Install self-signed certificate as a Trusted Root on Windows XP

yoshpe picture yoshpe · May 7, 2014 · Viewed 17.7k times · Source

I have successfully installed a self-signed certificate to Windows 7. The procedure was to install it first to the Trusted Root Certification Authorities (Local Computer) and then to install it to the Trusted People (Local Computer). (Without installing it to Trusted People Internet Explorer 11 was still issuing a warning that it cannot be verified up to a trusted certification authority).

I tried repeating the same procedure on a Windows XP machine (yes, they still exist even after their support ended:) without luck. I still get a warning the certificate cannot be verified up to the trusted certification authority. When I look at the Certificates Internet Explorer 8 shows me. The certificate itself is missing (although when looking in certmgr.msc, I can see the certificate). For some reason Internet Explorer chooses to ignore this certificate. Any ideas what's going on?

Answer

yoshpe picture yoshpe · May 8, 2014

Looking at certificate in the Windows Certificate Manager (certmgr.msc). Windows says it "does not have enough information to verify this certificate". When looking at the certificate path, the only certificate that is shown is the certificate itself (with a yellow exclamation mark), and the Certificate status indicates: "The issuer of this certificate could not be found".

I looked carefully at the details of the faulty certificate to find why is it different from other certificates. The issuer's name was clearly correct so this wasn't the problem. The field that drew my attention was "Authority Information Access" The reason was is that it contained extra data with a "URL=http:...name_of_domain.cer". This link is to the intranet the organization uses. I've downloaded the certificate on the intranet and installed it on the client. The certificate became valid, and now it shows two certificates in the "Certification Path"

Conclusions.. It turns out Windows XP is dumb for two reasons:

  1. Installing a certificate that has a chain to the Trusted Root Certificates is not enough for Windows XP. it tries to validate the Root Certificates up to their top of the chain (This doesn't make a lot of sense, since it should be a Root Certificate, and since Windows 7 doesn't follow this behave and accepts the certificate as valid).
  2. Since both the certificates held the same Common Name, Windows XP fails to show that the original certificate does have a chain. and made it alot more difficult to track down the issue.

Hope this helps anyone who will encounter this in the future. (or not since Windows XP supported ended, as we all know:) )