Certificate Error on Windows XP

The new security updates for Windows XP also causes certificate error (the default browser is IE) when the computer tries to connect to https websites. The cause of this is a patch from Microsoft, which makes it more difficult by encrypting and digitally signing the downloaded certificates. This means that the certificates are encrypted with MD5 and SHA-1. These certificates can be trusted through what is called chain of trust. From trusted root certificate authority via intermediate CAs to website server certificate, each step in the chain must be verified by several checks before the connection can be allowed. So if any verification fails along this path, then there’s a good chance that you’re connecting with an imposter or someone trying to spy on you while accessing your information.

This was the original plan of Microsoft, but this is causing several problems to Windows XP users who are unable to access secure websites, and cannot download a new browser not updated with this new security patch. As of writing this article, Internet Explorer 8 / 9 users can still be able to login to Facebook and other SSL protected sites while Chrome & FireFox user may receive a certificate error instead. So if you’re on Windows XP and have been experiencing certificate errors when browsing web using IE, then read on for possible solutions that I’ve found: 1) Run regedit Using the run command in start menu search box, type “regedit” (without quotes) and press Enter. This will open Registry Editor program.

If you’re using 64bit Windows XP 64-bit edition, then the program will be “regedit.exe” instead. The registry editor is a powerful tool that allows you to access and modify settings in Windows Registry, which is central storage for all of the configuration information and options for programs, hardware installed on your computer, installed services, user preferences etc…

2) Navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID

If this key does not exist, create it manually by Right clicking on Cryptography key > New > Key.

From right pane double click on OID sub-key and set its value data to 2147483648 (Decimal) – you can use the Decimal value edit box at the top of right pane. This makes all SSL certificates trusted on your system and removes certificate error from IE. 3) Restart Windows and check if it works

If you’re wondering why this is happening, then I’ll explain a bit more in details. By default Certificate Trust List (CTL) is stored into “systemroot\System32\CertSrv” folder in two files named ctldlg.rpl and scertlg.rpl respectively for 32bit & 64bit Windows XP editions respectively. The security patch caused some changes to CTL which made it so confusing that old browsers like MSIE 6/7 no longer trust new certificate authorities while new browsers like IE 8/9 (SSL) are still using CTL to verify SSL certificates. The patch also affects new software developed for use with Windows XP, like Google Chrome & Mozilla Firefox browsers that were not updated by their developers yet to support this new security patch from Microsoft.

The solution is simple – we make the registry modification mentioned above and change its value data to 2147483648 which is the highest value possible in unsigned long integer field. Since certificate authorities trusted before remain trusted now, all you need do is just stay on top of updates regarding these newer browser versions released by their developers. You can also contact your system administrator or internet service provider (ISP) for instructions on how to update the security patch.

So that’s it for now… Hope you find this article useful on fixing certificate error in Windows XP. If you have more questions on other topics like Certificate Error Firefox, SSL Certificate Authority, Microsoft Root Certificate etc… then post them in our forums and we’ll try to answer them as soon as possible. To keep up with latest updates follow us at Facebook .