Article ID: 260266 - View products that this article applies to.
This article was previously published under Q260266
This article has been archived. It is offered "as is" and will no longer be updated.
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) 6.0 running on Microsoft Windows Server 2003. IIS 6.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
You may not be able to gain access to Web pages after upgrading a 40-bit Secure Sockets Layer (SSL) certificate to a 128-bit SSL certificate (VeriSign). When you attempt to connect with a Netscape 40-bit browser, the following error message is displayed and no connection is made:
The security library has experienced an error. You will probably be unable to connect to this site securely.
The 128-bit VeriSign certificate is a Server Gated Cryptography (SGC) certificate; it causes secure connections between Netscape clients and Microsoft Internet Information Services (IIS) servers not to work. When the SGC renegotiation is performed, handshaking does not succeed.
To resolve this problem, obtain the latest service pack for Windows 2000. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/260910/ )How to obtain the latest Windows 2000 service pack
Instructions for InstallationAfter you apply the hotfix and restart your computer, run the following command to provide 128-bit high encryption non-export support:
%systemroot%\system32\export\encinstWhen you run this command, the command prompt returns with no message displayed. After you restart your computer, the hotfixes for Crypt32.dll and Schannel.dll are installed.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed at the beginning of this article.
This problem was first corrected in Windows 2000 Service Pack 1.
For additional information about how to install Windows 2000 and Windows 2000 hotfixes at the same time, click the article number below to view the article in the Microsoft Knowledge Base:
249149The best way to determine if a certificate is an SGC certificate is to view the certificate by using the Certificates tool. In the Details pane, if the Enhanced Key Usages line contains one or both of the following entries, the certificate is SGC-enabled:
(http://support.microsoft.com/kb/249149/EN-US/ )Installing Microsoft Windows 2000 and Windows 2000 Hotfixes
Unknown Key Usage(2.16.840.1.113730.4.1)
Unknown Key Usage(220.127.116.11.4.1.318.104.22.168)