IE- There is a problem with this website's security certificate- Continue to this website (not recommended) does not work
Today some of my users, while accessing an Exchange 2003 OWA from external systems, were facing a unique issue. When the users clicked the option Continue to this website (not recommended), they were not directed to the Exchange OWA website and nothing happened.
See a screenshot below for further understanding:
Cause:
It is caused by the following update: 2677070, "An automatic updater of revoked certificates is available for Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2".
This update blocks access to a website that is secured by an RSA certificate with a key length of less than 1024 bits.
Resolution:
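Run the following command from an elevated command prompt. It sets EnableWeakSignatureFlags to 8, which, per the table below, enables logging, stops blocking keys shorter than 1024 bits, and requires WeakSignatureLogDir: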
certutil -setreg chain\EnableWeakSignatureFlags 8
What is EnableWeakSignatureFlags?
The EnableWeakSignatureFlags DWORD value has three potential values: 2, 4, 6, and 8. These settings change how the detection and blocking of keys under 1024 bits works. The settings are described in the following table:
Decimal value | Description |
2 | When enabled, the root certificate (during chain building) is allowed to have an RSA certificate with a key length of less than 1024 bits. Blocking of RSA certificates lower in the chain (if they have less than 1024 bit keys) is still in effect. The flag enabled when this value is set is CERT_CHAIN_ENABLE_WEAK_RSA_ROOT_FLAG. |
4 | Enables logging, but still enforces blocking of RSA certificates with keys less than 1024 bits. When it is enabled, the WeakSignatureLogDir is required. All keys with less than 1024 bit length encountered are copied to the physical WeakSignatureLogDir folder. The flag enabled when this value is set is CERT_CHAIN_ENABLE_WEAK_LOGGING_FLAG. |
6 | When it is enabled, the root certificate is allowed to have an RSA certificate with a key less than 1024 bits and the WeakSignatureLogDir is required. All keys below the root certificate that have keys of less than 1024 bits are blocked and logged to the folder that is specified as the WeakSignatureLogDir. |
8 | Enables logging and does not enforce blocking of keys that have a length of less than 1024 bits. When it is enabled, the WeakSignatureLogDir is required. All keys encountered that have a length of less than 1024 bits are copied to the physical WeakSignatureLogDir folder. The flag enabled when this value is set is CERT_CHAIN_ENABLE_ONLY_WEAK_LOGGING_FLAG. |
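The following PowerShell is an added example, not part of the original post. It lists the certificates in the local machine stores whose RSA public key is shorter than 1024 bits, which are the ones this update blocks, so they can be reissued with a longer key, and then prints the current EnableWeakSignatureFlags setting. The store list and the function name Get-WeakRsaCertificate are assumptions.

```powershell
# Added example, not from the original post.
# Assumptions: the store list below and the function name are illustrative.
$MinimumBits = 1024   # threshold the update enforces, per the text above
$Stores = 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\CA', 'Cert:\LocalMachine\Root'
$RsaOid = '1.2.840.113549.1.1.1'   # rsaEncryption public key algorithm OID

function Get-WeakRsaCertificate {
    param(
        [string[]]$StorePath,
        [int]$MinimumBits = 1024
    )
    foreach ($path in $StorePath) {
        foreach ($cert in Get-ChildItem -Path $path) {
            # The check described on this page applies to RSA keys only.
            if ($cert.PublicKey.Oid.Value -ne $RsaOid) { continue }
            $bits = $cert.PublicKey.Key.KeySize
            if ($bits -lt $MinimumBits) {
                # PSObject instead of [pscustomobject] so this also runs on PowerShell 2.0.
                New-Object PSObject -Property @{
                    Store      = $path
                    KeyBits    = $bits
                    NotAfter   = $cert.NotAfter
                    Thumbprint = $cert.Thumbprint
                    Subject    = $cert.Subject
                }
            }
        }
    }
}

$weak = @(Get-WeakRsaCertificate -StorePath $Stores -MinimumBits $MinimumBits)
if ($weak.Count -eq 0) {
    Write-Output "No RSA certificates under $MinimumBits bits found in the checked stores."
} else {
    $weak | Select-Object Store, KeyBits, NotAfter, Thumbprint, Subject | Format-Table -AutoSize
}

# Read back the value that the certutil -setreg command on this page writes.
# certutil reports an error if the value has never been set.
certutil -getreg chain\EnableWeakSignatureFlags
```

Run it on the server that presents the certificate (here, the Exchange OWA host); a certificate in the My store with a weak key is the one to replace.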
For More Info:
Microsoft sucks -- this is happening to me on a server trying to access iLO -- you've got to be kidding!
Thanks for sharing, if you could set your blog properly it looks very professorial.