IE: "There is a problem with this website's security certificate" - "Continue to this website (not recommended)" does not work

Today some of my users accessing Exchange 2003 OWA from external systems ran into an unusual issue. When they clicked the option "Continue to this website (not recommended)" on the certificate warning page, nothing happened: they were not redirected to the Exchange OWA website at all.
See the screenshot below for further understanding:


Cause:
It is caused by the following update: 2677070, "An automatic updater of revoked certificates is available for Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2".

Once this update is installed, Windows no longer allows access to a website that is secured by using an RSA certificate with a key length of less than 1024 bits.

Resolution:

Run the following command from an elevated command prompt:
certutil -setreg chain\EnableWeakSignatureFlags 8


What is EnableWeakSignatureFlags?

The EnableWeakSignatureFlags DWORD value can be set to one of the following values: 2, 4, 6, or 8. These settings change how the detection and blocking of RSA keys under 1024 bits works. The settings are described in the following table:

Decimal value | Description
2 | When enabled, the root certificate (during chain building) is allowed to have an RSA certificate with a key length of less than 1024 bits. Blocking of RSA certificates lower in the chain (if they have keys of less than 1024 bits) is still in effect. The flag enabled when this value is set is CERT_CHAIN_ENABLE_WEAK_RSA_ROOT_FLAG.
4 | Enables logging, but still enforces blocking of RSA certificates with keys of less than 1024 bits. When it is enabled, the WeakSignatureLogDir is required. All keys with a length of less than 1024 bits that are encountered are copied to the physical WeakSignatureLogDir folder. The flag enabled when this value is set is CERT_CHAIN_ENABLE_WEAK_LOGGING_FLAG.
6 | When it is enabled, the root certificate is allowed to have an RSA certificate with a key of less than 1024 bits, and the WeakSignatureLogDir is required. All certificates below the root certificate that have keys of less than 1024 bits are blocked and logged to the folder specified as the WeakSignatureLogDir.
8 | Enables logging and does not enforce blocking of keys that have a length of less than 1024 bits. When it is enabled, the WeakSignatureLogDir is required. All keys encountered that have a length of less than 1024 bits are copied to the physical WeakSignatureLogDir folder. The flag enabled when this value is set is CERT_CHAIN_ENABLE_ONLY_WEAK_LOGGING_FLAG.
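To make the table concrete, here is a small Python model of those flag values, added as an illustration; it is not Microsoft's code, the value 0 entry (plain post-update behaviour) is an assumption, and the certificate chain in it is constructed sample data:

```python
# Added illustration of the EnableWeakSignatureFlags table above; not Microsoft code.

WEAK_KEY_THRESHOLD_BITS = 1024

# One entry per registry value. Value 0 is an assumption that models the plain
# post-update behaviour (every RSA key under 1024 bits is blocked).
#   allow_weak_root  - the root may carry a key shorter than 1024 bits
#   block_below_root - weak keys below the root are blocked
#   log_weak         - weak keys encountered are copied to WeakSignatureLogDir
FLAG_BEHAVIOUR = {
    0: {"allow_weak_root": False, "block_below_root": True,  "log_weak": False},
    2: {"allow_weak_root": True,  "block_below_root": True,  "log_weak": False},
    4: {"allow_weak_root": False, "block_below_root": True,  "log_weak": True},
    6: {"allow_weak_root": True,  "block_below_root": True,  "log_weak": True},
    8: {"allow_weak_root": True,  "block_below_root": False, "log_weak": True},
}

def is_weak(key_bits):
    """True when an RSA key is shorter than the 1024-bit threshold."""
    return key_bits < WEAK_KEY_THRESHOLD_BITS

def evaluate_chain(chain, flags=0):
    """chain: list of (subject, rsa_key_bits) tuples ordered leaf -> root.
    Returns (blocked_subjects, logged_subjects) for the given flag value."""
    if flags not in FLAG_BEHAVIOUR:
        raise ValueError("unsupported EnableWeakSignatureFlags value: %r" % flags)
    rules = FLAG_BEHAVIOUR[flags]
    blocked, logged = [], []
    root_index = len(chain) - 1
    for index, (subject, key_bits) in enumerate(chain):
        if not is_weak(key_bits):
            continue  # keys of 1024 bits or more are never affected
        if rules["log_weak"]:
            # Logging a weak root under value 6 is an assumption; the table only mentions keys below the root.
            logged.append(subject)
        is_root = index == root_index
        if is_root and rules["allow_weak_root"]:
            continue
        if not is_root and not rules["block_below_root"]:
            continue
        blocked.append(subject)
    return blocked, logged

# Constructed chain resembling the OWA case: a 512-bit server certificate
# under a 2048-bit issuing CA and a 1024-bit root (sample data, not real).
SAMPLE_CHAIN = [("owa.example.test", 512),
                ("Example Issuing CA", 2048),
                ("Example Root CA", 1024)]
```

With the chain above, evaluate_chain(SAMPLE_CHAIN, 8) returns ([], ['owa.example.test']): the weak server key is only logged, not blocked, which is why setting the value to 8 makes the OWA page load again, while values 2 to 6 still block it.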


Comments

  1. Microsoft sucks -- this is happening to me on a server trying to access iLO -- you've got to be kidding!

  2. Thanks for sharing, if you could set your blog properly it looks very professional.
