Update VeriSign Web Server Certificates Now for IIS: An expired VeriSign intermediate certificate can result in non-validated connections to sites using SSL
Article ID: 834438
The previous VeriSign 128-bit International (Global) Server Intermediate certification authority certificate expired on January 7, 2004. This may cause problems for clients that try to establish server-authenticated secure socket layer (SSL) connections with Web servers and other SSL/Transport Layer Security (TLS)-enabled applications that do not have up-to-date certificates.
To prevent these problems, Microsoft Internet Information Services (IIS) operators should contact VeriSign to update the intermediate certification authority certificates for servers that use 128-bit SSL to connect to Web sites with the Secure Hypertext Transfer Protocol.
Impact
Clients cannot establish SSL-protected connections to Web servers that do not have updated certificates.
Recommendation
Install the updated version of the VeriSign intermediate certificate.
Technical description
VeriSign maintains many certificates and certificate revocation lists (CRLs) that are expiring or that have expired. This is not uncommon. Typically, certificates and CRLs are short-lived by design. However, certificates are sometimes re-issued to give them a longer life span. This is generally not a problem, but it can create issues with servers that use secure socket layer (SSL) to help protect sessions that connect to their resources.
If a server operator installs an SSL certificate from VeriSign, together with the relevant issuing certification authority certificates, and then the server operator later renews the SSL certificate through VeriSign, the server operator must make sure that the intermediate issuing certificates are updated at the same time.
If you want to install the updated certificates, visit the following VeriSign Web site for the latest versions of these certificates and for the steps to install them:
Additional information
The validation of an X.509 certificate involves several phases. These phases include path discovery and path validation.
Path discovery is the process of determining if a certificate was issued by a valid entity. You can use many techniques to do this, including the following:
Frequently asked questions
Is this a security vulnerability?
No. This is not a security vulnerability in any one of the affected products. The problem results only because of the expiration of a third party’s digital certificate.
What’s the scope of the problem?
Recently, VeriSign, Inc., a major certification authority, renewed their “VeriSign International Server CA - Class 3” certification authority with certificates that have a longer validity period. If Web server operators renewed their SSL certificates after this renewal, their customers may experience problems when they try to validate that their Web servers are actually associated with their organizations.
How is the issue resolved?
You can resolve this issue by manually updating the intermediate certification authority (CA) certificate on each Web server. To obtain this certificate, visit the following VeriSign Web site:
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=S:SO7094
If this is a server issue, why do clients experience the problem?
The problem occurs when a client tries to establish a security-enhanced connection to a Web server. As a part of the process of establishing the connection, the server passes many certificates back to the client. The client uses these certificates to validate the server's certificate. In this case, one of the intermediate certificate authorities (the “VeriSign International Server CA - Class 3” CA) has expired. This intermediate certificate is not valid. Therefore, the browser displays a warning message to the user that explains that a security-enhanced connection could not be established.
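The following is an added, constructed example (not from this article or from Microsoft or VeriSign) that walks through the path discovery and path validation described above in Go's crypto/x509 package: a made-up root, an intermediate that expires on 7 January 2004, the same intermediate re-issued with the same subject and key but a later expiry, and a server certificate issued under the intermediate. The chain validates while the old intermediate is still valid, fails afterwards even though the server certificate itself has not expired, and validates again once the renewed intermediate is supplied. All names, keys, serial numbers and dates are invented.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func date(y, m, d int) time.Time { return time.Date(y, time.Month(m), d, 0, 0, 0, 0, time.UTC) }

// template builds a CA or end-entity certificate template with the given subject and validity period.
func template(cn string, from, to time.Time, ca bool) *x509.Certificate {
	return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, NotBefore: from, NotAfter: to,
		IsCA: ca, BasicConstraintsValid: ca}
}

// issue signs tmpl with the signer's key; passing parent == tmpl yields a self-signed certificate.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano()) // constructed serial number, enough for a demo
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced above is well-formed
	return cert
}

// BuildDemoChain constructs (all names and dates are made up) a root, an intermediate expiring on 7 Jan 2004,
// the same intermediate re-issued with a longer validity, and a server certificate issued under the intermediate key.
func BuildDemoChain() (root, oldInter, renewedInter, leaf *x509.Certificate) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	interKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rootTmpl := template("Demo Root CA", date(1996, 1, 1), date(2028, 8, 1), true)
	root = issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	oldInter = issue(template("Demo Server CA", date(1999, 1, 7), date(2004, 1, 7), true), root, &interKey.PublicKey, rootKey)
	renewedInter = issue(template("Demo Server CA", date(1999, 1, 7), date(2010, 1, 7), true), root, &interKey.PublicKey, rootKey)
	leaf = issue(template("www.example.test", date(2003, 6, 1), date(2005, 6, 1), false), oldInter, &leafKey.PublicKey, interKey)
	return
}

// VerifyChain does what the client does: path discovery from leaf through the supplied intermediate to a trusted
// root, then path validation (signatures and validity periods) at time at. An expired intermediate leaves no
// trusted path, so the error reports an unknown authority and names the expired candidate as the reason.
func VerifyChain(leaf, inter, root *x509.Certificate, at time.Time) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, CurrentTime: at})
	return err
}
```

Installing the renewed intermediate changes nothing about the server certificate itself; only the intermediate the server sends (and the client therefore validates) is replaced.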
Are Microsoft certificates involved?
No. These certificates are issued and are owned by VeriSign, Inc. VeriSign participates in a program that is maintained by Microsoft. In this program, third-party trust providers can help secure Internet commerce for Microsoft customers. For more information about this program, visit the following Microsoft Web site:
http://technet.microsoft.com/en-us/library/cc751157.aspx
What certificate authorities participate in the Microsoft Root Program?
For a list of the current trusted third parties that have qualified for the Microsoft Root Program, visit the following Microsoft Web site:
http://msdn2.microsoft.com/en-us/library/ms995347.aspx
Does Microsoft still update the certificates that Microsoft Internet Explorer uses?
Yes. As a part of the Microsoft Root Program, the list of trusted root authorities can be updated quarterly. For users of Microsoft Windows XP and Microsoft Windows Server 2003, this update occurs in the chain validation engine when it is presented with a certificate that it does not trust. When this behavior occurs, Windows Update is contacted to verify whether the certificate has been added to the Root Program. On pre-Windows XP clients, a recommended package is published to Windows Update for manual download. Microsoft recommends that enterprises make their own decisions about which trusted third parties they want users in their enterprises to trust.
Note Updates that the Microsoft Root Program provides will not address the issues that the expiration of the VeriSign intermediate certificate raises.
To resolve this issue, update the intermediate CA certificate store on each of your servers to the latest version of the VeriSign International Server Intermediate CA.
For more information about how CryptoAPI builds certificate chains and validates revocation status, visit the following Microsoft Web site:
Support
For a complete list of Microsoft Product Support Services phone numbers and information about support costs, visit the following Microsoft Web site:
http://support.microsoft.com/default.aspx?scid=fh;[LN];CNTACTMS
Note In special cases, charges that are ordinarily incurred for support calls may be canceled if a Microsoft Support Professional determines that a specific update will resolve your problem. The usual support costs will apply to additional support questions and issues that do not qualify for the specific update in question.
Security resources
For more information about security in Microsoft products, visit the following Microsoft TechNet Web site:
Disclaimer
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.