Posted by Krrmt 2020-02-26T15:33:08Z
I cannot access a website, on one computer only, with the error
«This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store»
I was able to renew a self-signed certificate on Exchange 2007 using the console, but I cannot make it trusted. The Exchange box is part of a domain, but the DC doesn’t have SSL enabled, so I’m working on the Exchange box only. How do I add this cert to the Trusted Root Certification Authorities store?
8/22/2022 — Mon
Suliman Abu Kharroub
I need to add the cert to the trusted root CA store on the Exchange server itself, not a workstation. I renewed the cert using the Exchange Management Shell on the Exchange box via `Get-ExchangeCertificate -Thumbprint "xxx" | New-ExchangeCertificate`. I’m getting the «install this certificate in the Trusted Root Certification Authorities store» message in IIS Manager -> Default Web Site Properties -> View Certificate.
Disregard the previous link. It wasn’t what I thought — sorry.
Thanks Shmoid! Your suggestion fixed it.
What happens if I run that command and I get prompted to insert a smart card?
Thank you so much Shmoid! You just saved my hide.
I faced a similar issue with Comodo certificates recently when developing a script using Ruby. In the end it was that OpenSSL did not have it in the store, even though it looked like it did.
To test this, download all of the Comodo intermediate certs and create a cert bundle something like this (you’ll need to use different cert names depending on what you downloaded):
```shell
cat EssentialSSLCA_2.crt ComodoUTNSGCCA.crt UTNAddTrustSGCCA.crt AddTrustExternalCARoot.crt > yourDomain.ca-bundle
```
Comodo has an article on how to do this.
Once done, try verifying the certificate again using OpenSSL and specifying the cert store on the command line:
```shell
openssl verify -untrusted yourDomain.ca-bundle cert.pem
```
That example was adapted from this Unix and Linux StackExchange article.
Once you’ve determined which certificate it is, it should be possible to add the certificate to the local cert store, which is detailed here for Ubuntu, and is something like:
```shell
sudo mkdir /usr/share/ca-certificates/extra
```
Copy the ‘.crt’ file to the directory and re-run the bundle generation:
```shell
sudo cp foo.crt /usr/share/ca-certificates/extra/foo.crt
sudo dpkg-reconfigure ca-certificates
```
I am dealing with a big problem on multiple workstations in our company. Many Windows 7 computers and one Windows XP computer have all root CA certificates not trusted, so I cannot import a new certificate generated by the Certification Authority in our country.
I noticed this problem recently, and after two days on Google I couldn’t find a solution.
If I open mmc and select Certificates -> Computer -> Trusted Root Certification Authorities, I see all the certs on the computer, but when I open any of them they show this in the General info about the cert:
This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store.
This root certificate appears to be trusted by the remote computer. To ensure this root certificate is valid on the remote computer, verify this root certificate on that computer.
We push only Critical and Security Updates from our WSUS server. The affected computers have all updates installed.
We have a firewall and don’t allow full internet access, but I tried giving one computer with this issue full internet access and rebooting a couple of times, and that didn’t help.
Screenshots: http://imgur.com/a/HCGWo
```bash
#!/bin/bash
set -e
base_folder="$HOME/.acme-development-certs"
start_dir=$PWD
if test -f "$base_folder/leaf_cert/acme.pem"; then
  echo "ACME development certs already created: skipping CA and cert creation."
  exit 0
fi
mkdir -p "$base_folder"
cd "$base_folder"
# create root cert
mkdir -p root_ca/certs root_ca/crl root_ca/newcerts root_ca/private
echo 1000 > root_ca/serial
touch root_ca/index.txt root_ca/index.txt.attr
# single quotes on purpose: $dir is expanded by OpenSSL when it reads the config, not by the shell
echo '
[ ca ]
default_ca = CA_default
[ CA_default ]
dir = root_ca # Where everything is kept
certs = $dir/certs # Where the issued certs are kept
crl_dir = $dir/crl # Where the issued crl are kept
database = $dir/index.txt # database index file.
new_certs_dir = $dir/newcerts # default place for new certs.
certificate = $dir/cacert.pem # The CA certificate
serial = $dir/serial # The current serial number
private_key = $dir/private/ca.key # The private key
nameopt = default_ca
certopt = default_ca
policy = policy_match
default_days = 3650
default_md = sha512
copy_extensions = copy
[ policy_match ]
countryName = optional
stateOrProvinceName = optional
organizationName = optional
organizationalUnitName = optional
commonName = supplied
emailAddress = optional
[req]
utf8 = yes
string_mask = utf8only
x509_extensions = v3_req
distinguished_name = req_distinguished_name
prompt = no
[req_distinguished_name]
CN = ACME Development Root CA
O = ACME
OU = ACME Engineering
[v3_req]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
' > root_ca/openssl.conf
openssl genrsa -out root_ca/private/ca.key 2048
openssl req -config root_ca/openssl.conf -new -x509 -days 3650 -key root_ca/private/ca.key -sha256 -extensions v3_req -out root_ca/certs/ca.crt
openssl x509 -in root_ca/certs/ca.crt -out root_ca/certs/ca.pem -outform PEM
# create leaf cert
mkdir leaf_cert
echo '
[ req ]
default_bits = 2048
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
CN = ACME
O = ACME
OU = ACME Engineering
[ req_ext ]
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = acme.com
DNS.2 = *.acme.com
DNS.3 = *.sub.acme.com
DNS.4 = acme2.com
DNS.5 = *.acme2.com
DNS.6 = *.sub.acme2.com
' > leaf_cert/openssl.conf
openssl req -new -keyout leaf_cert/acme.key -out leaf_cert/acme.csr -days 3650 -nodes -newkey rsa:2048 -config leaf_cert/openssl.conf
# sign the CSR with the root; the SAN and other extensions come from the CSR via copy_extensions
openssl ca -batch -config root_ca/openssl.conf -keyfile root_ca/private/ca.key -cert root_ca/certs/ca.crt -out leaf_cert/acme.crt -infiles leaf_cert/acme.csr
openssl x509 -in leaf_cert/acme.crt -out leaf_cert/acme-leaf.pem -outform PEM
# chain file for nginx: leaf first, then the issuing CA
cat leaf_cert/acme-leaf.pem root_ca/certs/ca.pem > leaf_cert/acme.pem
# trust new CA at the OS level (macOS system keychain)
sudo security add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain "$base_folder/root_ca/certs/ca.pem"
# serve HTTPS using the new cert
NGINX_PATH="/usr/local/etc/nginx"
cp leaf_cert/acme.pem "$NGINX_PATH/star_acme_com.pem"
cp leaf_cert/acme.key "$NGINX_PATH/star_acme_com.key"
sudo brew services restart nginx
```
I tried various combinations of parameters for the two config files, and I also tried adding the cert manually to the keychain, but nothing works:
Chrome rejects it with:
This site can’t provide a secure connection
sub.acme.com doesn’t adhere to security standards.
- Safari and curl are fine with the certificate. Firefox has its own list of CAs and is okay after I add the root CA `.pem` to the Authorities section of its internal list.
- Nginx is configured to use the cert `$NGINX_PATH/star_acme_com.key`, and it’s probably not the issue as it works perfectly with a paid one.
- In Chrome dev tools, in the Security tab, it displays "Certificate - valid and trusted".
Output of `openssl x509 -noout -text -in <cert>`:
- for the cert
```text
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 4096 (0x1000)
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: CN=ACME Development Root CA, O=ACME, OU=ACME Engineering
        Validity
            Not Before: Jun  7 10:16:14 2019 GMT
            Not After : Jun  4 10:16:14 2029 GMT
        Subject: O=ACME, OU=ACME Engineering, CN=ACME
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ***
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:acme.com, DNS:*.acme.com, DNS:*.sub.acme.com, DNS:acme2.com, DNS:*.acme2.com, DNS:*.sub.acme2.com
    Signature Algorithm: sha512WithRSAEncryption
         ***
```
- for the root CA
```text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 11358523417566447898 (0x9da194de4501091a)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=ACME Development Root CA, O=ACME, OU=ACME Engineering
        Validity
            Not Before: Jun  7 10:16:13 2019 GMT
            Not After : Jun  4 10:16:13 2029 GMT
        Subject: CN=ACME Development Root CA, O=ACME, OU=ACME Engineering
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ***
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                1F:50:BB:C9:85:C4:DB:71:46:E3:0E:B4:B5:48:B4:CF:10:C2:27:54
    Signature Algorithm: sha256WithRSAEncryption
         ***
```
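The two dumps above differ in one structural detail that is easy to miss: the leaf reads `Version: 1 (0x0)` yet carries X509v3 extensions, while the root is `Version: 3 (0x2)`. RFC 5280 (section 4.1.2.1) requires version 3 whenever extensions are present, and a verifier that enforces that profile rejects a v1 certificate with extensions regardless of whether the issuing CA is trusted. One common cause is an `openssl ca` configuration that copies extensions from the CSR (`copy_extensions = copy`) without naming an `x509_extensions` section under `[ CA_default ]`, which is how the script above is configured. The following Python checker is an added example and not the poster's script: it parses `openssl x509 -noout -text` output and flags that version/extension mismatch together with the other structural requirements for a private root and its TLS leaf. The two sample dumps are constructed from the output in the thread with the modulus and signature elided, so the check runs offline.

```python
"""Lint the text dump of a certificate (openssl x509 -noout -text) for the
structural mistakes that make browsers reject a private CA's leaf.

Added example, not the poster's script. Sample dumps below are constructed
from the thread's output (modulus and signature elided).
"""
import re
from dataclasses import dataclass, field


@dataclass
class CertSummary:
    version: int = 0
    subject: str = ""
    issuer: str = ""
    # extension name -> {"critical": bool, "value": str}
    extensions: dict = field(default_factory=dict)


def parse_openssl_text(text: str) -> CertSummary:
    """Parse the indentation-structured dump that openssl x509 -text prints."""
    cert = CertSummary()
    ext_indent = None   # indent of "X509v3 extensions:"; None while outside that block
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        body = line.strip()
        m = re.match(r"Version:\s*(\d+)", body)
        if m:
            cert.version = int(m.group(1))
            continue
        if body.startswith("Subject:"):
            cert.subject = body[len("Subject:"):].strip()
            continue
        if body.startswith("Issuer:"):
            cert.issuer = body[len("Issuer:"):].strip()
            continue
        if body == "X509v3 extensions:":
            ext_indent = indent
            continue
        if ext_indent is not None:
            if indent <= ext_indent:        # back at "Signature Algorithm:" level: block is over
                ext_indent = None
                continue
            if indent == ext_indent + 4:    # extension name line, e.g. "X509v3 Key Usage: critical"
                name, _, flag = body.partition(":")
                current = name.strip()
                cert.extensions[current] = {"critical": flag.strip() == "critical", "value": ""}
            elif current is not None:       # deeper-indented lines hold the extension's value
                ext = cert.extensions[current]
                ext["value"] = (ext["value"] + " " + body).strip()
    return cert


def lint(cert: CertSummary, expect_ca: bool) -> list:
    """Return human-readable findings; an empty list means nothing structural was found."""
    findings = []
    if cert.extensions and cert.version != 3:
        findings.append(f"version {cert.version} certificate carries X509v3 extensions; "
                        "RFC 5280 requires version 3 whenever extensions are present")
    bc = cert.extensions.get("X509v3 Basic Constraints")
    if bc is None:
        findings.append("no Basic Constraints extension")
    else:
        is_ca = "CA:TRUE" in bc["value"]
        if is_ca != expect_ca:
            findings.append(f"Basic Constraints CA:{str(is_ca).upper()} but expected CA:{str(expect_ca).upper()}")
        if expect_ca and not bc["critical"]:
            findings.append("Basic Constraints on a CA certificate should be marked critical")
    ku = cert.extensions.get("X509v3 Key Usage", {}).get("value", "")
    if expect_ca:
        if cert.subject != cert.issuer:
            findings.append("root is not self-signed (subject differs from issuer)")
        if "Certificate Sign" not in ku:
            findings.append("CA Key Usage lacks Certificate Sign")
    else:
        if "X509v3 Subject Alternative Name" not in cert.extensions:
            findings.append("leaf has no Subject Alternative Name; browsers no longer fall back to the CN")
        if "Digital Signature" not in ku:
            findings.append("leaf Key Usage lacks Digital Signature, needed for ECDHE cipher suites")
    return findings


# Constructed sample: the thread's leaf, a v1 certificate that nevertheless has extensions.
LEAF_TEXT = """\
Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number: 4096 (0x1000)
        Signature Algorithm: sha512WithRSAEncryption
        Issuer: CN=ACME Development Root CA, O=ACME, OU=ACME Engineering
        Subject: O=ACME, OU=ACME Engineering, CN=ACME
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:acme.com, DNS:*.acme.com, DNS:*.sub.acme.com
    Signature Algorithm: sha512WithRSAEncryption
         ***
"""

# Constructed sample: the thread's root, a well-formed v3 self-signed CA.
ROOT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: CN=ACME Development Root CA, O=ACME, OU=ACME Engineering
        Subject: CN=ACME Development Root CA, O=ACME, OU=ACME Engineering
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Key Usage: critical
                Certificate Sign, CRL Sign
            X509v3 Subject Key Identifier:
                1F:50:BB:C9:85:C4:DB:71:46:E3:0E:B4:B5:48:B4:CF:10:C2:27:54
    Signature Algorithm: sha256WithRSAEncryption
         ***
"""

if __name__ == "__main__":
    for label, text, is_ca in (("leaf", LEAF_TEXT, False), ("root", ROOT_TEXT, True)):
        problems = lint(parse_openssl_text(text), is_ca)
        print(f"{label}: " + ("OK" if not problems else "; ".join(problems)))
```

Run it against a real file with `openssl x509 -noout -text -in leaf_cert/acme.crt | python3 lint.py` after replacing the constructed samples with `sys.stdin.read()`; on the thread's own output it reports the root as OK and the leaf as a version 1 certificate carrying extensions, which is the property to correct on the issuing side before trying more keychain or nginx changes.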