SSL issuer certificate not found after installation

Ouch! With Go Daddy Certificates: I ran into this issue on a server when trying to apply a new Certificate and its intermediate Certificates. The issue seemed to be from not having a complete Certificate Chain installed in my server's Certificate Store.

The solution to fix this issue was simple. Download and install the root bundles from here or here:

This is in no way the fault of Go Daddy; the server I am hosting on, Server 2003, lacks the much-needed certificate store updates, so it doesn’t know about the newer root CAs.

That said, Go Daddy is still the best in my book.

IIS 7 Error “A specified logon session does not exist. It may already have been terminated.”

I was in the process of updating an IIS7 Website with its newly issued Certificate when I encountered the following issue: “A specified logon session does not exist. It may already have been terminated.”

To resolve this issue:

  • Opened the MMC (start > run > type: mmc)
  • Add\Remove Snap-ins > Select Certificates > Click Add >
  • Choose Computer account > Next > Local computer > Finish
  • Then Clicked OK

Now under Certificates (Local Computer)

  • Select Personal > Certificates
  • Removed the Certificate that was giving me the problem

Again under Certificates (Local Computer)

  • Select Personal > Certificates
  • Right Click Certificates > All Tasks > Import…
  • Click Next > Browse to the new certificate (*tip: use all items view)
  • Select the certificate to import and click Open > Click Next
  • After entering your password, ensure the following are selected: Mark this key as exportable…, and Include all extended properties.

Once done, I returned to IIS and attempted to change the certificate to my new one, and it works without issues. I think this is some sort of bug with IIS7, perhaps there is a fix. For now this works and that’s all I need.

Good luck.


Added Note:

The following system event, ID 36870, was shown: A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x8009030d. The internal error state is 10001.

What is an intermediate certificate?

I just completed a new CSR (Certificate Signing Request). Upon its completion I was issued my new cert along with an intermediate certificate to be installed on my host server. This gives me the perfect opportunity to share what an intermediate certificate is.

An intermediate certificate is used to “chain” your SSL certificate back to a root certificate authority. Think of it as a proxy or gateway to the source where all certificates are signed. Intermediate certificates provide maximum browser and server coverage to ensure visitors won’t receive “invalid SSL” warnings when they visit your site.

For example, if a certificate is issued to “” and issued by “Intermediate CA1”, and the visiting web browser trusts “Root CA”, trust may be established in the following manner:

Certificate 1 – Issued To:; Issued By: Intermediate CA 1
Certificate 2 – Issued To: Intermediate CA 1; Issued By: Intermediate CA 2
Certificate 3 – Issued To: Intermediate CA 2; Issued By: Intermediate CA 3
Certificate 4 – Issued To: Intermediate CA 3; Issued By: Root CA

The visiting web browser trusts “Root CA”, and a secure connection can now be established. Since this process is often called “certificate chaining,” intermediate CA certs are sometimes called “chained certificates”. For enhanced security purposes, most end user certificates today are issued by intermediate certificate authorities. -source
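The chain walk described above can be sketched in a few lines. This is an added example, not code from the original post: certificates are reduced to subject and issuer names, `www.example.test` is a placeholder leaf name, and the sample store is constructed. It also shows the two failures behind an "issuer certificate not found" error: a missing intermediate and a root that the server's store does not trust.

```python
# Added illustration: certificates are reduced to (subject, issuer) pairs.
# Real validation also checks signatures, validity dates and revocation.
from typing import NamedTuple

class Cert(NamedTuple):
    subject: str
    issuer: str

class ChainResult(NamedTuple):
    ok: bool
    path: list    # subjects walked, leaf first
    reason: str

def build_chain(leaf, store, trusted_roots, max_depth=10):
    """Follow issuer links from the leaf until a trusted root is reached."""
    by_subject = {c.subject: c for c in store}
    path, current = [leaf.subject], leaf
    for _ in range(max_depth):
        if current.issuer in trusted_roots:
            return ChainResult(True, path + [current.issuer], "chains to trusted root")
        if current.issuer == current.subject:
            return ChainResult(False, path, "self-signed root is not trusted")
        parent = by_subject.get(current.issuer)
        if parent is None:
            return ChainResult(False, path, "issuer certificate not found: " + current.issuer)
        if parent.subject in path:
            return ChainResult(False, path, "loop in issuer links")
        path.append(parent.subject)
        current = parent
    return ChainResult(False, path, "chain longer than max_depth")

# Constructed sample data; "www.example.test" is a placeholder leaf name.
LEAF = Cert("www.example.test", "Intermediate CA 1")
INTERMEDIATES = [
    Cert("Intermediate CA 1", "Intermediate CA 2"),
    Cert("Intermediate CA 2", "Intermediate CA 3"),
    Cert("Intermediate CA 3", "Root CA"),
]
ROOT = Cert("Root CA", "Root CA")

if __name__ == "__main__":
    # Complete store and trusted root: chain builds.
    print(build_chain(LEAF, INTERMEDIATES, {"Root CA"}))
    # One intermediate missing from the server's store.
    print(build_chain(LEAF, INTERMEDIATES[:1] + INTERMEDIATES[2:], {"Root CA"}))
    # Root present but not in the trusted set (an out-of-date root store).
    print(build_chain(LEAF, INTERMEDIATES + [ROOT], set()))
```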

For more info have a look at the following links:

Certificate authorities

Public-key cryptography

Cryptography stubs

Assign an SSL Certificate to Services in Exchange Server 2013

Switching Exchange 2013 over to a publicly accessible address requires a valid FQDN and a valid SSL Certificate. After installing the certificate on the server we need to find our way to the Exchange Administration Center. Once here, do the following:

  • Select Servers, then Certificates
  • Choose the valid Certificate you plan to use and Click edit (double click seems to work also)
  • Select the services to be used by the Certificate – SMTP, IMAP, POP, IIS
  • After making your selection click Save

You will get a warning about the existence of the previous certificate, click Yes.

Now you should be able to test your Outlook Web App by going to the https:// address of your site.

How secure are the apps you use on Smart Phones

In my last post I wrote a very brief how-to on how to Capture Traffic from Smart Devices with Fiddler by making it a network proxy. I did just that, and the results for a few apps have upset me, mainly because it exposes not only my password and user id but also the content that I upload or download. Not good!

Above is me logging into an application, later followed by my download of content stored on the device. What was shocking at first is that the log on process is all over HTTP, along with all of the communication between my smartphone and the remote server. A man in the middle would love this.

In the /auth_client URL my password along with my email address (user id) was exposed and could be seen clear as day.

And then we have the image I downloaded, which could be captured by the network peeping Tom.
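A quick way to triage a proxy capture for this kind of exposure is sketched below. This is an added example, not part of the original post: the capture rows, the host name and the parameter names are constructed, and only the `/auth_client` path comes from the text above. It reports field names only, so the triage output does not repeat the captured secrets.

```python
# Added example: capture rows, host and parameter names are constructed.
from urllib.parse import urlsplit, parse_qsl

# Field names treated as sensitive (an assumption; extend for the app under test).
SENSITIVE = {"password", "passwd", "pwd", "pass", "email", "user", "username", "token"}

# (method, URL, form-encoded request body) as exported from a proxy session.
CAPTURE = [
    ("POST", "http://api.example.test/auth_client",
     "email=me%40example.test&password=hunter2"),
    ("GET", "http://api.example.test/photos/1.jpg?token=abc123", ""),
    ("POST", "https://api.example.test/auth_client",
     "email=me%40example.test&password=hunter2"),
    ("GET", "http://api.example.test/static/logo.png", ""),
]

def cleartext_exposures(capture):
    """Return (request, sensitive field names) for requests sent over plain HTTP."""
    findings = []
    for method, url, body in capture:
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            continue  # sent over TLS; certificate validation is a separate check
        # Credentials may travel in the query string or in the form body.
        fields = dict(parse_qsl(parts.query) + parse_qsl(body))
        leaked = sorted(name for name in fields if name.lower() in SENSITIVE)
        if leaked:
            findings.append((f"{method} {parts.netloc}{parts.path}", leaked))
    return findings

if __name__ == "__main__":
    for request, names in cleartext_exposures(CAPTURE):
        print(f"cleartext: {request} exposes {', '.join(names)}")
```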

So thinking about this more… How many of us use the same passwords for various services online? If one is captured, the would-be ‘smart guy’ hacker could use the information they gathered here, email address (log on info) and password, and attempt to use them for other known sites. If you are one to use the same password and user ids, then you would have been compromised along with your data.

I am not an app developer, but I do read up on the guidelines, and it’s clear that many developers are not taking this into consideration when pumping out their apps to the marketplace for us to use.

And while SSL helps, the application also needs to validate the SSL certificate: some applications do require SSL to be used, but they don’t necessarily care whether the certificate is theirs or the self-signed certificate of a would-be hacker. The true test is to force the application to take an SSL cert that isn’t from an authority it knows (self-signed). If it rejects this then you’re good to go; otherwise you are taking a big risk in using that application on networks unknown to you.

More so, if you want security then perhaps you (I included) need to use VPN technology on the smart device to ensure the security, and the integrity of the data we value.

This is just one of a few examples I have found. I hope this sparks you to look for others as I have, and perhaps reach out to the developers to make the necessary change to protect us all.