Problem digital certificate
Good morning friends;
I need help but that my end user to install
digital certificates below. Inserted
in the certificates Trusted Root Certification Authority
and not succeeded.
When the certificate is installed, it
falls into the others people in user certificate folder.
Can you help me?
Marcus
December 28th, 2011 6:50am
More screen
I've imported the certificate chain
of trusted root and still did not work, keeps asking
the user to install the certificate.
Marcus
December 28th, 2011 7:13am
The problem is that it is not able to download the CRL file. Look on the details tab for each certificate except the root and locate the "CRL Distribution Point" (I don't speak Portuguese, but an online translation would be "lista de certificados revogados" for "Certificate Revocation List" (in the above box it is "informacoes de revogacao do certificado") and "Ponto de Distribuição CRL" for "CRL Distribution Point"). If nothing else, have them take a screenshot of each item on the "Detalhes" tab and look for one with URLs with a .crl file extension.
Possibilities are:
1) Get the CRLs cached on your proxy at that site - the download may be taking too long for the client (if I remember right it's 20 seconds for the root and 15 seconds for each subordinate CA)
2) You may need to create a firewall rule to allow the traffic. Probably not, but you never know.
3) You can download the CRL and install it, but then you need to do that every time it needs to get updated, so that's not a great solution. You can use "certutil -addstore root rootca.crl" or "certutil -addstore ca issuingca.crl" to manually install the CRL file. This is a not-so-great workaround, but it exists.
December 28th, 2011 12:16pm
My friend I've also read that message
that the CRL was out.
I'll try to do some tests with your tip
and I'll post the result here.
Marcus
December 28th, 2011 1:31pm
Steve.
The solution for me to avoid my users to install the certificate would be released into the firewall access to the Root CA? I do not understand.
The problem is that my briefcase in the Trusted Root Certification Authorities, they are already installed there.
Marcus
December 28th, 2011 1:38pm
The 2 URLs you need to get cached are these:
http://www.gstatic.com/GoogleInternetAuthority/GoogleInternetAuthority.crl
http://crl.geotrust.com/crls/secureca.crl
Alternatively, you could download them as a file and then install them manually (right-click - install CRL - use the defaults, or to script on 2003/vista/2008/win7 = "certutil -addstore ca GoogleInternetAuthority.crl" and "certutil -addstore ca secureca.crl").
Note that you would need to update these again every time they expire - right now this appears to be configured for 30 days, so hopefully they update it at least every 2-3 weeks (but I don't know for sure). If you use Firefox, you can download into Firefox, then it should give you an option to update automatically within Firefox - note that Firefox keeps its certificate info separate from IE.
December 28th, 2011 5:12pm
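An added example, not part of the original thread or any poster's code: a PowerShell check that downloads each CRL Distribution Point URL from an affected client and reports whether the body really is a CRL, since a proxy or content filter can answer with a block page instead. The function name `Test-CrlDownload` and the 15-second default (taken from the per-CA figure recalled in the thread) are assumptions of this example.

```powershell
# Added example (not from the thread). Fetches each CRL URL the way a client behind
# the same proxy/content filter would and reports what actually came back.
function Test-CrlDownload {
    param(
        [Parameter(Mandatory = $true)][string[]]$Url,
        [int]$TimeoutSeconds = 15   # assumption: per-CA figure recalled in the thread
    )
    foreach ($u in $Url) {
        $row = [ordered]@{ Url = $u; Status = 'FAILED'; Seconds = 0; Bytes = 0; Detail = '' }
        $timer = [System.Diagnostics.Stopwatch]::StartNew()
        try {
            $resp  = Invoke-WebRequest -Uri $u -UseBasicParsing -TimeoutSec $TimeoutSeconds
            $bytes = $resp.RawContentStream.ToArray()
            $row.Bytes = $bytes.Length
            # A DER CRL starts with an ASN.1 SEQUENCE tag (0x30); a PEM CRL with a BEGIN line.
            # Anything else (for example an HTML block page) is not a CRL.
            $head = [System.Text.Encoding]::ASCII.GetString($bytes, 0, [Math]::Min(24, $bytes.Length))
            if ($bytes.Length -gt 0 -and ($bytes[0] -eq 0x30 -or $head.StartsWith('-----BEGIN X509 CRL'))) {
                $row.Status = 'OK'
                $row.Detail = 'Looks like a CRL (DER or PEM)'
            } else {
                $row.Status = 'NOT A CRL'
                $row.Detail = "Unexpected body, Content-Type: $($resp.Headers['Content-Type'])"
            }
        } catch {
            # Timeouts, DNS failures, proxy authentication errors and HTTP 4xx/5xx land here.
            $row.Detail = $_.Exception.Message
        } finally {
            $timer.Stop()
            $row.Seconds = [Math]::Round($timer.Elapsed.TotalSeconds, 1)
        }
        [pscustomobject]$row
    }
}

# URLs quoted in the thread; replace them with the CRL Distribution Point URLs of your own chain.
Test-CrlDownload -Url @(
    'http://www.gstatic.com/GoogleInternetAuthority/GoogleInternetAuthority.crl',
    'http://crl.geotrust.com/crls/secureca.crl'
) | Format-Table -AutoSize
```

Run it as the affected user on the affected client so the same proxy settings apply. For a check that goes through Windows' own chain engine, `certutil -verify -urlfetch` against an exported copy of the certificate reports the retrieval result for each CRL URL.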
Steve, now I understand.
I'll try to do some tests with your tip and
I'll post the result here.
Marcus
December 28th, 2011 5:50pm
Are things working better yet?
December 29th, 2011 5:31pm
Steve
My problem was in my content filter.
As your tip.
Thank you.
Marcus
January 5th, 2012 5:29am