When attempting to contact a server running the Certification Authority Web Enrolment role, you may see the following error.
In order to complete certificate enrolment, the Web site for the CA must be configured to use HTTPS authentication
Solution
The correct fix is to set the web server (IIS) to serve the certificate website securely over HTTPS, though you can just set Internet Explorer to ‘work’ from your client machine if you are in a hurry.
Make Internet Explorer Accept Your Certification Authority
Note: This would need to be done on every machine that you wanted to access the Certificate Services web portal from.
1. From within Internet Explorer > Internet Options > Security > Trusted Sites > Sites.
2. Untick ‘Require server verification (https:) for all sites in this zone’ > Then add in the URL of the CA > Close.
3. With Trusted sites still selected > Custom level > ‘Initialize and script ActiveX controls not marked as safe for scripting’ > Enable > OK > Yes.
4. Restart the browser and try again.
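The workaround above relaxes two settings in the Trusted Sites zone, so it helps to be able to see which profiles carry it. The following read-only audit is an added example, not part of the original article; it reads the standard per-user Internet Settings registry keys and assumes it is run as the user being checked.

```powershell
# Added example: read-only audit of the current user's Trusted Sites zone (zone 2).
# Settings enforced by Group Policy live under ...\Software\Policies and are not covered here.
$base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$zone = Get-ItemProperty -Path "$base\Zones\2"

# Flags bit 0x4 = 'Require server verification (https:) for all sites in this zone'.
$requireHttps = [bool]($zone.Flags -band 4)

# Action 1201 = 'Initialize and script ActiveX controls not marked as safe for scripting'.
$actionNames = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
$raw = $zone.'1201'
$unsafeActiveX = if ($null -eq $raw) { 'NotSet' }
                 elseif ($actionNames.ContainsKey([int]$raw)) { $actionNames[[int]$raw] }
                 else { "Unknown ($raw)" }

# Sites mapped to zone 2 for plain http (or any protocol). Key layout is
# Domains\<domain>[\<subdomain>], value name = protocol, value data = zone number.
# Sites added by IP address are stored under ZoneMap\Ranges and are not listed here.
$plainSites = @(Get-ChildItem -Path "$base\ZoneMap\Domains" -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $key = $_
        $labels = @(($key.Name -replace '^.*\\ZoneMap\\Domains\\', '') -split '\\')
        [array]::Reverse($labels)
        foreach ($proto in $key.GetValueNames()) {
            if (($proto -eq 'http' -or $proto -eq '*') -and $key.GetValue($proto) -eq 2) {
                '{0}://{1}' -f $proto, ($labels -join '.')
            }
        }
    })

[pscustomobject]@{
    User                 = "$env:USERDOMAIN\$env:USERNAME"
    RequireHttps         = $requireHttps
    UnsafeActiveXInit    = $unsafeActiveX
    NonHttpsTrustedSites = $plainSites -join ', '
    Weakened             = (-not $requireHttps) -or ($unsafeActiveX -eq 'Enable')
}
```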
Set IIS to serve Certificate Services Securely (via https).
This assumes you have your CA and the web portal installed correctly.
1. On the Certificate Services Server > Launch IIS Manager > Expand {server-name} > Sites > Default Web Site > Right Click > Edit Bindings > https > Edit > Select the self signed server certificate [NOT the CA ONE] > OK.
Note: If https is missing simply add it!
2. Expand Default Web Site > Certsrv > SSL Settings.
3. Tick ‘Require SSL’ > Apply.
4. That should be all you need. If it does not take effect straight away, drop to a command line and run iisreset /noforce.
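The same steps scripted with the WebAdministration module, as an added example that is not part of the original article. It assumes the site is Default Web Site with the https binding on all addresses, port 443, and it picks the newest non-CA certificate with a private key from the machine store, so check that the subject it prints is the one you intended.

```powershell
# Added example: run in an elevated PowerShell session on the Certificate Services server.
Import-Module WebAdministration
$site = 'Default Web Site'

# Choose a server certificate from the machine store, skipping the CA's own certificate:
# it needs a private key, must be in date, must not assert basicConstraints CA=TRUE (2.5.29.19),
# and, if it carries an EKU extension (2.5.29.37), must list Server Authentication.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $ext   = $_.Extensions
    $isCa  = $ext | Where-Object { $_.Oid.Value -eq '2.5.29.19' -and $_.CertificateAuthority }
    $eku   = $ext | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekuOk = (-not $eku) -or
        (@($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains '1.3.6.1.5.5.7.3.1')
    $_.HasPrivateKey -and -not $isCa -and $ekuOk -and $_.NotAfter -gt (Get-Date)
} | Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) { throw 'No suitable server certificate found in Cert:\LocalMachine\My' }
"Binding certificate: $($cert.Subject) [$($cert.Thumbprint)]"

# Step 1: add the https binding if it is missing, then (re)attach the certificate to 0.0.0.0:443.
if (-not (Get-WebBinding -Name $site -Protocol https)) {
    New-WebBinding -Name $site -Protocol https -Port 443 -IPAddress '*'
}
$sslPath = 'IIS:\SslBindings\0.0.0.0!443'
if (Test-Path $sslPath) { Remove-Item $sslPath }
New-Item -Path $sslPath -Value $cert | Out-Null

# Steps 2-3: tick 'Require SSL' on the CertSrv application only.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$site/CertSrv" `
    -Filter 'system.webServer/security/access' -Name 'sslFlags' -Value 'Ssl'

# Confirm the setting; step 4 (iisreset /noforce) is only needed if it has not taken effect.
Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location "$site/CertSrv" `
    -Filter 'system.webServer/security/access' -Name 'sslFlags'
```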
Related Articles, References, Credits, or External Links
I’ve been trying to deploy a FortiGate into EVE-NG (article to follow) this week. I could get the appliance running fine but when I tried to access the web management console all I got was the following.
Note: I have a couple of management VMs in EVE-NG (Windows 7 and Server 2012), they had a mixture of IE, Chrome and Firefox on them but still I could not get in?
Solution
All forums yielded no more info other than ‘Check you have allowed access for http’. But as you can see (above) the Fortinet logo is on the window, so I was hitting the firewall and http was allowed? (Also the http daemon was running inside the appliance.)
Just for fun I connected the outside interface to my test network, allowed http, and tried from there, it worked perfectly? So I deployed another FortiGate and connected the ‘inside’ interface to my test network, again it worked fine? At this point it was becoming obvious that my management machines’ browsers were probably the problem. So I deployed a new Kali Linux VM, fired up Firefox and;
That took a LOT longer than it needed to!
I’d just installed a new vCenter and Platform Services Controller for a client this week. When I tried to access the web consoles I saw this.
Content was blocked because it was not signed by a valid security certificate
For information see “About Certificate Errors” in Internet Explorer Help.
No amount of allowing certificates without revocation, and tinkering with the registry would let me in?
Solution
I can’t believe how annoyingly simple it was to solve in the end! Go to the end of the URL and remove ‘/?csp’, problem solved.
Chrome is my browser of choice, so I don’t look at my website with IE often. (Yes I know that’s bad practice for a webmaster). So I was surprised when I opened my home page and saw this.
If you have a lot of them this is quite time consuming, but you can add the attribute of border and set it to zero within the IMG section of your hyperlink like so;
Option 2: Edit your CSS
This would be the preferred option, because you make one change and it will affect all your images. Simply add the following commands to your CSS.
Fixed!
On a home PC, the welcome screen is not so bad, but in a corporate environment where users move round a lot, this popping up every time you log onto a new machine can get quite annoying.
Solution
You have two options,
Option 1: The simplest way in a domain is to disable it via group policy. You can find the relevant group policy at Computer Configuration > Administrative Templates > Windows Components > Internet Explorer > Prevent performance of First Run Customize Settings.
Set to “Enabled”, then set what you want the browser to do > Apply > OK.
Option 2: You can do this via registry key as well (on a user by user basis). Simply save the following as remove-welcome.reg and run it on the machine in question.
While browsing to a website with an https:// address you may come across the following error;
There is a problem with this website’s security certificate.
The security certificate presented by this website was not issued by a trusted certificate authority
and/or
The security certificate presented by this website was issued for a different website address.
Security certificate problems may indicate an attempt to fool you or intercept data you send to the server.
We recommend that you close this webpage and do not continue to this Web site.
Solution
Before you proceed: Most of the time, if you see this error a LOT, the date and time are probably set incorrectly on your computer.
This may look like a very scary error, and the default action (from the little green tick option) is NOT to proceed. But let’s look at this error sensibly. If you are on a website and you have your credit card out ready to buy something, STOP! Or if you are about to enter some personal details into something, then again, STOP!
However if you are going to a website that your IT department has told you to go to for something (email access, or a corporate website, etc) then click the RED option, Continue to this website (not recommended).
Why are you seeing this error?
Well, it’s to do with the digital certificate this website is presenting to your browser. If you have ever shopped online you may have been told to look for the small padlock to make sure the site is secure.
That’s because that website is presenting you with a certificate and you ‘TRUST’ that certificate. If there was a problem with the certificate, and you didn’t trust it you would be presented with the error above.
OK So What Is a Certificate?
As far as web browsing is concerned a Digital Certificate does two things;
1. Encryption: It makes sure the information exchanged between your browser and the server you are talking to is encrypted. This will happen whether you trust the certificate or not.
2. Identity: It is used to prove, that the server you are talking to is who they say they are.
The error you are seeing is related to Identity. This DOES NOT necessarily mean the site is a fake (but if you’re unsure, let’s tread carefully). The original error above is telling us two things;
The security certificate presented by this website was not issued by a trusted certificate authority
This means your computer does not trust the CA (Certification Authority) that created and issued this certificate. Anyone can set up a CA (have a search on this site; I’ve set them up for Exchange email servers, VPNs, and a ton of other reasons). These certificates are usually referred to as ‘Self Signed’. So if I (or anyone else) set up a CA and issue a certificate, your browser will not trust it. Without a lengthy and boring description of how PKI works, you trust every CA that you have a ‘Trusted CA Root Certificate’ for. Once you have this you will trust every certificate issued by that CA.
To prove it let’s inspect the PayPal example above, and take a look at the certificate it’s presenting.
This certificate is trusted because;
1. Issued to: This name MUST match the URL you typed in the browser.*
2. Issued By: The people who signed and issued it, we trust (VeriSign).
3. Valid From: It is in date, (certificates expire). So if the date and time are very wrong on your computer, you will see loads of these errors!
*Note: It is possible to add more names to a certificate in another section called Subject Alternative Name (SAN), but these are NOT generally used for web sites.
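The three checks above can be run against a certificate object, shown here as an added example that is not from the original article. Test-ServerCertificate is a hypothetical helper, the sample certificate is constructed in memory for a made-up host (this needs .NET Framework 4.7.2 or later), and the SAN parsing assumes the English Windows text format.

```powershell
# Added example. Reports the three checks: name matches, issuer trusted, in date.
function Test-ServerCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$HostName,
        [datetime]$Now = (Get-Date)
    )
    # 1. Issued to: DNS names in the SAN extension (2.5.29.17) if present, otherwise the subject CN.
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $names = if ($san) {
        [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }
    } else {
        $Certificate.GetNameInfo('SimpleName', $false)
    }
    # A wildcard such as *.example.test covers exactly one extra label.
    $nameOk = [bool]($names | Where-Object {
        if ($_.StartsWith('*.')) { ($HostName -split '\.', 2)[1] -eq $_.Substring(2) } else { $_ -eq $HostName }
    })

    # 2. Issued by: build the chain against this machine's trusted root store.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'    # no CRL/OCSP lookups, so the check stays offline
    $chain.ChainPolicy.VerificationTime = $Now
    [void]$chain.Build($Certificate)
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status })

    [pscustomobject]@{
        NameMatches   = $nameOk
        IssuerTrusted = -not ($status -contains 'UntrustedRoot' -or $status -contains 'PartialChain')
        # 3. Valid from / to: evaluated at $Now, which is why a wrong clock breaks everything.
        InDate        = ($Now -ge $Certificate.NotBefore -and $Now -le $Certificate.NotAfter)
        ChainStatus   = $status -join ', '
    }
}

# Constructed sample: a self-signed certificate for a made-up host, held in memory only.
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = New-Object System.Security.Cryptography.X509Certificates.CertificateRequest(
    'CN=portal.example.test', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$cert = $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1), [DateTimeOffset]::Now.AddDays(30))

Test-ServerCertificate -Certificate $cert -HostName 'portal.example.test'   # untrusted issuer
Test-ServerCertificate -Certificate $cert -HostName 'other.example.test'    # plus a name mismatch
Test-ServerCertificate -Certificate $cert -HostName 'portal.example.test' -Now (Get-Date).AddDays(60)  # clock wrong
```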
So Who Do We Trust?
Your PC comes ‘pre-loaded’ with a bunch of trusted CA certificates, which get updated and renewed periodically. If you want to see them do the following;
Note: You need to be a computer administrator to do this. If you are NOT, then in IE Tools > Internet Options > Content > Certificates > Trusted Root Certification Authorities. You will see the same thing.
3. Computer Account > Next > Local Computer > Finish > OK.
4. Expand Certificates (Local Computer) > Trusted Root Certificates > Certificates > Down near the bottom you will see the VeriSign CA certificates that you trust.
To Summarise, The PayPal website works (without an error) because;
After spinning up a new Windows 2012 R2 Server this week, I needed to get some hot-fixes and updates, and I was greeted by this annoying IE ‘Security Alert’.
I appreciate that normally you would not be downloading files on a server, but a lot of us do need to download and install software and unless you have Internet access elsewhere you will be stuck.
Solution
1. Chances are you will be on a URL that is in the ‘Internet Zone’ (though that’s not always the case). Right-click on any area of the web page you are trying to download from and select Properties, then check the Zone you are in; it will say Internet, Local Intranet, Trusted or Restricted Sites. Make a note!
Note: If it says ‘Restricted Sites’ make sure you are trying to download something legitimate and not something potentially nasty!
2. From within IE > Open the Tools menu (the little cog icon) > Internet Options > Select the appropriate Zone (the one you noted earlier) > Custom Level.
3. Scroll all the way down to ‘Downloads’ > File Downloads > Enable > OK.
4. Restart the browser and try again.
Seen (usually on a server) when trying to connect to either Outlook Web App, or The Exchange Admin Center.
To use Microsoft Outlook Web App, browser settings must allow scripts to run. For information about how to allow scripts, consult the Help for your browser. If your browser doesn’t support scripts, you can download Microsoft Internet Explorer for access to Outlook Web App.
Solution
You have two options, the first is more sensible (and more secure) so that would be my preference.
Option 1
1. From Internet Explorer Options > Security > Trusted Sites > Add the URL of OWA or ECP > Close > Apply > OK.
Option 2
1. From Internet Explorer Options > Security > Internet > Custom Level > Allow Scriptlets > Enable > OK > Apply > OK.