet I was
able to download that .crl file so I don't know why IE couldn't check it
for revocation of the cert used at the www.ekool.ee site. I did see
that the cert's serial number for that site and those listed in their
.crl revocation list were pretty short at just 4 bytes long (32 bits).
The serial number for Yahoo Mail's cert is 16 bytes long (128 bits), as
is the cert's serial number for my bank's secured web page, as is
PayPal's, eBay's, and several other HTTPS sites that I checked.
ekool.ee's serial number is the shortest that I remember seeing, so
maybe they aren't valid. Although I glanced at several sites discussing
how PKI works, they didn't mention how serial numbers are managed.
Could be that is CA dependent (i.e., their choice). However, it looks
like ekool.ee is getting their cert from sk.ee and 4 bytes gives them
3,000 times the number of serial numbers as for their population. I did
find:

"The serial number MUST be a positive integer assigned by the CA to each
certificate. It MUST be unique for each certificate issued by a given CA
(i.e., the issuer name and serial number identify a unique certificate).
CAs MUST force the serialNumber to be a non-negative integer.
Given the uniqueness requirements above, serial numbers can be expected
to contain long integers. Certificate users MUST be able to handle
serialNumber values up to 20 octets. Conformant CAs MUST NOT use
serialNumber values longer than 20 octets. "

But that doesn't specify any minimum length for the serial number. Also
note that they are forcing an HTTPS connection and something you have
configured in IE prompts that you are trying to make that secured
connection but haven't included that site as trusted.
 
Guest

The don't prompt ... option is enabled.
That is the only error I get, but the reason why it disturbs me is that it
doesn't appear once but, as far as I can tell, every time it sends or receives
info and loads a file from the server, even an image.
Also I added it to the trusted zone but so far no luck resolving the problem.
 
Jan Il

Hi Merike :)
The don't prompt ... option is enabled.
That is the only error I get, but the reason why it disturbs me is that it
doesn't appear once but, as far as I can tell, every time it sends or receives
info and loads a file from the server, even an image.
Also I added it to the trusted zone but so far no luck resolving the problem.

Vanguard may have the information you need posted here for you, so give that
a try. Certificates can be tricky items to deal with. :)

Jan :)
MS MVP - IE/OE
Smiles are meant to be shared,
that's why they're so contagious.

Replies are posted only to the newsgroup for the benefit of other readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm


--
You can't know everything about everything.


Jan Il said:
Hi Merike :)

I went to the site you have posted here. I get the same Certificate alert.
As far as I can tell, it is asking you to verify if you want to go there, as
the company that issued the certificate is not in your Trusted Zone. It
appears to have something to do with Estonia.

Have you tried disabling the alerts as I suggested in my other reply? Did
you get any error message other than the one you originally posted?

Go to Tools>Internet Options>Security tab>highlight Internet>click Custom
level tab>scroll down and Uncheck the button next to "Don't prompt for
client certificate selection when no certificates or only one certificate
exists."

also...

Here is a step by step process to enter the site to your Trusted Zone:
http://surfthenetsafely.com/ieseczone7.htm


Hope this helps :)

Jan :)
MS MVP - IE/OE
Smiles are meant to be shared,
that's why they're so contagious.

Replies are posted only to the newsgroup for the benefit of other readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm
 
shiufun

Jan Il said:
Hi Merike :)
The don't prompt ... option is enabled.
That is the only error I get, but the reason why it disturbs me is that it
doesn't appear once but, as far as I can tell, every time it sends or receives
info and loads a file from the server, even an image.
Also I added it to the trusted zone but so far no luck resolving the problem.

Vanguard may have the information you need posted here for you, so give that
a try. Certificates can be tricky items to deal with. :)

Jan :)
MS MVP - IE/OE
Smiles are meant to be shared,
that's why they're so contagious.

Replies are posted only to the newsgroup for the benefit of other readers.
How to make a good newsgroup post:
http://www.dts-l.org/goodpost.htm


--
You can't know everything about everything.



That solution does not work. :) I also ran into the same problem with
IE verifying the CRL.

Description:
I have created an internet certifier (self-signed certificate), a CRL
signed by the same certifier with the root key, and a server certificate
which I will use for the SSL server (foo.bar.com).

The server certificate contains a CDP extension (I have tested both with
LDAP and HTTP for the CDP).

From the IE browser, I accept the root certificate as the trust
authority. When I perform an SSL connection to the server (https://foo.bar.com), I
receive the following message: "Revocation information for the
security certificate for this site is not available. Do you want to
proceed?".

So that is strange. I then used ethereal to monitor the traffic, and
the browser did request the CRL and the CRL was returned to the machine.
And if I check the "Temporary Internet Files" folder, the CRL is
there.

Hmm. OK, next check is on the signature. Using openssl, I can verify
the signature of the CRL; it is properly signed by the certifier.

Next, I import the CRL into IE. That did not solve the problem. Still
the same error: "Revocation information for the security certificate
for this site is not available. Do you want to proceed?". If both the
webserver and browser are on the same machine, IE seems to perform
some Active Directory lookup (which returns a connection failure). But
my browser and webserver are on 2 different machines, and I still run
into the issue.

HELP... Any idea? And did anyone run into this bizarre situation with
IE?
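Added example, not code from any poster in this thread: the checks described in Vanguard's post and in the post just above, run with OpenSSL against a throwaway CA built on the spot. It reads the CRL Distribution Point out of the leaf certificate, verifies the CRL signature as the post above did, measures the serial length the earlier post compared, and reports whether the leaf's revocation status is valid, revoked, or unavailable, the last being the condition behind IE's "revocation information is not available" prompt. It assumes a POSIX shell with OpenSSL 1.1.1 or newer on PATH; the CA name, hostname, CDP URL and serial value are constructed.

```shell
#!/bin/sh
# Constructed demo: a throwaway CA issues a leaf cert with a CRL Distribution Point (CDP), publishes a CRL, then we run the checks a client makes.
set -eu
W=$(mktemp -d); cd "$W"
cat > ca.cnf <<'EOF'
[ca]
default_ca = demo
[demo]
database = index.txt
serial = serial
new_certs_dir = .
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = pol
[pol]
commonName = supplied
[req]
distinguished_name = dn
x509_extensions = v3ca
[dn]
[v3ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[leaf_ext]
crlDistributionPoints = URI:http://crl.example.test/demo.crl
EOF
touch index.txt; echo 4f1d0c2b9a8e7d6c5b4a392817160504 > serial   # constructed 16-octet serial
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -subj /CN=DemoCA -days 30 -config ca.cnf >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr -subj /CN=foo.bar.com -config ca.cnf >/dev/null 2>&1
openssl ca -batch -notext -config ca.cnf -extensions leaf_ext -in leaf.csr -out leaf.pem >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out crl_good.pem >/dev/null 2>&1      # CRL published before revocation
openssl ca -config ca.cnf -revoke leaf.pem >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out crl_revoked.pem >/dev/null 2>&1   # CRL published after revocation
# Where a client fetches revocation data: the CDP URL inside the certificate.
cdp_url() { openssl x509 -in "$1" -noout -text | grep -o 'URI:[^ ]*' | head -n 1 | cut -c5-; }
# Is the downloaded CRL really signed by the CA? (the openssl check from the post above)
crl_signed_by() { openssl crl -in "$1" -CAfile "$2" -noout 2>&1 | grep -q 'verify OK'; }
# Serial length in octets (RFC 3280 allows up to 20; the thread compares 4 against 16).
serial_bytes() { s=$(openssl x509 -in "$1" -noout -serial | cut -d= -f2); echo $(( ${#s} / 2 )); }
# Leaf status given the CRL the client obtained; pass '' when the CDP fetch failed.
leaf_status() {
  out=$(openssl verify -crl_check -CAfile "$1" ${2:+-CRLfile $2} "$3" 2>&1) && { echo valid; return 0; }
  case "$out" in *"certificate revoked"*) echo revoked ;;
    *"unable to get certificate CRL"*) echo crl_unavailable ;;   # IE: "revocation information ... not available"
    *) echo invalid ;; esac
}
```

The three outcomes of leaf_status are the only states a client can reach from one CRL fetch: a signed, current CRL that does not list the serial, one that does, or no usable CRL at all.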
 
jaywinks

You are not alone. I found your post on Google Groups. When prompted to
login to reply, I got the same alert from Google itself, so we are in
good company possibly. I've got to believe this bug is in IE itself (I
will be checking this). I have the same problem with my CA setup. In my
case the CRL distro points are all http, as common URL where my root
and my subordinates publish their CRLs to on a schedule. I can browse
the URLs listed in the CDPs of issued certs just fine and the CRLs are
properly signed but IE does not seem to like it. I sure hope somebody
has the right cure for this. Some of the folks that access my SSL
servers can't tell IE not to care if the CRL is unavailable. This has
been a problem for me for a while. Anybody else have some insight?
 
shiufun

You are not alone. I found your post on Google Groups. When prompted to
login to reply, I got the same alert from Google itself, so we are in
good company possibly. I've got to believe this bug is in IE itself (I
will be checking this). I have the same problem with my CA setup. In my
case the CRL distro points are all http, as common URL where my root
and my subordinates publish their CRLs to on a schedule. I can browse
the URLs listed in the CDPs of issued certs just fine and the CRLs are
properly signed but IE does not seem to like it. I sure hope somebody
has the right cure for this. Some of the folks that access my SSL
servers can't tell IE not to care if the CRL is unavailable. This has
been a problem for me for a while. Anybody else have some insight?

jaywinks, could you please advise what kind of certificate
authority you are using? What application do you use to create
this certificate authority (MS, OpenSSL, or other types)?

Many thanks.
 
