Ok, so I want your opinion on this...
I have this brand new Windows Server 2012 R2 with all the latest updates.
When I use IE or Chrome and visits www.flashback.org, I get warnings about certificate errors.
Please look at what Chrome is telling me:
http://i.imgur.com/3QsNc9p.png?1
Now, I raised the issue on the flashback forums. Everyone just said the problem in on my end.
So...
where exactly lies the problem? On the server, or on my client?
(I don't want to add exception and just ignore the security problem)
Please don't answer unless you have a pretty good idea what the problem is.
The issue is on your side (client). Du to some unknown reasons GoDaddy root certificate (Go Daddy Class 2 Certification Authority) is not installed on your machine's Trusted Root CAs container.
By default, Windows trusts this CA. It is listed in the active authrootstl.cab file.
This may indicate that someone deleted this certificate from certificate store.
Related
I've been working on an old secure website on my local machine's IIS on occasion. It's probably been a couple weeks since the last time. However, now all of a sudden IIS seems to have a problem with it. I can't even get to the root page. Chrome reports a general failure. Edge is more informative with:
This might be because the site uses outdated or unsafe TLS security settings. If this keeps happening, try contacting the website’s owner.
Well, I'm the website owner and I have no clue what might have happened. It works fine in production, but the local development version suddenly just doesn't work. So far I haven't found anything useful on Google. Is there a common checklist for troubleshooting these issues?
Security certificate under bindings was set to "Development" originally, but that vanished. Reset it and good to go again!
I'm currently developing a web application running locally on IIS 10 with coldfusion 9.
I have a problem right now, caused by SSL I think. Since it's a backoffice, it has to be https, so I used our company certificate to install it locally on my computer and I linked it to the website I'm developing. The problem is whenever I use the https connection, all the pages are loaded twice (it isn't visible, but for instance when I submit a form, the data are inserted twice in the database).
I manage, with luck, to solve this issue by changing the SSL parameters "client certificates" from ignore to accept but when I do that, from time to time (like 1 out of 3) the page that I want to load takes forever (like 30s) and as I can see, uses 100% of the CPU.
It doesn't come from my code (I think) because when I navigate with http, I have none of the problem listed above.
Does anyone have an idea with this is happening and how to solve it ?
Thanks in advance ! If you need any further information, ask and I'll try to give it to you !
I've now installed Coldfusion 11 and with that the issue is not happening anymore. So I'm pretty sure it's a compatibility answer.
Hi Im working on a system where the user can store important information on a website.
Using Ws2012, and IIS8
Im using EFS to encrypt the data in normal files.
It need to be secure from the Admin on the server. (at least make it difficult to get the information)
The files need to be en/decryptet in-flight.
It's actually working fine. Just by setting the folder as EFS and then the files saved by IIS are encryptet and the Admin cant get the content.
So far so good.
Problem: But if the IIS is reinstalled, or the server needs to be rebuild/reinstalled then the files are not avalible for the "new" IIS, as the certificate is different.
Normally I can login as a user and backup the EFS certificte, but how do i do this with IIS.
The idea is to have only one Admin (super trusted) to export the certificate and keep it safe. So all the "normal" admins cant get to it.
So after a rebuild of the server the certificate can be reinstalled and the new IIS can access the files Again.
I have looked at several ways to get the certificate, but all explanations / examples uses a local logged in user, and not a "service" user like the IIS uses.
There could be 2 ways:
One is when creating the site, a certificate would be installed for the IIS to use. This way export is not nessesery, and all sites uses the same certificate. But How?
Second way is to export the certificate the IIS uses, but How?
Hopefully this is a simple task, i just can't find it.
Regards
Jesper
I have thwte certificate to sign my InstallShield setup. When we updated our certificate this year, it now depends on intermediate certificate "thawte code signing ca - g2".
We fear that many of our customers might not have this intermediate root certificate installed (in fact our own build server did not have it and so build had started to fail after renewing the certificate) and thus they will get the "unverified publisher" error.
What is the best practice to distribute that intermediate certificate? Is there any way to change the certification path so that it just depends on more common "thawte code signing ca"?
I would greatly appreciate any help.
Thanks,
Sanjay
I finally figured out the issue. It turns out there is an option to include certificate roots in the pfx file when you export it. Following is what i followed on my Windows machine where I had installed the certificate that i got from thawte.
1. Open certificate store from Start->Run->certmgr.msc
2. Export the certificate.
3. Ensure to select to include private key as well.
4. Then you get an option to include root certificates - this is unchecked by default. Check it.
Micrsoft has a trusted root program that current contains the following memebers:
Windows Root Certificate Program - Members List (All CAs)
For applications distributed to the general public, the best practice is to get a code signing certificate backed up by one of these roots. For internal enterprise applications ( IT, DoD ectera ) you can use others provided that you have a means in place of distributing the roots for your cert. InstallShield cannot currently do this directly but it's possible using custom actions that call CAPI / CAPICOM / .NET X509 classes.
BTW, when you look at the certificate details, look all the way up to the first entry to know who the root is. For example my cert says COMODO Code Signing 2 but then above that it says USERTrust. When I view the USERTrust certificate is says "UTN-UserFirst-Object". That name is then found on the Microsoft web page linked above.
I have created a Midelt which accesses phone contact details [read and write contacts] and access network, this application is working fine S60 emulator.
When I try to install in Nokia E71, it is giving certification error.
I have created certificate using below link. When I try to install it in the phone still I am getting the certification error.
http://www.j2start.com/
Can anybody suggest, is there any way to test a midlet in actual Nokia e71 device without certificate from CA?
If certificate is mandatory,
which is the most suitable CA [Verisign or Thawte ] for Nokia E71?
It was stated in that page (where you signed your app) that the validity of the certificate is between Sept 1, 2010 to Sept 17, 2011. You need to set your device's date to any date between the validity period.
If the same error persists, try to check the certificates in the jad and check if the same certificate is in the phone.
Find JadTool.jar in your machine. You may find it in the Java SDK installation directory or WTK installation directory. If you can't find it then simply download it from the internet. For simplicity, put it in (root directory) C: (I'm assuming you're using Windows, if not then tell me later ;)).
Copy your signed jad file in C. (I want you to have both files, JadTool.jar and your app's jad file, in one directory, preferably C, as a prerequisite of the next steps :D)
Open terminal/command prompt. Go to C; type cd \ (Again, I'm assuming you're on Windows.)
Still on the terminal, type java -jar JadTool.jar -showcert -all -inputjad YourAppName.jad. Mind the case of the letters.
On the previous step, you can see which certificates are available in your jad file. You can see the details of each certificate. Let's focus on the fingerprints. If, for example, you see a Thawte certificate, take note of its SHA fingerprint.
Check the certificates in your device. The certificates are usually found in Security under Settings. If you have a Thawte certificate in the jad then you must check the Thawte certificates in the device. Compare the Thawte SHA fingerprint found in the jad against the Thawte fingerprint of the device. If they match then the app with this certificate is install-able on the device. If they don't match then it is more likely that you cannot use this certificate with your jad file.
Do steps 6 and 7 for the rest of the certificates. If you can't find any pair
then, with the signing, it is more likely that you cannot install your app on your device.
By the way, you can still install your app on the device even if it is unsigned. One problem, if your app is unsigned, is that the user will be be bugged with security prompts. However, this can also be minimized. See my answer on how to minimize these prompts.
This could be the problem becase your either your certificate is old or just check the date on your phone. Your Phone might be running old date.