# Windows – Expired web/SSL certificate error on only one computer

certificatesslssl-certificatewindows 7

I have a strange problem with one website's SSL certificate that only affects one computer Windows 7 operating system. The site works fine on other Win 7 computers with no error, pulling valid certificates. I do not own or administer the website, but because the site works perfectly on all other computers, I doubt it's a problem with the site. The "problem computer" is a Win 7 machine, and the error happens with every Win 7 user and every browser (or at least IE10, Chrome, and Firefox). I should add that when I boot this "problem computer" to Ubuntu from a USB key, a valid certificate is pulled.

The domain has private and public users, so I would rather not use the real domain here. Instead, I'll use one of Microsoft's fake domains (contoso.com) to illustrate the problem. The certificate appears to apply to *.contoso.com, but it only appears when I try to access https://a.contoso.com. When I access https://b.contoso.com, I get a different and valid certificate that also applies to *.contoso.com.

EDIT: Browser/Win 7 images of the certificate errors deleted from the original post in favor of openssl output below.

This has been a problem since the certificate expired on December 10, 2014. I have tried going into certmgr.msc > Trusted Root Certification Authorities > Certificates and deleting all of the GeoTrust certificates for both the Current User and the Computer accounts. A new GeoTrust Global CA certificate appeared after reboot, but that did not resolve the situation. Again, this problem affects all users on only one computer regardless of the browser used. Further, it does not affect those same domain users if they log into another computer.

Here are some other solutions I've tried:

• Rebooting (of course).
• Using the Clear SSL State button in inetcpl.cpl > Content
• Accessing the site using this "problem computer" from several different public WiFi networks.
• Using certutil -setreg chain\ChainCacheResyncFiletime @now to invalidate current CRL cache entries as per http://blogs.technet.com/b/pki/archive/2007/09/13/how-to-refresh-the-crl-cache-on-windows-vista.aspx
• Used the Copy to File button in the Certificate > Details box on a working computer to copy a working certificate to a file which I then transferred to and installed on the computer with the expired certificate. + reboot, no luck.

Am I correct in assuming this is a problem with the individual computer and not the site hosting the page? And if that's correct, is there a way to force this computer to drop the expired certificate and get the new one that all the other computers are getting?

UPDATE: I appear to be partially correct in my assumption that this is not a problem with the site hosting the page. I assumed it was a problem with the computer, itself, but now it appears to be a problem with the Win 7 operating system installed on this "problem computer" only. I come to this conclusion because other computers running Win 7 pull valid certificates and because this "problem computer" pulls a valid certificate when it is booted into Ubuntu from a USB key. Only when this "problem computer" boots into Win 7 does the expired certificate appear. With that knowledge, is there a way to expunge the expired certificate from Win 7 more successfully than the ones I've listed (which have all failed) above?

Edit: here's the output from openssl s_client -tls1_2 -connect a.contoso.com:443 -servername a.contoso.com | openssl x509 -text -noout on the "problem computer", using Cygwin from the Win 7 operating system. Note the Validity attribute that shows the certificate to expire on Dec 10 21:59:20 2014 GMT:

$openssl s_client -tls1_2 -connect a.contoso.com:443 -servername a.contoso.com | openssl x509 -text -noout depth=1 C = US, O = "GeoTrust, Inc.", CN = GeoTrust SSL CA verify error:num=20:unable to get local issuer certificate verify return:0 Certificate: Data: Version: 3 (0x2) Serial Number: 113752 (0x1bc58) Signature Algorithm: sha1WithRSAEncryption Issuer: C=US, O=GeoTrust, Inc., CN=GeoTrust SSL CA Validity Not Before: Oct 8 16:20:07 2012 GMT Not After : Dec 10 21:59:20 2014 GMT Subject: serialNumber=ibWVTrZnhDvyhydnlXKodqBj0Azl-unn, C=US, ST=Colorado, L=Denver, O=ContosoCompany, OU=ContosoDepartment, CN=*.contoso.com Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (2048 bit) Modulus: 00:df:41:d1:5b:bd:00:68:2c:5e:72:65:39:b6:ac: 7d:67:46:64:f9:c7:07:93:89:80:bd:27:77:f0:40: 6f:61:3b:58:96:bc:cb:a3:f9:40:ad:63:27:b3:e3: fb:c6:87:dc:c8:af:9e:0e:79:c4:e2:09:31:34:e8: c4:2a:7c:77:f1:88:41:c3:b3:b4:88:50:d0:3b:c9: 34:ac:61:e2:4d:a1:cd:6d:4e:db:73:25:eb:b7:f7: 82:95:2d:48:10:f7:78:25:a8:c8:05:a0:bd:07:6b: 7c:b9:09:e4:73:1a:ae:b7:8b:cd:9a:ef:58:39:70: c3:20:5d:ab:8e:f0:c3:fc:96:d9:07:80:e1:88:e8: b3:83:18:1c:ba:28:9b:a6:45:7f:0f:98:9b:cb:53: 29:c6:9e:d5:9c:26:40:bd:81:0d:bc:b3:06:90:9a: a3:25:98:bb:b1:b3:0d:e6:7f:4e:93:8e:ee:b4:de: 15:3c:45:ac:1f:41:3d:e1:5e:de:3c:bb:ce:97:40: fa:10:43:1a:bc:44:2a:55:fe:c2:e0:e0:6a:c3:17: 08:a6:ca:51:de:44:0a:c0:28:32:58:a4:f5:1a:ed: c0:8f:40:22:6a:05:1a:9c:2c:20:39:24:83:10:36: a0:49:79:4b:50:9e:ea:e7:5d:d2:57:54:a5:a3:24: 6b:2d Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Authority Key Identifier: keyid:42:79:54:1B:61:CD:55:2B:3E:63:D5:3C:48:57:F5:9F:FB:45:CE:4A X509v3 Key Usage: critical Digital Signature, Key Encipherment, Data Encipherment X509v3 Extended Key Usage: TLS Web Server Authentication, TLS Web Client Authentication X509v3 Subject Alternative Name: DNS:*.contoso.com, DNS:contoso.com X509v3 CRL Distribution Points: Full Name: URI:http://gtssl-crl.geotrust.com/crls/gtssl.crl X509v3 Subject Key Identifier: EE:49:78:68:84:FF:89:18:BE:21:E9:34:73:32:59:33:2E:93:B3:2B X509v3 Basic Constraints: critical CA:FALSE Authority Information Access: OCSP - URI:http://gtssl-ocsp.geotrust.com CA Issuers - URI:http://gtssl-aia.geotrust.com/gtssl.crt X509v3 Certificate Policies: Policy: 2.16.840.1.113733.1.7.54 CPS: http://www.geotrust.com/resources/cps Signature Algorithm: sha1WithRSAEncryption 82:bc:a7:50:e1:36:7c:c0:67:cc:40:56:7b:22:a2:c2:98:2c: 01:12:b0:6f:0d:01:97:4e:a6:19:5a:d0:eb:61:22:c8:6e:05: 07:a2:97:2a:4e:4f:0b:a4:af:f4:3b:2c:42:e4:21:6d:4a:b1: e8:47:2c:71:56:fb:ec:49:59:97:a7:0f:54:f2:0e:06:cf:e7: 6a:4c:f7:33:d1:21:aa:bb:e2:a2:c1:85:8e:46:02:e5:e9:93: eb:4e:aa:a5:78:e0:bc:94:a6:58:9d:b4:53:98:21:48:48:4c: 94:dd:3a:96:79:3d:08:ed:25:6c:16:31:1b:e3:a8:9d:4f:7e: c7:9e:bf:d7:c5:06:e0:2e:05:94:54:7a:13:71:a7:8a:24:18: e1:c3:51:16:e7:02:0d:07:71:e7:ae:d8:27:ed:7c:2b:ba:b7: 16:ac:95:50:f0:a4:30:1b:f4:4a:6b:ca:7a:f4:b4:f4:cb:d3: 29:87:a5:b6:03:59:94:c0:f3:7c:91:ee:e7:37:69:3f:b1:fe: 06:a6:62:12:91:30:c5:63:e0:f9:9f:af:a5:dd:de:15:b8:b6: e7:df:78:7a:97:e7:a6:cc:f1:57:e2:b9:00:59:b1:52:03:9c: de:b4:e5:4f:45:22:8a:69:26:5b:27:ca:45:98:d9:c3:5a:32: d5:f7:27:c2  And here's the output from openssl s_client -tls1_2 -connect a.contoso.com:443 -servername a.contoso.com | openssl x509 -text -noout on the "problem computer", running Ubuntu 14.04 from a USB key. Note the Validity attribute here that shows the a valid certificate which expires on Dec 5 14:21:24 2015 GMT: ubuntu@ubuntu:~$ openssl s_client -tls1_2 -connect a.contoso.com:443 -servername a.contoso.com | openssl x509 -text -noout
depth=2 C = US, O = GeoTrust Inc., CN = GeoTrust Global CA
verify error:num=19:self signed certificate in certificate chain
verify return:0
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 686155 (0xa784b)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=US, O=GeoTrust Inc., OU=Domain Validated SSL, CN=GeoTrust DV SSL CA
Validity
Not Before: Dec  1 23:03:54 2014 GMT
Not After : Dec  5 14:21:24 2015 GMT
Subject: serialNumber=AEv6bwWEDDnubjaF1huAIm7G/hgmDTWE, OU=GT24051799, OU=See www.geotrust.com/resources/cps (c)14, OU=Domain Control Validated - QuickSSL(R), CN=a.contoso.com
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:d3:48:ca:32:bb:e9:a3:f9:75:35:71:f2:c0:78:
2b:22:60:8d:36:91:20:46:d0:d4:09:d0:8d:fa:3e:
e2:bc:23:f6:c1:fc:03:2a:9a:79:da:12:e8:d2:1d:
b2:09:df:af:21:42:94:5c:88:68:43:51:57:40:26:
d1:b2:51:93:59:5e:ba:2f:41:de:c1:5c:04:e3:66:
a3:13:d5:87:de:71:83:cc:03:2a:06:c1:66:29:12:
c8:a5:32:91:74:0a:40:87:d4:e7:d8:32:c3:7e:aa:
57:75:c0:0e:19:75:27:9a:08:40:8c:1a:90:ab:e6:
3a:e7:8c:47:25:ec:d0:61:07:e2:da:a6:86:43:fa:
2b:40:0b:37:c2:63:7b:57:4e:fd:3a:54:ce:f9:c7:
b7:38:c1:2c:65:76:91:7e:84:85:90:c6:3e:65:5d:
e7:57:2f:2f:63:5a:ec:6b:77:6a:9e:9f:2b:f1:40:
c6:8f:14:77:ce:ee:3f:f1:e8:87:5f:a0:c0:18:39:
8b:63:df:a7:3a:68:39:c1:dc:9b:48:ec:65:75:07:
30:b2:6d:91:e8:42:41:cb:a7:33:64:01:21:e2:39:
ab:9d:64:7d:b2:24:2c:2c:69:b3:b1:36:ab:ed:93:
eb:3d:be:0f:2f:b3:13:47:78:ea:be:77:54:e2:be:
ba:71
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:8C:F4:D9:93:0A:47:BC:00:A0:4A:CE:4B:75:6E:A0:B6:B0:B2:7E:FC

X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Alternative Name:
DNS:a.contoso.com
X509v3 CRL Distribution Points:

Full Name:
URI:http://gtssldv-crl.geotrust.com/crls/gtssldv.crl

X509v3 Subject Key Identifier:
B5:10:8A:28:BE:B2:E8:EA:D2:0C:A9:0B:78:BF:1A:4C:FF:CB:70:BE
X509v3 Basic Constraints: critical
CA:FALSE
Authority Information Access:
OCSP - URI:http://gtssldv-ocsp.geotrust.com
CA Issuers - URI:http://gtssldv-aia.geotrust.com/gtssldv.crt

X509v3 Certificate Policies:
Policy: 2.16.840.1.113733.1.7.54
CPS: http://www.geotrust.com/resources/cps

Signature Algorithm: sha1WithRSAEncryption
8c:da:2b:78:4e:bf:6e:d8:48:4f:2c:e5:5a:06:18:d7:39:99:
fd:29:9d:c4:c3:e4:6b:54:82:df:96:c2:84:49:e1:f6:2c:62:
e0:61:b8:5d:7c:ce:db:38:ab:5f:1c:79:e5:c3:d4:f1:35:2e:
6c:8e:a2:60:f1:69:9f:41:54:0d:f4:1c:76:5e:46:33:60:a1:
bb:22:a9:ca:a2:14:a2:6c:e5:c6:80:dd:cb:e7:0e:f2:8a:5e:
b0:e7:cb:d4:72:3d:01:4f:58:42:9c:7c:81:1f:6e:22:10:0f:
de:1c:d4:54:cd:8e:5c:4b:35:5f:5a:af:b0:78:9f:60:56:1b:
10:64:2d:b7:39:55:be:e2:14:b8:27:5c:af:0e:63:03:27:6a:
bd:a7:14:27:5d:fc:a3:d1:27:3b:e9:23:11:10:63:7d:77:2b:
b2:db:2e:14:d5:e6:eb:80:6d:fc:bd:af:bb:14:9d:28:9c:91:
a4:16:b5:4b:70:4d:54:df:5b:0f:3e:83:40:02:cd:56:fd:7a:
4c:a9:06:2b:45:40:ce:8e:ec:6c:6c:1b:b1:a8:c5:56:fd:60:
dc:f1:bc:7d:27:63:eb:b7:99:d9:ec:8f:63:d7:a0:b6:7b:ea:
b0:1e:b2:4c:89:0c:11:c4:c2:dd:1f:e7:ef:db:44:23:c8:52:
37:40:6a:10


• Answer: The Win 7 operating on the "problem computer" had had its c:\windows\system 32\drivers\etc\hosts file edited. a.contoso.com was hard-coded to point to a particular IP address (say, AAA.BBB.CCC.90). The site at AAA.BBB.CCC.90 still worked but it gave expired certificates. After creating a new site with new certificates (that oddly look the exact same as the old site) at AAA.BBB.CCC.145, the site developers must have re-directed traffic bound for a.contoso.com to the new site at AAA.BBB.CCC.145, which was serving valid certificates. I realized this by using running a trace route (tracert) on one of the working computers which resolved a.contoso.com to AAA.BBB.CCC.145. Running tracert on the "problem computer" yielded AAA.BBB.CCC.90. Browsing directly to AAA.BBB.CCC.145 on the problem computer resulted in a good site with a valid certificate! After I removed the line in host file of the "problem computer" directing traffic directly to AAA.BBB.CCC.90, everything works just fine.