  1. #1

    Join Date
    Oct 2008
    Posts
    213
    Thank Post
    2
    Thanked 11 Times in 11 Posts
    Rep Power
    21

    ipsCA Global CA Root

    I'm guessing that a few people here use ipsCA as a free SSL cert provider. Following the recent root CA change, I find that browsers reject the root CA. I was assuming that IE (at least) would have grabbed the root CA from "somewhere" in an update? Perhaps I have somehow missed an update in WSUS but I will check. I'm not too up on how the root CAs get updated on client machines but I would have guessed from an MS update.

    Anyway, I must have set up the cert renewal correctly in IIS and imported the correct *new* intermediate and root certificates in both IIS server and the ISA 2006 server as my browser correctly states the new intermediate and new ipsCA Global CA Root.

    What action have other people taken for the change? Have you installed the ipsCA Global CA Root certificate on your local machines or was there an update I have missed?

    Telling the teachers to install a certificate at home will be a nightmare....

  2. Thanks to KK20 from:

    adamchapman (7th January 2010)

  3. #2
    tonyd's Avatar
    Join Date
    Mar 2006
    Location
    Kent (Sometimes), UK
    Posts
    163
    Thank Post
    17
    Thanked 42 Times in 31 Posts
    Rep Power
    24
    [removed after re-reading the original post!]
    Last edited by tonyd; 4th January 2010 at 03:26 PM.

  4. #3

    Join Date
    Oct 2005
    Location
    East Midlands
    Posts
    737
    Thank Post
    17
    Thanked 105 Times in 65 Posts
    Rep Power
    36
    Quote Originally Posted by KK20 View Post
    I'm guessing that a few people here use ipsCA as a free SSL cert provider. Following the recent root CA change, I find that browsers reject the root CA. I was assuming that IE (at least) would have grabbed the root CA from "somewhere" in an update? Perhaps I have somehow missed an update in WSUS but I will check. I'm not too up on how the root CAs get updated on client machines but I would have guessed from an MS update.

    Anyway, I must have set up the cert renewal correctly in IIS and imported the correct *new* intermediate and root certificates in both IIS server and the ISA 2006 server as my browser correctly states the new intermediate and new ipsCA Global CA Root.

    What action have other people taken for the change? Have you installed the ipsCA Global CA Root certificate on your local machines or was there an update I have missed?

    Telling the teachers to install a certificate at home will be a nightmare....
    Hi,

    The users don't need to install the root certs because if they have access to windowsupdate.microsoft.com or download.microsoft.com then when they visit the page that is encrypted the OS will automatically download the root cert. In networks behind the firewall or proxy servers the *.download.microsoft.com could be added so it allows the browser to connect and update the root cert automatically.

    At the moment the IPSCA will work with IE but Firefox has not added the root certs on to their list and you will get a cert error using Firefox.

    Ash.

  5. #4
    jsnetman's Avatar
    Join Date
    Oct 2007
    Posts
    887
    Thank Post
    23
    Thanked 134 Times in 126 Posts
    Rep Power
    39
    I use them; we didn't install the new certificates as in their email it said it was due to expire on the 29th Dec and I was not in work then. It's still working on the old certificates and I won't do anything until it goes tits up.

  6. #5

    Join Date
    Oct 2008
    Posts
    213
    Thank Post
    2
    Thanked 11 Times in 11 Posts
    Rep Power
    21
    interesting....

    I still have the original certs in the cert stores on both the IIS boxes and my ISA box so I might switch back to see if that cures things temporarily. Just ran MS update locally on a client giving the CA root error (SP3, IE7); still giving root cert error. As you can see it is the global certificate giving the error.

  7. #6
    ArchersIT's Avatar
    Join Date
    Nov 2006
    Location
    Bedfordshire
    Posts
    114
    Thank Post
    14
    Thanked 24 Times in 20 Posts
    Rep Power
    20
    Old Certificate failed correctly on the 28th December. You can get this working again by trusting the out of date signing certificate if you need to.

    New one installed fine, but does not seem to auto update on servers. Has auto updated on home machines and school machines (XP SP3, IE8).

    Jonathan

  8. #7

    Join Date
    Nov 2007
    Location
    Nottingham
    Posts
    116
    Thank Post
    7
    Thanked 23 Times in 14 Posts
    Rep Power
    17
    Same problem here, had to install the November 2009 Root update pack manually

    Download details: Update for Root Certificates [November 2009] (KB931125)

    It's also available via WSUS.

  9. Thanks to PRicho from:

    adamchapman (7th January 2010)

  10. #8

    Join Date
    Oct 2008
    Posts
    213
    Thank Post
    2
    Thanked 11 Times in 11 Posts
    Rep Power
    21
    I have teachers telling me they get the cert error message at home. I think I'll bite the bullet and get a 5 domain GoDaddy cert for a year until I am confident that MOST people's machines will have updated as I have difficulty in explaining email to some of them, let alone getting a certificate pack installed.

    I knew "free" was too good to be true.

  11. #9
    gshaw's Avatar
    Join Date
    Sep 2007
    Location
    Essex
    Posts
    2,650
    Thank Post
    164
    Thanked 217 Times in 200 Posts
    Rep Power
    66
    So even with the intermediate certificates installed on the server using it (in our case Exchange) we'll still get the error in Firefox?

    Never had this problem before the certificate change... will be a right pain if it requires updates at the client end

    Wish I could order GoDaddy but it's American and will be a problem for PO's by looks of it...

  12. #10

    Join Date
    Oct 2008
    Posts
    213
    Thank Post
    2
    Thanked 11 Times in 11 Posts
    Rep Power
    21
    If I install the cert pack update then all is well. However, this screenshot is taken from a staff laptop that has automatic updates enabled. It is Windows XP and has IE7 on it. The new intermediate cert is being served up along with the chain reporting back to the new root CA - however the root CA is not trusted.

    Some (maybe most probably) will have little difficulty - perhaps there is some rhyme or rule that gets IE to check for new root CAs. Although there are other large establishments out there who have identical issues (when I was googling the problem).

    It all boils down to what you want. If you want a seamless no problems SSL cert then IPSCA isn't the one for you at the moment (hey it's free!). If you are using it for internal use and maybe staff only then go for it.

  13. #11
    ArchersIT's Avatar
    Join Date
    Nov 2006
    Location
    Bedfordshire
    Posts
    114
    Thank Post
    14
    Thanked 24 Times in 20 Posts
    Rep Power
    20
    Have to say - the new root certificate is working fine for us.

    I have checked that it is auto updating on XP as follows (running on a student low privilege login):
    1. Checked that the only relevant trusted root certificate is the old one
    2. Access the secure site. The server has the new certificate and the new intermediate CA and the new root CA in the relevant places.
    3. Client machine seems to realise that it may need to update the certificates and initiates a connection to Microsoft. These are logged in the event log by crypt32. The messages are as follows:

    Successful auto update retrieval of third-party root list sequence number from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt>

    Successful auto update retrieval of third-party root list cab from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab>

    and then 14 seconds later:

    Successful auto update retrieval of third-party root certificate from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/3C71D70E35A5DAA8B2E3812DC3677417F5990DF3.crt>

    Successful auto update of third-party root certificate:: Subject: <E=global01@ipsca.com, CN=ipsCA Global CA Root, OU=ipsCA, O=IPS Certification Authority s.l. ipsCA, L=Madrid, S=Madrid, C=ES> Sha1 thumbprint: <3C71D70E35A5DAA8B2E3812DC3677417F5990DF3>

    4. Page displays fine with no warnings
    5. New root certificate is now in the store with the old one.

    Now, the site makes some reference to this process only working if you use IE and not Firefox, and indeed I suspect that if it cannot get a connection to the Microsoft site at that moment it will fail but it has worked fine for us on all machines so far.

    Do your machines attempt to make this link out to Microsoft? You should be able to see either a success or failure in the event log.

    Hope this helps

    Jonathan
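
    The event-log check described in the post above can be scripted over exported crypt32 message text. This is an added example, not part of the original post: the function name and sample lists are hypothetical, the success messages reuse the wording quoted in the post (subject shortened), and the "Failed ..." wording is an assumption.

```python
import re
from urllib.parse import urlsplit

# SHA-1 thumbprint of the ipsCA Global CA Root, as quoted in the post above.
IPSCA_ROOT = "3C71D70E35A5DAA8B2E3812DC3677417F5990DF3"
BASE = "http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/"
# Constructed input: success messages worded as in the post (subject shortened).
SAMPLE_OK = [
    f"Successful auto update retrieval of third-party root list sequence number from: <{BASE}authrootseq.txt>",
    f"Successful auto update retrieval of third-party root list cab from: <{BASE}authrootstl.cab>",
    f"Successful auto update retrieval of third-party root certificate from: <{BASE}{IPSCA_ROOT}.crt>",
    "Successful auto update of third-party root certificate:: Subject: <CN=ipsCA Global CA Root> "
    f"Sha1 thumbprint: <{IPSCA_ROOT}>",
]
# Constructed input: the "Failed ..." wording is an assumption modelled on the success text.
SAMPLE_BLOCKED = [f"Failed auto update retrieval of third-party root list sequence number from: <{BASE}authrootseq.txt>"]

STEPS = [  # (step name, text that follows "<status> auto update ")
    ("sequence", "retrieval of third-party root list sequence number"),
    ("cab", "retrieval of third-party root list cab"),
    ("fetch", "retrieval of third-party root certificate"),
    ("install", "of third-party root certificate"),
]
LINE = re.compile(r"^(Successful|Failed) auto update (.*)$")

def trace_root_update(messages, thumbprint=IPSCA_ROOT):
    """Summarise one client's crypt32 auto-update messages for a given root."""
    steps, hosts, installed = {}, set(), False
    for msg in messages:
        m = LINE.match(msg.strip())
        step = m and next((n for n, text in STEPS if m.group(2).startswith(text)), None)
        if not step:
            continue  # unrelated event text
        status, rest = m.groups()
        steps[step] = status
        url = re.search(r"from: <(\S+?)>", rest)
        if url:
            hosts.add(urlsplit(url.group(1)).hostname)  # host a proxy must allow
        if step == "install" and status == "Successful":
            installed |= thumbprint.lower() in rest.lower()
    failed = [s for s, st in steps.items() if st == "Failed"]
    if installed:
        verdict = "root installed"
    elif failed:
        verdict = "blocked at " + failed[0]
    else:
        verdict = "incomplete" if steps else "no attempt logged"
    return {"verdict": verdict, "steps": steps, "hosts": sorted(hosts)}
```

    A verdict of "no attempt logged" means the client never tried the download, while "blocked at ..." names the first step that failed; the returned host list shows what a firewall or proxy has to allow.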

  14. #12

    Join Date
    Oct 2008
    Posts
    213
    Thank Post
    2
    Thanked 11 Times in 11 Posts
    Rep Power
    21
    I fixed the internal machines by adding the KB (suggested above) to WSUS.

    The 2 laptops that still had issues were standalone teacher personal ones (I couldn't be bothered fault finding so I simply installed the same KB). Since these machines were personal ones (with automatic updates switched on) then they might have some odd firewall or other MS updates issues - either way you might have fun with some external machines not playing ball.

  15. #13

    Join Date
    Oct 2005
    Location
    East Midlands
    Posts
    737
    Thank Post
    17
    Thanked 105 Times in 65 Posts
    Rep Power
    36
    Quote Originally Posted by gshaw View Post
    So even with the intermediate certificates installed on the server using it (in our case Exchange) we'll still get the error in Firefox?

    Never had this problem before the certificate change... will be a right pain if it requires updates at the client end

    Wish I could order GoDaddy but it's American and will be a problem for PO's by looks of it...
    Hi,

    You need to install both the global cert into the Trusted Root Certification authorities and the Level 1 cert in the Intermediate Certification authorities on the servers where the certificate is bound to a site. This is detailed in the instructions but once this is done then the error you are seeing will be gone and the cert will be fully validated.

    Ash.

  16. #14

    Join Date
    Oct 2008
    Posts
    213
    Thank Post
    2
    Thanked 11 Times in 11 Posts
    Rep Power
    21
    Remember that if you have ISA you need to import them on the ISA server also - not just your IIS machine (and Exchange IIS if you have a different machine for OWA etc). To swap over your ISA SSL Listener certificate at the same time you swap over your IIS directory security certificate too. The first time I installed the intermediate (old) certificate I did need to restart ISA2006; the second time, when I was "renewing" my certificate, I did not need to restart the ISA server in order to serve the intermediate certificate.

    As for GoDaddy - yes, PO's are a problem. It is one of the only two occasions that I pay on my credit card and claim back (the other is a foreign laptop spare parts company)
    Last edited by KK20; 7th January 2010 at 08:50 AM.

  17. Thanks to KK20 from:

    adamchapman (7th January 2010)

  18. #15
    RobFuller's Avatar
    Join Date
    Feb 2007
    Location
    Chelmsford
    Posts
    312
    Thank Post
    82
    Thanked 39 Times in 29 Posts
    Rep Power
    22
    I'm still waiting for my certs to come through!!! What the heck is the holdup? My SharePoint portal is broken as ISA server is upset about expired certificates.
