Disable VeriSign Class 3 Public Primary Certification Authority - G5 (2036) root

Some Microsoft products (such as IIS servers) have a root certification authority called "VeriSign Class 3 Public Primary Certification Authority - G5", expiring in 2036, that interferes with VeriSign server or developer certificates.

It makes the CO-piBot test (Test a server certificate online) fail even when the certification chain has been installed correctly. The problem is that, instead of using the intermediate certificate "VeriSign Class 3 Public Primary Certification Authority - G5 (2021)", the server presents the root certificate "VeriSign Class 3 Public Primary Certification Authority - G5 (2036)".
To solve the issue, the problematic root certificate must be disabled and the automatic update of the certification authorities deactivated (see Deactivate the certification authorities update on Windows 2003 and 2008).

Disable VeriSign Class 3 Public Primary Certification Authority - G5 (2036)

1- Launch the MMC

  • Click Start, then select Run and type mmc
  • Click on File and select Add/Remove Snap-in
  • Choose Add, select Certificates in the Standalone Snap-in list and click Add
  • Select Computer Account and click Next
  • Choose Local Computer and click Finish
  • Close the window and click OK on the previous window

2- Locate the certificate to disable

  • Expand the tree to Trusted Root Certification Authorities, then Certificates
  • Find the certificate in the list:
        Common Name - VeriSign Class 3 Public Primary Certification Authority - G5
        Expiry Date - 16 July 2036
        Serial Number - 18 da d1 9e 26 7d e8 bb 4a 21 58 cd cc 6b 3b 4a

  • To disable the certificate, right-click on it, then select Properties
  • In the Certificate purposes area, tick Disable all purposes for this certificate
  • Click OK. You can now close the MMC.

3- Reboot the server

Under IIS6, stopping and starting the website can be enough, but generally the machine needs to be restarted. First stop and start the website, then test your certificate with CO-piBot (test a server certificate online); if it does not work, reboot the machine.

If it still does not work, go back to the second step, disable the VeriSign G5 2036 root and reboot the machine.
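
A read-only PowerShell check that can be run on the server before step 2 and again after step 3 (an added example, not part of the original page or of TBS tooling). It finds the root by the serial number given above and lists the chain the machine builds for a server certificate. The function names and the thumbprint parameter are assumptions; the certificate name and serial number come from the page.

```powershell
# Values copied from the page; the serial is written without spaces, as .NET reports it.
$RootSerial = '18DAD19E267DE8BB4A2158CDCC6B3B4A'
$RootName   = 'VeriSign Class 3 Public Primary Certification Authority - G5'

function Find-G5Root {
    # The 2021 intermediate carries the same name, so the match is made on the serial number.
    Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.SerialNumber -eq $RootSerial -and $_.Subject -like "*CN=$RootName*" }
}

function Get-BuiltChain {
    # $Thumbprint: thumbprint of your own server certificate in LocalMachine\My (assumption).
    param([Parameter(Mandatory = $true)][string]$Thumbprint)

    # Thumbprints pasted from the MMC often contain spaces or hidden characters.
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    $cert  = Get-ChildItem Cert:\LocalMachine\My |
                 Where-Object { $_.Thumbprint -eq $clean } | Select-Object -First 1
    if (-not $cert) { throw "No certificate with thumbprint $clean in LocalMachine\My" }

    # Machine context ($true), no revocation lookups: the result depends on local stores only.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    [void]$chain.Build($cert)

    $position = 0
    foreach ($element in $chain.ChainElements) {
        $c = $element.Certificate
        New-Object PSObject -Property @{
            Position   = $position
            Subject    = $c.GetNameInfo('SimpleName', $false)
            NotAfter   = $c.NotAfter
            SelfSigned = ($c.Subject -eq $c.Issuer)
            Is2036Root = ($c.SerialNumber -eq $RootSerial)
        } | Select-Object Position, Subject, NotAfter, SelfSigned, Is2036Root
        $position++
    }
}

# Confirm the entry matches the page (name, serial, expiry 16 July 2036) before disabling it.
Find-G5Root | Format-List Subject, SerialNumber, NotAfter, Thumbprint

# Then list the chain for your certificate (placeholder thumbprint, replace with your own):
# Get-BuiltChain -Thumbprint '<thumbprint of your server certificate>' | Format-Table -AutoSize
```

A row with Is2036Root set to True shows that the locally built chain goes through the 2036 root; the CO-piBot test remains the reference for what the server actually presents to clients.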
Last edited on 04/11/2012 07:30:59