IE8 error with Certificate
I have installed a certificate with multiple Common Names on a Red Hat server in the jks format. The web page can be accessed with Firefox and the certificate gets imported. However, IE8 gives the error "Internet Explorer cannot display the webpage".
I added the cert with MMC and its properties show "This certificate has an nonvalid digital signature." Also, the cert doesn't have the URL of the web page in it. The cert does have a valid signature in Firefox and the URL mismatch is ignored. How can I get IE8 to accept it? This cert is required for another application (where it works fine) and cannot be changed except to change the format. I already have it in PKCS12, jks and pem formats.
Let me guess: you're running Windows XP or Windows Server 2003, and the certificate uses SHA2?
KB Article: Windows Server 2003 and Windows XP clients cannot obtain certificates from a Windows Server 2008-based certification authority (CA) if the CA is configured to use SHA2 256 or higher encryption, with hotfix.
Windows XP/2003 doesn't understand SHA-256; that's why the digital signature is non-valid.
Firefox uses its own certificate storage, whereas IE8 uses Windows storage. This explains why the certificate can be valid for Firefox and untrusted for IE8.
To resolve the problem, try to import the certificate including the whole chain into the Windows certificate store (I don't think you would use IE on another OS). Maybe you will be forced to mark the root certificate as valid (you can also do it for your certificate without the chain).
Also check the compatibility of the signature algorithm with your OS. For example, Windows XP (before SP3) cannot handle the SHA-2 algorithm.