SSL Certificate Binding Issue - One or more intermediate certificates in the certificate chain are missing - iis

I receive the following message after binding our SSL wildcard certificate to our TFS site.
One or more intermediate certificates in the certificate chain are missing. To resolve this issue, make sure that all of the intermediate certificates are installed.
Does the certificate need to authenticate to the internet?
I've added this wildcard cert to other site bindings and this is the first time I've seen this message.
How do I resolve this message?

I imported DigiCert High Assurance CA in Trusted Root on both TFS Build and Application server.
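An added diagnostic for the warning above (example code, not from the question or from IIS): it builds the chain for the bound certificate the way the server does and reports where each issuing certificate lives, so a missing or misplaced intermediate shows up directly. The thumbprint is a placeholder.

```powershell
# Added example: diagnose "intermediate certificates in the chain are missing" on the IIS host.
# $Thumbprint is a placeholder; use the thumbprint shown in the site's HTTPS binding.
$Thumbprint = 'REPLACE_WITH_BINDING_THUMBPRINT'

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }

# Build the chain with the machine's stores; revocation is skipped so the result
# isolates chain completeness from CRL/OCSP reachability.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$built = $chain.Build($cert)
Write-Host "Chain builds cleanly: $built"
foreach ($status in $chain.ChainStatus) {
    # PartialChain is the condition behind the IIS warning.
    Write-Host ("  status: {0} - {1}" -f $status.Status, $status.StatusInformation)
}

# Intermediates belong in LocalMachine\CA; only self-signed roots belong in LocalMachine\Root.
$intermediates = Get-ChildItem Cert:\LocalMachine\CA
$roots         = Get-ChildItem Cert:\LocalMachine\Root

foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    $selfSigned = ($c.Subject -eq $c.Issuer)
    $store = if ($c.Thumbprint -eq $cert.Thumbprint) { 'My (binding)' }
             elseif ($roots.Thumbprint -contains $c.Thumbprint) { 'Root' }
             elseif ($intermediates.Thumbprint -contains $c.Thumbprint) { 'CA (intermediate)' }
             else { 'not in machine stores' }
    Write-Host ("{0}`n    issued by: {1}`n    store: {2}" -f $c.Subject, $c.Issuer, $store)
    if ($store -eq 'Root' -and -not $selfSigned) {
        Write-Host "    note: not self-signed; this intermediate should be in LocalMachine\CA instead"
    }
}

# If the chain ends before a self-signed root, the issuer of the last element is what is missing.
$last = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($last.Subject -ne $last.Issuer) {
    Write-Host "Chain stops early: install the certificate for '$($last.Issuer)' into LocalMachine\CA"
}
```

Run it in an elevated PowerShell on the TFS application server, then again on the build server if it has its own binding.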

Related

IIS Certificate. Digicert tells me one thing, probing SSL / TLS another

I'm trying to get Jira Service Desk to pull mail from our server but I'm having certificate issues, I think.
When I try and pull mail from our server Jira pops up
SunCertPathBuilderException: unable to find valid certification path
to requested target
which seems to indicate a problem with the certificate not being trusted. So I went off and grabbed a new trusted cert, as the old one was self-certified for "ES2010", which is the name of the server.
AFAIK the new certificate has been installed but.
It seems like *.domainname.co.uk, which is what the trusted cert has been issued for, is taking precedence over owa.domainname.co.uk.
If I go to https://www.digicert.com and check out the cert it seems OK, BUT if I use the Portecle app from Jira to examine the SSL / TLS connection on port 993 (secure IMAP), it shows as being issued by CN=ES2010.
Can anyone kindly help?

Azure website intermediate certificate not provided?

I have uploaded a PFX file into the Azure portal including the entire certificate path with all intermediate certificates (of which there are two). However, Azure fails to pass one of these to clients (browsers) so these fail to validate the certificate. Here's the certification path:
And here's the certificate as seen by a browser visiting my website:
As you can see, while the QuoVadis CSP - PKI Overheid CA - G2 certificate is provided, the path is incomplete since Staat der Nederlanden Organisatie CA - G2 is missing.
I'm sure the PFX isn't the problem; a simple certutil -dump shows the entire chain is there.
Does anyone know if I'm doing something wrong and if so, what?
I think that the QuoVadis CSP intermediate cert is misconfigured. They are using an SSL address in their AIA extension. If they simply fix that to use HTTP instead, to point to the issuer CRL, then it should work for you.
The AIA setting they have pointing to this HTTPS address... if you browse to that path in the browser you'll see that the SSL cert on that address also uses the same cert chain and uses same QuoVadis CSP intermediate cert with same SSL url in the AIA extension, thus pointing to itself... possibly causing headaches for cert trust chain building logic not coded to protect against this AIA recursion.

how to use client certificates to access website

I have a website hosted on IIS. My main issue is that I want only users with a specific certificate installed to be able to access the site. I tried to follow some tutorials, but I can't find anyone covering both the server and client side, so I can't get it to work.
I have some questions to the main issue:
What kind of certificate should I use (domain/self-signed in IIS 7.5)? I do have access to an Active Directory Certificate Services where I can create other types of certificates (CA), but the problem is when trying to import them into my IIS ("certificate cannot be used as an ssl server certificate").
I would like to use a CA certificate, but is that possible when using IIS? Or do I need to write all the code to check if the user has the right certificate?
When I've created a certificate for the website (e.g. through IIS), how do I create user certificates that are trusted by the server certificate?
As you may have noticed by now I'm not sure how to do all of this, and would really like some help.
The server should use an SSL server certificate. This certificate has to have the Server Authentication extension in Extended Key Usage. The server certificate should have a SAN extension (Subject Alternative Name) with the domain name of the server as a DNS name (i.e. somesite.com).
The CA certificate has to be imported into the Trusted Root store (preferably Local Machine) on both server and client machines.
The client certificate should contain the Client Authentication extension in Extended Key Usage.
All end-entity (client and server) certificates should have a CRL distribution point in them with the URL to the CRL that is issued by the CA. The CRL has to be accessible by both client and server and should always be valid.
You can use XCA for training purposes. It has a nice GUI and it has templates for CA, SSL server and SSL client certificates by default. Then you can mimic these certificates in your Active Directory Certificate Services. Documentation and some guides can be found here.

This Connection is Untrusted issue

I get the following error message.
You have asked Firefox to connect securely to www.gstatic.com, but we can't confirm that your connection is secure.
Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.
What Should I Do?
If you usually connect to this site without problems, this error could mean that someone is trying to impersonate the site, and you shouldn't continue.
This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. As a result, it is not possible to add an exception for this certificate.
www.gstatic.com uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is unknown.
The server might not be sending the appropriate intermediate certificates.
An additional root certificate may need to be imported.
(Error code: sec_error_unknown_issuer)
Can someone please help me to solve this issue :'(
You're receiving this error message because the certificate for the site isn't valid. In order to communicate using SSL with a site, the site must provide a valid certificate. There are a number of things necessary for a valid certificate, but one factor is the certificate must be issued by a trusted certificate authority, or CA. Your browser is preconfigured with a set of trusted CAs, but for this particular site, the issuer is not part of that set of trusted authorities.
Furthermore, since the site is using HSTS (HTTP Strict Transport Security), an exception cannot be made for this certificate.
You'll need to view the certificate and see who issued the certificate (the CA) and whether that is a real CA. The certificate may be self-signed, which means the site issued their own certificate without a trusted CA. If you wish to continue, you'll have to install the issuer's certificate as a trusted CA in your browser. However, do not install the issuer's certificate if you cannot verify their identity as a trusted CA.
This article on your particular error may provide guidance on why you're seeing this message. Here's a general description on how SSL works and what roles certificates and CAs play.
With regard to the first solution, if you end up having to install a CA cert into your Firefox browser, click Edit Trust and check the "This certificate can identify websites" checkbox. If that checkbox is not checked, then Firefox will still not trust websites who issue certificates signed by that CA.

IIS with mutual SSL not working

I'm new to mutual SSL. Therefore my understanding of how client certificates work might be wrong.
When using Client certificates in IIS, do they need to be issued from the same certificate (or CA) as the IIS HTTPS binding has configured?
My dev IIS has a self signed certificate.
For the client certificate, I've created a CA and a Client certificate according to
the post here.
The CA is in my "Trusted Root Certification Authorities" of the local Computer.
The Client certificate is in my personal certificate folder.
On IIS I've set Client certificates to accept.
The first strange thing is that when I browse to my page, IE always shows me 403.7. Even though I've disabled the IE setting "Don't prompt for client certificate selection...", there is no window opening for the certificate selection.
Also when accessing the page with an HttpWebRequest with the client cert attached, the response is always 403. Unfortunately I did not figure out how to get the sub-status there.
Why doesn't IIS accept my Client certificate when the RootCA of the Client certificate is in the trusted root store?
Is there a way to get more details where the problem might be?
Thanks
Thomas
Finally I could solve the issue:
The CA and client certificates which I generated according to the tutorial here did NOT have the private key assigned in the certificate store. I had to remove the certificates from the cert store and import the PFX file including the private key.
Second, the client certificate needs to be in the Current User/Personal store so IE does pick it up. I initially generated it in the Current Computer/Personal store.
There might be a direct way how to create the two certificates including Private key with makecert. But the PFX import was the easiest way for me.
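An added check (not code from either answer) that tests one certificate in a Windows store against the requirements listed in the earlier answer (EKU for the role, SAN, CRL distribution point, chain to a trusted root) and against the two things Thomas found: the private key must be in the store, and the client certificate must sit in CurrentUser\My. The store path and the OID-to-role mapping are the only assumptions.

```powershell
# Added example: Test-MutualTlsCertificate reports which mutual-TLS requirements a
# certificate meets. Call it with a Cert: provider path, e.g. Cert:\CurrentUser\My\<thumbprint>.
function Test-MutualTlsCertificate {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][ValidateSet('Server','Client')][string]$Role
    )
    $cert = Get-Item $Path
    # Server Authentication = 1.3.6.1.5.5.7.3.1, Client Authentication = 1.3.6.1.5.5.7.3.2
    $requiredEku = if ($Role -eq 'Server') { '1.3.6.1.5.5.7.3.1' } else { '1.3.6.1.5.5.7.3.2' }
    $results = [ordered]@{}

    # Extended Key Usage must carry the usage matching the role.
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $results['EKU matches role'] = [bool]($eku.EnhancedKeyUsages | Where-Object Value -eq $requiredEku)

    # Subject Alternative Name (2.5.29.17) with the DNS name; only required for the server.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $results['SAN'] = if ($san) { $san.Format($false) } elseif ($Role -eq 'Server') { 'MISSING' } else { 'n/a' }

    # CRL Distribution Point (2.5.29.31) so both sides can check revocation.
    $results['CRL DP present'] = [bool]($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' })

    # The store entry must hold the private key, not just the public certificate.
    $results['Private key'] = $cert.HasPrivateKey

    # IE picks client certs from CurrentUser\My; the IIS binding uses LocalMachine\My.
    $expectedStore = if ($Role -eq 'Server') { 'LocalMachine' } else { 'CurrentUser' }
    $results['In expected store'] = $Path -like "Cert:\$expectedStore\My\*"

    # The issuing CA must chain to a trusted root on this machine (revocation skipped here).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $results['Chains to trusted root'] = $chain.Build($cert)
    $results['Chain status'] = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

    [pscustomobject]$results
}

# Placeholder thumbprints; run once for each side of the mutual-TLS setup.
Test-MutualTlsCertificate -Path 'Cert:\LocalMachine\My\SERVER_THUMBPRINT' -Role Server
Test-MutualTlsCertificate -Path 'Cert:\CurrentUser\My\CLIENT_THUMBPRINT' -Role Client
```

A 403.7 with "Private key" false or "In expected store" false on the client side is the combination described above.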
After 3 days of trial and error on my side: if you use IIS 10 on Windows Server 2022, TLS 1.3 is turned on by default.
The SSL handshake seems not to be implemented correctly in browsers/curl/... for this case.
For testing purposes, turn off TLS 1.3.
In
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.3\Server
Add:
DisabledByDefault as Dword with 1 and restart the server (not only IIS!)