Help and Support

Article ID: 297681 - Last Review: July 7, 2008 - Revision: 5.1

Error Message: This Security Certificate Was Issued by a Company that You Have Not Chosen to Trust

View products that this article applies to.
This article was previously published under Q297681
We strongly recommend that all users upgrade to Microsoft Internet Information Services (IIS) version 7.0 running on Microsoft Windows Server 2008. IIS 7.0 significantly increases Web infrastructure security. For more information about IIS security-related topics, visit the following Microsoft Web site:
http://www.microsoft.com/technet/security/prodtech/IIS.mspx (http://www.microsoft.com/technet/security/prodtech/IIS.mspx)
For more information about IIS 7.0, visit the following Microsoft Web site:
http://www.iis.net/default.aspx?tabid=1 (http://www.iis.net/default.aspx?tabid=1)
Expand all | Collapse all

SYMPTOMS

When you browse to a secure Web site, you may receive the following message:
This security certificate was issued by a company that you have not chosen to trust
Back to the top

CAUSE

The root certificate of the Certificate Authority (CA) that issued the Web site's certificate is not in the client browser's Trusted Root Certification Authority store. The message does not affect the establishment of a Secure Sockets Layer (SSL) session between the client and the server.
Back to the top

RESOLUTION

The steps below are used to install the root certificate into the client's browser. This eliminates the security message the next time you visit the site. Note that these steps will only work for Microsoft Internet Explorer browsers.

NOTE: The requirement to install the Certificate Authority Certificate only exists with non-trusted CAs, such as Microsoft Certificate Server.

  1. During the default installation of Certificate Server, a shared folder is generated to store the root certificate file. The default location of this folder is C:\Certconfig. In this folder, locate the root certificate file. The default naming standard is as follows:
    servername.domain.com_name_of_certificate_server.crt
    If you cannot find the root certificate file, search your hard drives for all files that end in .crt. Double-click each .crt file that is returned in the search and view its details to confirm that its serial number is the same as the serial number of the root certificate that issued your Web server certificate.

    To view the serial number of your Web site's root certificate, securely browse to your Web site (that is, use the https:// protocol) and double-click the padlock icon in the lower right corner of your browser. Click the Certification Path tab and double-click the top certificate. The serial number of this certificate should match the root certificate that your search returned.

  2. Export the root certificate (.crt) file to a Base64 root certificate (.cer) file. To do this, follow these steps:
    1. In Windows Explorer, double-click the root certificate file.
    2. Click the Details tab and select Copy to file to start the Certificate Manager Export Wizard.
    3. On the second screen of the wizard select Base64, and on the third screen provide a path and file name for the certificate.NOTE: This is the file that you use in the sample ASP code that is provided in this article.

    4. Click Next and then click Finish.
  3. Modify line 11 of the following code to point to the Base64 root certificate file that you created in step 2. 
    <HTML>
<HEAD>
<TITLE>Installing A Root Certificate</TITLE>
<BR>Root Certificate Authority Installation
<BR>
<BR>

<%@ LANGUAGE="VBScript"%>
<%
Set fs = CreateObject("Scripting.FileSystemObject")
Set MyFile = fs.OpenTextFile("c:\certificates\base64.cer", 1)

Output = ""

Do While MyFile.AtEndOfStream <> true
  line = Chr(34) & MyFile.ReadLine & Chr(34)
  If MyFile.AtEndOfStream <> true then
    line = line & " & _" & Chr(10)
  End If
  Output = Output & line
Loop

MyFile.Close

Set MyFile = Nothing
Set fs = Nothing
%>

<SCRIPT language="VBSCRIPT">
on error resume next
Dim Str, CEnroll

Set CEnroll = CreateObject("CEnroll.CEnroll.1")
Str = <% Response.Write Output %>

CEnroll.installPKCS7(Str)

Set CEnroll = Nothing
</SCRIPT>
</HEAD>
</HTML>
  4. Save the modified code as Rootinstall.asp to your Web site location. By default this is \Inetpub\Wwwroot.
  5. Browse to the Rootinstall.asp file from a client browser. If your root certificate is not already in the store, you are prompted to install it.
  6. Click OK. The certificate is automatically installed into the Trusted Root Store on the client browser.
For additional information, click the article numbers below to view the articles in the Microsoft Knowledge Base:
290625  (http://support.microsoft.com/kb/290625/EN-US/ ) HOWTO: IIS5: How to Configure SSL in a Windows 2000 IIS 5 Test Environment Using Certificate Server 2.0
216339  (http://support.microsoft.com/kb/216339/EN-US/ ) Using Secure Sockets Layer, Root Certifying Authority Certificates, and Iisca.exe
265847  (http://support.microsoft.com/kb/265847/EN-US/ ) Error Message: The Page Cannot Be Displayed . . . Cannot Find Server or DNS Error
Back to the top
APPLIES TO
  • Microsoft Internet Explorer 5.5 Service Pack 1
  • Microsoft Internet Explorer 5.01
  • Microsoft Internet Explorer 5.0
  • Microsoft Internet Explorer 4.01 Service Pack 1
  • Microsoft Internet Explorer 4.01 Service Pack 2
  • Microsoft Internet Explorer 4.0 128-Bit Edition
  • Microsoft Internet Information Server 4.0
  • Microsoft Internet Information Services 5.0
  • Microsoft Internet Information Services 6.0
  • Microsoft Internet Information Services 7.0
Back to the top
Keywords: 
kbpending kbprb KB297681
Back to the top

Get Help Now

Contact a support professional by E-mail, Online, or Phone

Article Translations