adamchapman (7th January 2010)
I'm guessing that a few people here use ipsCA as a free SSL cert provider. Following the recent root CA change, I find that browsers reject the root CA. I was assuming that IE (at least) would have grabbed the root CA from "somewhere" in an update? Perhaps I have somehow missed an update in WSUS but I will check. I'm not too up on how the root CAs get updated on client machines but I would have guessed from an MS update.
Anyway, I must have set up the cert renewal correctly in IIS and imported the correct *new* intermediate and root certificates in both IIS server and the ISA 2006 server as my browser correctly states the new intermediate and new ipsCA Global CA Root.
What action have other people taken for the change? Have you installed the ipsCA Global CA Root certificate on your local machines or was there an update I have missed?
Telling the teachers to install a certificate at home will be a nightmare....
[removed after re-reading the original post!]
Last edited by tonyd; 4th January 2010 at 03:26 PM.
The users don't need to install the root certs because if they have access to windowsupdate.microsoft.com or download.microsoft.com then when they visit the page that is encrypted the OS will automatically download the root cert. In networks behind the firewall or proxy servers, *.download.microsoft.com could be added so it allows the browser to connect and update the root cert automatically.
At the moment the IPSCA will work with IE but Firefox has not added the root certs on to their list and you will get cert error using firefox.
I use them, we didn't install the new certificates as in their email it said it was due to expire on the 29th Dec and I was not in work then. It's still working on the old certificates and I won't do anything until it goes tits up.
I still have the original certs in the cert stores on both the IIS boxes and my ISA box so I might switch back to see if that cures things temporarily. Just ran MS update locally on a client giving the CA root error (SP3, IE7), still giving root cert error. As you can see it is the global certificate giving the error.
Old Certificate failed correctly on the 28th December. You can get this working again by trusting the out of date signing certificate if you need to.
New one installed fine, but does not seem to auto update on servers. Has auto updated on home machines and school machines (XP SP3, IE8).
I have teachers telling me they get the cert error message at home. I think I'll bite the bullet and get a 5 domain GoDaddy cert for a year until I am confident that MOST people's machines will have updated, as I have difficulty in explaining email to some of them, let alone getting a certificate pack installed.
I knew "free" was too good to be true.
So even with the intermediate certificates installed on the server using it (in our case Exchange) we'll still get the error in Firefox?
Never had this problem before the certificate change... will be a right pain if it requires updates at the client end
Wish I could order GoDaddy but it's American and will be a problem for PO's by looks of it...
If I install the cert pack update then all is well. However, this screenshot is taken from a staff laptop that has automatic updates enabled. It is windows XP and has IE7 on it. The new intermediate cert is being served up along with the chain reporting back to the new root CA - however the root CA is not trusted.
Some (maybe most probably) will have little difficulty - perhaps there is some rhyme or rule that gets IE to check for new root CA's. Although there are other large establishments out there who have identical issues (when I was googling the problem).
It all boils down to what you want. If you want a seamless, no problems SSL cert then IPSCA isn't the one for you at the moment (hey, it's free!). If you are using it for internal use and maybe staff only then go for it.
Have to say - the new root certificate is working fine for us.
I have checked that it is auto updating on XP as follows (running on a student low privilege login):
1. Checked that the only relevant trusted root certificate is the old one
2. Access the secure site. The server has the new certificate and the new intermediate CA and the new root CA in the relevant places.
3. Client machine seems to realise that it may need to update the certificates and initiates a connection to microsoft. These are logged in the event log by crypt32. The messages are as follows:
Successful auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>
Successful auto update retrieval of third-party root list cab from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>
and then 14 seconds later:
Successful auto update retrieval of third-party root certificate from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/3C71D70E35A5DAA8B2E3812DC3677417F5990DF3.crt>
Successful auto update of third-party root certificate:: Subject: <Eemail@example.com, CN=ipsCA Global CA Root, OU=ipsCA, O=IPS Certification Authority s.l. ipsCA, L=Madrid, S=Madrid, C=ES> Sha1 thumbprint: <3C71D70E35A5DAA8B2E3812DC3677417F5990DF3>
4. Page displays fine with no warnings
5. New root certificate is now in the store with the old one.
Now, the site makes some reference to this process only working if you use IE and not Firefox, and indeed I suspect that if it cannot get a connection to the Microsoft site at that moment it will fail, but it has worked fine for us on all machines so far.
Do your machines attempt to make this link out to Microsoft? You should be able to see either a success or failure in the event log.
Hope this helps
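The check described in the post above can be scripted on a client. The following is an added example, not code from the thread or from ipsCA: it looks for the new root by the thumbprint quoted in the event log entries above, tests whether the client can reach the automatic root update feed at all (a blocked proxy or firewall is the usual reason the root never appears), and lists the recent crypt32 auto-update events. Store paths and the event log location are for XP / Server 2003 as discussed in the thread; on Vista and later the equivalent events live in the Microsoft-Windows-CAPI2/Operational log, which has to be enabled first.

```powershell
# Added example (not from the thread): check a Windows client for the new ipsCA
# Global CA Root and show the crypt32 auto-update events the poster describes.
# Thumbprint is the one quoted in the event log entries in the thread.
$NewRootThumbprint = '3C71D70E35A5DAA8B2E3812DC3677417F5990DF3'

# Root     = Trusted Root Certification Authorities
# AuthRoot = Third-Party Root Certification Authorities (where automatic root update writes)
$stores = 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\AuthRoot', 'Cert:\CurrentUser\Root'

function Find-RootByThumbprint {
    param([string]$Thumbprint)
    foreach ($store in $stores) {
        $hit = Get-ChildItem $store -ErrorAction SilentlyContinue |
               Where-Object { $_.Thumbprint -eq $Thumbprint }
        if ($hit) {
            "{0}: {1} (expires {2})" -f $store, $hit.Subject, $hit.NotAfter
        }
    }
}

Write-Host '--- Root store check ---'
$found = Find-RootByThumbprint $NewRootThumbprint
if ($found) { $found } else { 'New ipsCA Global CA Root NOT present in any root store' }

# Can this client reach the automatic root update feed? This is the first URL
# crypt32 fetches (see the event log lines quoted in the thread).
Write-Host '--- Automatic root update reachability ---'
$seqUrl = 'http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt'
try {
    $seq = (New-Object System.Net.WebClient).DownloadString($seqUrl).Trim()
    "authrootseq.txt reachable, current sequence number: $seq"
} catch {
    "Cannot fetch authrootseq.txt: $($_.Exception.Message)"
}

# crypt32 writes its auto-update attempts (success or failure) to the Application log.
Write-Host '--- Recent crypt32 auto-update events ---'
Get-EventLog -LogName Application -Source crypt32 -Newest 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'auto update' } |
    Select-Object TimeGenerated, EntryType, EventID,
        @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
    Format-Table -AutoSize
```

Run it as the ordinary user after visiting the HTTPS site once, since the root download is only triggered when the OS has to build a chain it cannot complete from the local stores. If the store check still comes back empty but the sequence number was fetched, the event log will usually show a "Failed auto update retrieval" line naming the URL that did not come through.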
I fixed the internal machines by added the KB (suggested above) to WSUS.
The 2 laptops that still had issues were standalone teacher personal ones (I couldn't be bothered fault finding so I simply installed the same KB). Since these machines were personal ones (with automatic updates switched on) they might have some odd firewall or other MS update issues - either way you might have fun with some external machines not playing ball.
You need to install both the global cert into the Trusted Root Certification Authorities and the Level 1 cert in the Intermediate Certification Authorities on the servers where the certificate is bound to a site. This is detailed in the instructions, but once this is done the error you're seeing will be gone and the cert will be fully validated.
Remember that if you have ISA you need to import them on the ISA server also - not just your IIS machine (and Exchange IIS if you have a different machine for OWA etc). Swap over your ISA SSL Listener certificate at the same time you swap over your IIS directory security certificate too. The first time I installed the intermediate (old) certificate I did need to restart ISA 2006; the second time, when I was "renewing" my certificate, I did not need to restart the ISA server in order to serve the intermediate certificate.
As for godaddy - yes, PO's are a problem. It is one of the only two occasions that I pay on my credit card and claim back (the other is a foreign laptop spare parts company)
Last edited by KK20; 7th January 2010 at 08:50 AM.
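The server-side steps in the post above (global root into Trusted Root, Level 1 into Intermediate, on every box that serves the certificate, ISA included) can be done and then verified from one script. This is an added example, not the thread's or ipsCA's own instructions; the certificate file names and the site subject are hypothetical placeholders. It uses certutil, which writes to the machine stores on Server 2003/2008, and then builds the chain with the .NET X509Chain class so you can see whether the intermediate and root are actually picked up from the stores before ISA or IIS serves them.

```powershell
# Added example (not from the thread): install the ipsCA chain into the correct
# LocalMachine stores on an IIS / ISA server and confirm the bound site certificate
# now chains up to the new Global CA Root. Run as a local administrator.
param(
    [string]$GlobalRootCer   = 'C:\certs\ipsCA_GlobalCARoot.cer',  # hypothetical path -> Root store
    [string]$Level1Cer       = 'C:\certs\ipsCA_Level1.cer',        # hypothetical path -> CA store
    [string]$SiteCertSubject = 'owa.example.school.uk'             # hypothetical subject in My store
)

# certutil -addstore targets LocalMachine by default; "Root" is Trusted Root
# Certification Authorities, "CA" is Intermediate Certification Authorities.
& certutil.exe -addstore Root $GlobalRootCer | Out-Null
& certutil.exe -addstore CA   $Level1Cer     | Out-Null

# Locate the server certificate that the IIS site / ISA listener is bound to.
$site = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*$SiteCertSubject*" } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $site) { throw "No certificate matching '$SiteCertSubject' in LocalMachine\My" }

# Build the chain the same way the OS does when it serves the site. Revocation is
# skipped here so the result only reflects whether the stores hold the chain.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$ok = $chain.Build($site)

"Chain builds cleanly: $ok"
$i = 0
foreach ($el in $chain.ChainElements) {
    "  [{0}] {1}  thumbprint={2}" -f $i, $el.Certificate.Subject, $el.Certificate.Thumbprint
    $i++
}
if (-not $ok) {
    'Problems:'
    $chain.ChainStatus | ForEach-Object { "  {0}: {1}" -f $_.Status, $_.StatusInformation.Trim() }
}
# A healthy result lists three elements: site cert, Level 1 intermediate, Global CA Root,
# the last one with the thumbprint clients must trust. A two-element chain or an
# "UntrustedRoot" / "PartialChain" status means one of the two imports did not land.
```

Run it on each server in turn, ISA as well as the IIS and Exchange boxes, since the chain is built from that machine's own stores. If the chain builds on the server but clients still complain, the problem is on the client side (the root not yet auto-updated), not the server configuration.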
I'm still waiting for my certs to come through!!! What the heck is the hold-up? My SharePoint portal is broken as ISA server is upset about expired certificates.