Exchange Remote Connectivity Analyzer SSL "error"
jibbajabba
Member Posts: 4,317 ■■■■■■■■□□
in Off-Topic
Not so much an error per-se, but a warning really and I am wondering what that actually mean. It doesn't affect the functionality so it is more out of curiosity.
Basically the only warning I am getting (when testing rpc over http) is
The certificate is bought from a cheap provider so I expect something not to work anyway
Does that mean that Microsoft simply doesn't acknowledge the provider as root CA ?!?
Edit:
Windowsupdate doesn't find any new updates. I think the last time I saw Windowsupdate download updates for root certificates was on XP.
I even checked the group policies and update of root certificates is not disabled.
I also checked the certificate store and I see that the particular root certificates won't expire until 2038/2040.
I even downloaded the update manually
http://www.microsoft.com/download/en/details.aspx?id=6149
Which doesn't do anything (executing that is) ...
Basically the only warning I am getting (when testing rpc over http) is
Analyzing the certificate chains for compatibility problems with versions of Windows. Potential compatibility problems were identified with some versions of Windows. Additional Details ExRCA can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
The certificate is bought from a cheap provider so I expect something not to work anyway
Does that mean that Microsoft simply doesn't acknowledge the provider as root CA ?!?
Edit:
Windowsupdate doesn't find any new updates. I think the last time I saw Windowsupdate download updates for root certificates was on XP.
I even checked the group policies and update of root certificates is not disabled.
I also checked the certificate store and I see that the particular root certificates won't expire until 2038/2040.
I even downloaded the update manually
http://www.microsoft.com/download/en/details.aspx?id=6149
Which doesn't do anything (executing that is) ...
My own knowledge base made public: http://open902.com
Comments
-
Everyone Member Posts: 1,661Weird that RPC over HTTP is the only place it would complain about that. Mobile devices (ActiveSync) is the first area problems with untrusted CAs usually pop up. I had an issue with a VeriSign cert that killed connectivity for a good chunk of my mobile users, and a few OWA users that had outdated cert stores as well. It took a call to VeriSign to get it fixed.
-
jibbajabba Member Posts: 4,317 ■■■■■■■■□□Weird that RPC over HTTP is the only place it would complain about that. Mobile devices (ActiveSync) is the first area problems with untrusted CAs usually pop up. I had an issue with a VeriSign cert that killed connectivity for a good chunk of my mobile users, and a few OWA users that had outdated cert stores as well. It took a call to VeriSign to get it fixed.
As it turns out ExRCA only ever fails when root CAs aren't updated by Windows Update, or as the error says, is incompatible. All it takes for it to fail is that the certificate has been created with a different OS than the OS it is installed on ..
After a lot of research it seems that ExRCA hardly ever passes.My own knowledge base made public: http://open902.com