
 

  SSL Support
 
Troubleshooting FAQ
 
  Failed to Verify for all intended purposes error
  CAP 12 or CAPI2 Error - 80093005
  Page Cannot be Displayed
  Internet Explorer 5.5 enrolment error
  IIS-4 Server connecting with Netscape 4.7 (or similar) 56bit browser
  iPlanet 4.x server connecting with MS Internet Explorer 5.x 56bit browsers
  Apache ModSSL server connecting to MS Internet Explorer 5.x 56bit browsers


Failed to Verify for all intended purposes error

When you connect to a secure page and view its certificate in Internet Explorer, the browser may report that the certificate has failed to verify for all of its intended purposes.




VeriSign and Microsoft have determined that there is a slight user interface error between Internet Explorer and VeriSign Global Server Certificates. However, this error DOES NOT affect the basic functionality or security of the two products. Furthermore, the user interface implications should be invisible to most users.

VeriSign Global Server IDs are intended to enable 128 bit strong encryption communication sessions between browsers (both import and export versions) and servers which have a Global Server ID. Users of Microsoft Internet Explorer are, in fact, able to connect successfully to a server using a VeriSign Global Server ID, and will do so using strong encryption. 128 bit SSL is established automatically, with no special action needed on the part of end users.

In most SSL sessions, when a user clicks on the padlock icon in Internet Explorer, they are able to easily view the contents of the certificate and verify the strength of the communication session. When a user clicks on the padlock icon in Internet Explorer when connecting to a site using a Global Server ID, they may see a message that says "This certificate has failed to verify for all of its intended purposes."

This error is due to Internet Explorer not recognising a specific object ID (OID) describing the contents of the certificate. However, the effect is limited to the user interface. The user will, in fact, connect at 128 bits. In fact, if the user clicks on the "Certificate Path" tab in the same dialog box, a dialog will show that the certificate indeed verifies and is trusted for all intended purposes.

Microsoft and VeriSign take this user interface error seriously. We are aware that Microsoft are taking steps to correct the situation. For more information regarding this please contact Microsoft support with any enquiries: http://support.microsoft.com

 
CAP 12 or CAPI2 Error – 80093005
This error code appears to occur only with Microsoft IIS 4.0 servers, and affects both Secure and Global server certificates.
This error usually occurs during the installation process, after entering the password.
Common Causes:

  Sometimes an Exchange server can reformat the certificate content in the issuance email. For example, it may add spaces at the beginning or end of the lines. To check this, copy and paste the certificate (including the -----BEGIN----- and -----END----- lines) into Notepad or another plain text editor. Check the formatting and remove any white space at the start or end of each line. The certificate should look like:
-----BEGIN CERTIFICATE-----
[encoded certificate data]
-----END CERTIFICATE-----


If you still receive the same error when installing this "clean" certificate, the error is probably caused by one of the following:

  The password used when generating the CSR cannot be more than 7 characters.
  After generating the CSR in Key Manager, a key with a red slash through it will be displayed. This contains the unique private key for the certificate request and must be present for the installation. Accidentally deleting it, or not committing the changes in Key Manager after generating the CSR, will cause the key to be lost and make installation impossible.
  Global Server Certificates require the certificate to be parsed using Microsoft's SGCInst.exe file. (See the Installation Instructions for Global Server Certificates). If you attempt to run SGCInst on a Secure Server Certificate, or attempt to install a Global Server Certificate into Key Manager without running SGCInst, you will get the error.

The solution is to REPLACE your certificate. It is best to clear the key manager of any unused CSRs and generate a new clean CSR containing the same Distinguished Name as the previous CSR.
If you are still receiving the CAP12 error after you have exhausted the possible causes listed above, please contact MSC Trustgate Customer Service for further assistance.
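
The whitespace check described under Common Causes can be scripted instead of done by hand in Notepad. The following is an added example, not part of the original FAQ or any MSC Trustgate tool: it trims each line, confirms the BEGIN and END lines are intact, verifies that the body is valid Base64, and writes the block back out at 64 characters per line. The function name and the sample data are assumptions made for illustration.

```python
import base64
import binascii
import re
import textwrap

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def clean_pem(pasted: str) -> str:
    """Return a canonical PEM block from certificate text pasted out of an e-mail.

    Raises ValueError if the marker lines are missing or the body is not Base64.
    """
    # Trim spaces, tabs and carriage returns added at either end of each line,
    # then drop lines that are empty after trimming.
    lines = [ln.strip() for ln in pasted.splitlines()]
    lines = [ln for ln in lines if ln]
    if BEGIN not in lines or END not in lines:
        raise ValueError("BEGIN/END CERTIFICATE line missing or altered")
    start, stop = lines.index(BEGIN), lines.index(END)
    if stop <= start + 1:
        raise ValueError("no certificate data between the marker lines")
    # Join the body and remove any whitespace inserted inside a line.
    body = re.sub(r"\s+", "", "".join(lines[start + 1:stop]))
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate body is not valid Base64: {exc}") from exc
    # A DER certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
    if not der or der[0] != 0x30:
        raise ValueError("decoded data does not start with an ASN.1 SEQUENCE")
    wrapped = textwrap.wrap(base64.b64encode(der).decode("ascii"), 64)
    return "\n".join([BEGIN, *wrapped, END]) + "\n"


# Constructed sample: 100 bytes standing in for a DER certificate (not a real
# one), wrapped in PEM markers and then mangled the way the FAQ describes.
SAMPLE_DER = b"\x30\x62" + bytes(range(98))
SAMPLE_B64 = textwrap.wrap(base64.b64encode(SAMPLE_DER).decode("ascii"), 64)
MANGLED = "\r\n".join(
    ["  " + BEGIN + " "] + [" " + ln + "\t" for ln in SAMPLE_B64] + [END + "  "]
)

if __name__ == "__main__":
    print(clean_pem(MANGLED), end="")
```

A ValueError here means the pasted text is damaged beyond stray whitespace, in which case the certificate should be copied again from the issuance email before installation is retried.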
 
Page Cannot be Displayed
If, after installing your server certificate, you are unable to establish a secure session (HTTPS) and your browser is returning "Page Cannot be Displayed", you should first check the following:

  Ensure that the Installation Instructions used were correct for your web server.
  Check the server has been restarted after installing the certificate. If this is not done problems may be encountered in connecting to the SSL site.
  The connection must be made using the correct common name as it appears in your certificate. Some browsers will not be able to connect to an SSL site if an IP address or machine name is used. To resolve this either update the DNS or add a host file entry to the PC being used for testing.
  Server Bindings (IP and port settings) should be confirmed. Generally server configuration requires the internal IP address, and the SSL port of 443 to be set. This process will be different depending on the web server software you are running – you should consult your server documentation for exact procedures.
  The firewall/proxy properties should also be checked. To achieve an SSL connection, traffic must be enabled in both directions on port 443. If this has not been done, HTTPS connections will fail.
 
IE 5.5 enrolment error
When enrolling for a server certificate it is important to fill in each field correctly. If any mistakes are made on the enrolment page (step 5 of 7) you will receive an error page when you submit the request. When you go back to the enrolment page, correct the mistake and attempt to submit again, IE 5.5 browsers may give the following or similar error:



In fact each field will still contain the original data and exclamation marks will probably not be visible.
The solution is to confirm that all the fields have accurate data and then TAB through each field on the enrolment page. You will then be able to submit the request.
We apologize for the inconvenience. This error only occurs with IE 5.5 and only occurs if an error page is presented during an enrolment.
 
IIS-4 Server connecting with Netscape 4.7 (or similar) 56bit browser
Export versions of Netscape Communicator 4.7x (56-bit encryption) may crash or fail to connect to the Web site, and display a "memory access violation" error. Sometimes an "Invalid Page Fault" may be displayed or more commonly a Security Library error will occur.

IE connections will not be affected, nor should Netscape 40 or 128 bit browsers.
Microsoft has advised of a server-based fix - running a Hotfix on the server.
 
iPlanet 4.x server connecting with Microsoft Internet Explorer 5.x 56bit browsers
You may encounter a "Page cannot be displayed" error when accessing a Global Server Certificate on an iPlanet server with an IE 5.x 56bit browser.
All IE 40bit & 128bit browsers and all Netscape browsers will connect without error.

 
Apache ModSSL server connecting to Microsoft Internet Explorer 5.x 56bit browsers
You may encounter a "Page cannot be displayed" error when accessing a Global Server Certificate on an Apache ModSSL server with an IE 5.x 56bit browser.
All IE 40bit & 128bit browsers and all Netscape browsers will connect without error.