ERR_CERT_WEAK_SIGNATURE_ALGORITHM

ERR_CERT_WEAK_SIGNATURE_ALGORITHM KB ID 0001845

Problem

Error seen when attempting to open a web page that’s been secured by https with a certificate.

Your Connection isn’t private
Attackers might be trying to steal your information from {host-name} (for example, passwords, messages or credit cards)

Solution : ERR_CERT_WEAK_SIGNATURE_ALGORITHM

I had not seen this error for a while, and I was surprised I was seeing it now. It’s because the certificate that’s been used on the website is using SHA1 as its signature algorithm.

If you have purchased this certificate you will need to get it reissued, but chances are this is a self-issued certificate from Certificate Services. If that is the case, you need to update your Certificate Services from SHA1 to SHA256.

For Complex (Multi-tier PKI Certificate Services)
Upgrade Your Microsoft PKI Environment to SHA2 (SHA256)

For most people (with a Stand-alone Enterprise Certificate Services CA Server)

Certificate Services – Migrate from SHA1 to SHA2 (SHA256)
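Before (and after) migrating the CA, it helps to know which certificates are still SHA1-signed. The following is an added example, not part of the original article: it lists SHA1-signed certificates in the local machine stores and, on the CA itself, prints the hash algorithm the CA currently signs with.

```powershell
# Added example (not from the original article): find certificates in the local
# machine stores that were signed with SHA1, so you know what needs reissuing
# once Certificate Services has been moved to SHA256.
$stores = 'Cert:\LocalMachine\My', 'Cert:\LocalMachine\Root', 'Cert:\LocalMachine\CA'

$sha1Certs = Get-ChildItem -Path $stores |
    Where-Object { $_.SignatureAlgorithm.FriendlyName -match '^sha1' } |
    Select-Object @{ n = 'Store';  e = { $_.PSParentPath -replace '.*::' } },
                  Subject, Issuer, NotAfter, Thumbprint,
                  @{ n = 'SigAlg'; e = { $_.SignatureAlgorithm.FriendlyName } }

if ($sha1Certs) {
    Write-Warning "$(@($sha1Certs).Count) SHA1-signed certificate(s) found:"
    $sha1Certs | Format-Table -AutoSize
} else {
    Write-Host 'No SHA1-signed certificates in the local machine stores.'
}

# On the CA server itself, show the hash algorithm the CA signs with.
# 'SHA1' here means the CA still needs migrating (see the linked article).
if (Get-Service -Name CertSvc -ErrorAction SilentlyContinue) {
    certutil -getreg ca\csp\CNGHashAlgorithm
}
```

Re-run the store check after the migration: anything still listed was issued before the change and needs to be renewed.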

Related Articles, References, Credits, or External Links

ERR_CERT_COMMON_NAME_INVALID

SSL_ERROR_UNSUPPORTED_VERSION

PowerCLI: Connect-VIServer Certificate Errors

KB ID 0001603

Problem

When attempting to connect to a vCenter or ESXi host, you see the following error;


[box]

Connect-VIServer : {Date} {Time}  Connect-VIServer Error: Invalid server certificate. Use Set-PowerCLIConfiguration 
to set the value for the InvalidCertificateAction option to Prompt if you'd like to connect once or to add a 
permanent exception for this server.
Additional Information: Could not establish trust relationship for the SSL/TLS secure channel with authority
'{Server-Name}'.
At line:1 char:1
+ Connect-VIServer
+ ~~~~~~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [Connect-VIServer], ViSecurityNegotiationException
    + FullyQualifiedErrorId : Client20_ConnectivityServiceImpl_Reconnect_CertificateError,VMware.VimAutomation.ViCore.
   Cmdlets.Commands.ConnectVIServer

[/box]

Solution

Well, you can either ‘Sort out your certificates properly’, or ‘Drag down the self signed certificate and install it’, or simply execute the following command;

[box]

Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Confirm:$false

[/box]

Try again.
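Setting InvalidCertificateAction to Ignore makes PowerCLI accept any certificate from any server, including a forged one. The following is an added example, not from the original article or from VMware: it reads the certificate the server presents, compares its thumbprint with the one you expect, trusts that single self-signed certificate, and leaves PowerCLI strict. $Server and $ExpectedThumbprint are placeholders.

```powershell
# Added example (not from the original article): rather than telling PowerCLI to
# Ignore every invalid certificate, read the certificate the server presents,
# check its thumbprint against the one you expect, and trust only that one.
# $Server and $ExpectedThumbprint are placeholders; take the thumbprint from the
# vCenter/ESXi console, not from this script's own output.
$Server             = 'vcenter.example.local'
$ExpectedThumbprint = 'PLACEHOLDER_THUMBPRINT_FROM_THE_SERVER_CONSOLE'

function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept anything during the handshake: we only want to read the certificate.
        $accept = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

$cert = Get-RemoteCertificate -HostName $Server
$info = $Server, $cert.Subject, $cert.Issuer, $cert.NotAfter, $cert.Thumbprint
'{0}: subject={1} issuer={2} expires={3:yyyy-MM-dd} thumbprint={4}' -f $info

if ($cert.Thumbprint -ne ($ExpectedThumbprint -replace '[ :]', '').ToUpper()) {
    throw "Thumbprint for $Server does not match the expected value; not trusting it."
}

if ($cert.Subject -eq $cert.Issuer) {
    # Self-signed server certificate (the article's case): trust exactly this one.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadWrite'); $store.Add($cert); $store.Close()
} else {
    throw "Certificate was issued by '$($cert.Issuer)'; import that CA's root certificate instead."
}

# Keep PowerCLI strict, so a changed or forged certificate fails instead of being ignored.
Set-PowerCLIConfiguration -InvalidCertificateAction Fail -Scope User -Confirm:$false
Connect-VIServer -Server $Server
```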

Related Articles, References, Credits, or External Links

NA

VMware: Server Certificate Subject Name Does Not Match

KB ID 0001504

Problem

If you replace the self signed certificate on your Horizon Connection servers, (so that they have a certificate with your ‘public’ address), you will see this error;

Status: Server’s certificate subject name does not match the server’s External URL.
Server’s certificate is not trusted.

SSL Certificate: Invalid

Solution

At first I thought this was simply a DNS problem, and I needed to set up split DNS. But that’s not the case: you need to change the connection server name(s) to the public name(s) in the connection server properties in Horizon Administrator.

After a few minutes the error will disappear.

Related Articles, References, Credits, or External Links

NA

Active Directory Federation Services – Certificate Error ‘CNG Key’

KB ID 0001129

Problem

When installing the Active Directory Federation Services Role, you need to supply a certificate. I was running this up using a self signed wildcard certificate when this happened;

The certificate with the specified thumbprint {thumbprint} has a Cryptographic Next Generation (CNG) private key. The certificates with the CNG private key are not supported. Use a certificate based on a key pair generated by a legacy Cryptographic Service Provider.

Solution

I was generating a wildcard certificate using this method. By default it uses a CNG key; you need to specify a legacy key instead, (I’ve updated the post mentioned above to point out where that’s done).
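You can tell in advance whether a certificate will be rejected by checking what kind of private key it has. The following is an added example, not from the original article: it reports CNG versus legacy CSP for every certificate in the machine store, then creates a self-signed wildcard certificate with a legacy CSP key using New-SelfSignedCertificate (a different method from the one the article links to; the DNS name is a placeholder).

```powershell
# Added example (not from the original article): tell whether a certificate's
# private key is CNG or a legacy CSP key before handing it to the AD FS wizard,
# and create a self-signed wildcard certificate with a legacy CSP key.
# '*.example.local' is a placeholder; use your own name.
function Get-PrivateKeyProvider {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return 'no private key' }
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($null -eq $rsa) { return 'non-RSA key' }
    switch ($rsa.GetType().Name) {
        'RSACng'                   { 'CNG (KSP) - rejected by AD FS' }
        'RSACryptoServiceProvider' { "Legacy CSP: $($rsa.CspKeyContainerInfo.ProviderName)" }
        default                    { $rsa.GetType().Name }
    }
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    [pscustomobject]@{
        Subject    = $_.Subject
        Thumbprint = $_.Thumbprint
        KeyType    = Get-PrivateKeyProvider -Cert $_
    }
} | Format-Table -AutoSize

# New-SelfSignedCertificate defaults to the CNG "Microsoft Software Key Storage
# Provider", which is what triggers the error; ask for a legacy CSP instead.
New-SelfSignedCertificate -DnsName '*.example.local' `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -KeyExportPolicy Exportable `
    -Provider 'Microsoft RSA SChannel Cryptographic Provider' -KeySpec KeyExchange
```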

Related Articles, References, Credits, or External Links

NA

Event ID 6 and 13

KB ID 0000473

Problem

Event ID 6

Source: Microsoft-Windows-CertificateServicesClient-AutoEnrollment

Description:

Automatic certificate enrollment for local system failed (0x800706ba) The RPC server is unavailable.


Event ID 13

Source: Microsoft-Windows-CertificateServicesClient-CertEnroll

Description:

Certificate enrollment for Local system failed to enroll for a DomainController certificate with request ID N/A from {hostname}\{name of CA} (The RPC server is unavailable. 0x800706ba (WIN32: 1722)).


Solution

Note: The pertinent information in the Event ID 13 above is the error code 0x800706ba. There are other causes of this Event ID, so make sure yours shows the same code.

In my case I had an Exchange server that was using a certificate that had been “self signed”, and the Root CA that signed the certificate had been ungracefully removed from the domain. Take a note of the Root CA name from the Event ID error.

1. Launch “Active Directory Sites and Services” > Select the top level object > View > Show Services Node.

2. Expand Services > Public Key Services > AIA > Delete the “Problem CA”.

3. Then select “Enrollment Services” > Delete the “Problem CA”.

If you have a New CA (in this example you would have seen it in step 2), then DO NOT perform the next two steps!!!

4. Providing you DON’T have a CA now, select “Certificate Templates” and delete them all.

5. Providing you DON’T have a CA now, select “Public Key Services” and delete the NTAuthCertificates item.

6. To tidy up, (On the server logging the error) run the following command:

[box] certutil -dcinfo deleteBad [/box]

7. Finally on the server logging the error run the following command to update the policies:

[box] gpupdate /force [/box]
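Before deleting anything under Public Key Services, it is worth confirming which CA objects AD still holds and whether their hosts are actually gone. The following is an added example, not from the original article: it lists the Enrollment Services, AIA and NTAuthCertificates entries from the Configuration partition (requires the ActiveDirectory module).

```powershell
# Added example (not from the original article): list the CA objects that
# Active Directory still knows about, so you can confirm the "Problem CA" from
# the event really is stale before deleting anything in Sites and Services.
Import-Module ActiveDirectory
$pks = "CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"

# Enrollment Services: one object per CA, with the host that (supposedly) runs it.
Get-ADObject -SearchBase "CN=Enrollment Services,$pks" -SearchScope OneLevel -Filter * `
    -Properties dNSHostName |
    ForEach-Object {
        $online = Test-Connection -ComputerName $_.dNSHostName -Count 1 -Quiet -ErrorAction SilentlyContinue
        [pscustomobject]@{ CA = $_.Name; Host = $_.dNSHostName; HostReachable = [bool]$online }
    } | Format-Table -AutoSize

# AIA: published CA certificates, one object per CA name.
Get-ADObject -SearchBase "CN=AIA,$pks" -SearchScope OneLevel -Filter * |
    Select-Object Name, DistinguishedName

# NTAuthCertificates: every CA trusted to issue logon / domain controller certificates.
$ntAuth = Get-ADObject -Identity "CN=NTAuthCertificates,$pks" -Properties cACertificate
foreach ($raw in $ntAuth.cACertificate) {
    $c = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
    '{0}  expires {1:yyyy-MM-dd}' -f $c.Subject, $c.NotAfter
}
```

A CA that appears here with an unreachable host and no matching server in the domain is the “Problem CA” the steps above remove; a CA whose host answers is still in use and must be left alone.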

Related Articles, References, Credits, or External Links

NA

Exchange – ‘The certificate status could not be determined because the revocation check failed.’

KB ID 0000484

Problem

Seen on Exchange (with or without service packs) when you access the internet through a proxy server. Note: Exchange does NOT take its proxy settings from Internet Explorer.

Solution

1. To prove that the proxy is the problem drop to command line and issue the following command:

[box]netsh winhttp show proxy[/box]


If it says “Direct Access (no proxy server)” and you have a proxy server then that’s your problem.

2. Issue the following command:

[box]netsh winhttp set proxy proxy-server="http={proxy IP}:{port};https={proxy ip}:{port}" bypass-list="*.YourDomain.com"[/box]

3. Note: If this goes wrong the Exchange Management Console won’t open, so test it to make sure. To revert back to “no proxy”, issue the following command:

[box]netsh winhttp reset proxy[/box]

You only do this if it’s broken something!!

4. All being well your certificates should now display correctly.
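Rather than waiting for the console to show the certificate status, you can prove the revocation check now works through the proxy. The following is an added example, not from the original article: it sets the WinHTTP proxy (with plain ASCII quotes, since curly quotes copied from a web page break the command), exports the server-authentication certificate and lets certutil fetch its CRL/OCSP URLs. The proxy address and bypass domain are placeholders.

```powershell
# Added example (not from the original article): set the WinHTTP proxy, then
# prove the revocation check works by fetching the CRL/OCSP URLs of the
# Exchange certificate through that proxy. Proxy and domain values are placeholders.
$ProxyHost = '10.0.0.1'; $ProxyPort = 8080; $Bypass = '*.example.local'

$before = netsh winhttp show proxy
if ($before -match 'Direct access') {
    netsh winhttp set proxy proxy-server="http=${ProxyHost}:${ProxyPort};https=${ProxyHost}:${ProxyPort}" bypass-list="$Bypass"
}
netsh winhttp show proxy

# Pick the certificate Exchange/IIS serves: first one with a private key and a
# Server Authentication EKU. Adjust the filter if you have several.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication' } |
    Select-Object -First 1
if (-not $cert) { throw 'No server-authentication certificate with a private key found.' }

$cer = Join-Path $env:TEMP 'exchange-cert.cer'
Export-Certificate -Cert $cert -FilePath $cer -Force | Out-Null

# certutil downloads the CDP/AIA/OCSP URLs via WinHTTP, i.e. through the proxy
# just configured; "Revocation check failed" lines mean the proxy still blocks them.
$result = certutil -verify -urlfetch $cer
$result | Select-String -Pattern 'Revocation|CRL|OCSP|ERROR|Failed'

# If the Exchange Management Console stops opening, undo the proxy change with:
#   netsh winhttp reset proxy
```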


Related Articles, References, Credits, or External Links

NA