+ Post New Thread
Results 1 to 7 of 7
Internet Related/Filtering/Firewall Thread, Help with root certs please :) in Technical; So following on from this thread: http://www.edugeek.net/forums/intern...me-please.html it appears that our Windows 7/8 machines cannot access https://extranet.hse.gov.uk/lfserver/external/F2508IE due to a ...
  1. #1

    sparkeh's Avatar
    Join Date
    May 2007
    Posts
    6,735
    Thank Post
    1,272
    Thanked 1,645 Times in 1,101 Posts
    Blog Entries
    22
    Rep Power
    505

    Help with root certs please :)

    So following on from this thread: Quickly check something for me please? it appears that our Windows 7/8 machines cannot access https://extranet.hse.gov.uk/lfserver/external/F2508IE due to a cert error. Our XP machines are fine.

    cert2.PNGcert1.PNG

    I can't get my head around the problem as Win 7 is supposed to auto grab certs as it visits pages right? So what can I do about this?

  2. #2
    Jamo's Avatar
    Join Date
    Jan 2009
    Posts
    1,349
    Thank Post
    66
    Thanked 175 Times in 147 Posts
    Rep Power
    60
    Quote Originally Posted by sparkeh View Post
    So following on from this thread: Quickly check something for me please? it appears that our Windows 7/8 machines cannot access https://extranet.hse.gov.uk/lfserver/external/F2508IE due to a cert error. Our XP machines are fine.

    cert2.PNGcert1.PNG

    I can't get my head around the problem as Win 7 is supposed to auto grab certs as it visits pages right? So what can I do about this?
    Are these machines updated? Windows update would usually pick up any new root certs, this one is signed by verisign which should be a globally trusted certificate in the OS itself.

  3. #3

    sparkeh's Avatar
    Join Date
    May 2007
    Posts
    6,735
    Thank Post
    1,272
    Thanked 1,645 Times in 1,101 Posts
    Blog Entries
    22
    Rep Power
    505
    Quote Originally Posted by Jamo View Post
    Are these machines updated? Windows update would usually pick up any new root certs, this one is signed by verisign which should be a globally trusted certificate in the OS itself.
    Updates won't help - windows 7 doesn't get its root certs from windows update, but anyhow the machines are fully patched.

    Ok so, the cert it is looking for is "VeriSign Class 3 International Server CA - G3" which is an 'Intermediate Certification Authority" and doesn't appear on our Win 7 machines.
    Installed it and the site works.

  4. #4


    Join Date
    Dec 2005
    Location
    In the server room, with the lead pipe.
    Posts
    4,630
    Thank Post
    275
    Thanked 777 Times in 604 Posts
    Rep Power
    223
    Quote Originally Posted by sparkeh View Post
    Updates won't help - windows 7 doesn't get its root certs from windows update, but anyhow the machines are fully patched.
    That's not strictly true. Microsoft originally said they wouldn't be pushing any out via WSUS or Windows Update, but they've pushed out several Root cert updates for Windows 7 if you use WSUS.

    KB931125 was the latest in Dec 2012. A quick reading would imply it's XP only, but...

    Screen Shot 2013-03-07 at 10.55.54.png

    They're under the general "updates" classification.
    Last edited by pete; 7th March 2013 at 11:01 AM.

  5. Thanks to pete from:

    sparkeh (7th March 2013)

  6. #5

    sparkeh's Avatar
    Join Date
    May 2007
    Posts
    6,735
    Thank Post
    1,272
    Thanked 1,645 Times in 1,101 Posts
    Blog Entries
    22
    Rep Power
    505
    Thanks @pete I didn't know that, all the MS literature states they don't so this but yes I have Dec 2012 Root Updates in WSUS.
    However, turned out it wasn't a root cert issue

  7. #6

    Join Date
    Apr 2010
    Posts
    2,036
    Thank Post
    83
    Thanked 187 Times in 154 Posts
    Rep Power
    83
    Updates won't help - windows 7 doesn't get its root certs from windows update, but anyhow the machines are fully patched.
    Yep our certs will not work on W7 until I have run the updates.

  8. #7

    sparkeh's Avatar
    Join Date
    May 2007
    Posts
    6,735
    Thank Post
    1,272
    Thanked 1,645 Times in 1,101 Posts
    Blog Entries
    22
    Rep Power
    505
    Ok let me slightly revise what I said earlier:
    From Windows root certificate program members
    Windows Vista, Windows 7

    Root certificates on Windows Vista and later are distributed via the automatic root update mechanism – that is, per root certificate. When a user visits a secure Web site (by using HTTPS SSL), reads a secure email (S/MIME), or downloads an ActiveX control that is signed (code signing) and encounters a new root certificate, the Windows certificate chain verification software checks Microsoft Update for the root certificate. If it finds it, it downloads the current Certificate Trust List (CTL) containing the list of all trusted root certificates in the Program, and verifies that the root certificate is listed there; it then downloads the specified root certificate to the system and installs it in the Windows Trusted Root Certification Authorities Store. If the root certificate is not found, the certificate chain is not completed, and the system returns an error. To the user, a successful root update is seamless. The user does not see any security dialog boxes or warnings. The download happens automatically. In addition, Windows Vista and later client SKUs support weekly pre-fetching from Microsoft Update to check for updated root certificate properties (for example, extended validation (EV), code signing or server authentication properties, which are certificate properties added to a root certificate).
    Interesting that they decided to push some out via WSUS.

SHARE:
+ Post New Thread

Similar Threads

  1. Help with some ideas please
    By laserblazer in forum General Chat
    Replies: 2
    Last Post: 2nd February 2012, 05:13 PM
  2. Need help with batch files please!
    By richrad_mills in forum Windows
    Replies: 13
    Last Post: 23rd June 2010, 07:24 PM
  3. Need Help With Corrupted Documents Please
    By james_richards in forum Office Software
    Replies: 16
    Last Post: 11th February 2009, 12:52 PM
  4. Help with KIX script please
    By salan in forum Windows
    Replies: 8
    Last Post: 8th November 2007, 06:55 PM
  5. Help with iPod choice please.
    By Kyle in forum General Chat
    Replies: 17
    Last Post: 4th January 2007, 10:14 PM

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •