Troubleshooting Web Certificate Issues in IE
Posted by William Diaz on September 4, 2013
A while back ago one of our internal servers presented an issue to us. While trying to navigate to it, we were running into the following warning: “There is a problem with this website’s security certificate…”
The real problem was that clicking the Continue to this website (not recommended) link didn’t let you proceed to the login page, it would simply refresh this page each time. To explorer causes with certificate issues in Windows you simply need to enable CAPI2 logging. CAPI is Microsoft’s cryptography API. Logging can be enabled by going into the Windows event viewer > selecting Application and Services Logs > Microsoft > Windows > CAPI2:
Right-click the Operational log and select Enable Log. Recreate the issue, right-click the log again, select Disable Log, and look at the individual events, especially those error events. You will need to scan through the Details tab to isolate the issue as no general information is provided. This is not as bad as it looks. You don’t necessarily need to understand everything you are looking at. The Internet and your favorite search engine can handle the rest. In this case, I started by copying the ErrorStatus lines that had a boolean of true into my search engine. I hit pay dirt when CERT_TRUST_HAS_WEAK_SIGNATURE pointed me to this Microsoft KB article Microsoft Security Advisory: Update for minimum certificate key length. In short, Microsoft disabled support for weak key lengths, i.e. lengths that were not equal to or more than 1024 bits. From the certificate error below, I could see that the key length for the certificate the server was using was only 512 bits long:
To work around the issue, we needed to enable support for weak certificates on those workstations that needed access to the site. To do this, open an elevated command prompts and type certutil -setreg chain\minRSAPubKeyBitLength 512. See the KB article for more command line options. This can also be toggled in the registry at HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config and creating a DWORD of minRSAPubKeyBitLength equal to 512.