Digital Certificate and Problems with Windows XP/2000

Suresh Chandra

Jul 8, 2006, 6:37:01 AM
Dear All,

I have a digital certificate which when opened (double-clicking) with
Windows 2000 Professional or Windows XP shows the following error message

"The integrity of this certificate cannot be guaranteed. The certificate may
be corrupted or may have been altered"

The same certificate opens up without any such error on Windows 98/Windows
NT machines.

Is this any Patch problem?

If yes, please let me know which patch has to be applied.

Mitch Gallant

Jul 8, 2006, 6:58:29 AM
Is this a self-signed certificate or a cert with an older issuing CA?
Can you post the certificate in question?
- Mitch

"Suresh Chandra" <Suresh...@discussions.microsoft.com> wrote in message
news:F29A1964-4B9E-4A2F...@microsoft.com...

Suresh Chandra

Jul 8, 2006, 10:34:01 AM
No, neither is it a self-signed cert nor is the CA older!

Will it be useful if I post the ASN.1 dump of the certificate? How do I
upload the certificate?

Mitch Gallant

Jul 8, 2006, 11:04:41 AM
Export the certificate (in IE Certs export dialog) as b64 and paste it into
a posting to this thread. Then we can have a look.


"Suresh Chandra" <Suresh...@discussions.microsoft.com> wrote in message

news:1AA2E4E0-8EF1-4116...@microsoft.com...

Suresh Chandra

Jul 9, 2006, 7:45:01 AM
Oh, Sorry, Base64 option didn't strike my mind at all !

Here is the certificate in question in base64 format. Thank you in advance


Mitch Gallant

Jul 9, 2006, 8:30:08 AM
Fails verification on XP Pro spe because the certificate was issued (signed)
by a CA:
"HDFC Bank Certification Authority"
unknown to the standard XP Trusted Root CA list, at least in my version of
XP Pro sp. Because the issuer's certificate isn't available, that issuer's
signature (on the BIPLAB cert) can't be verified (because the HDFC public
key is not available).

Check the 2 working systems. They certainly have the HDFC CA cert installed.

- Mitch


"Suresh Chandra" <Suresh...@discussions.microsoft.com> wrote in message

news:022D63AE-FFCB-42EC...@microsoft.com...


> Oh, Sorry, Base64 option didn't strike my mind at all !
>

-- snip


Suresh Chandra

Jul 10, 2006, 12:03:02 AM
No. I am not talking about the default message that you get when the CA
Certificate is not installed in the Trusted Store.

After installing the CA Certificate into the Trusted Store, when I
double-click on the user certificate I get the error

"The integrity of this certificate cannot be guaranteed. The Certificate may
be corrupted or may have been altered".

This error is shown on the "General" tab, while the error "This certificate
has an nonvalid digital signature" is shown when you go to the "Certification
Path" tab.

The CA Certificate in PEM format for your ref


The same thing when tried out in a Windows 98/NT machine works fine.

Mitch Gallant

Jul 10, 2006, 7:25:14 AM
Looks like the signature on the BIPLAB certificate is not valid or is
corrupted for some reason:
"This certificate has an nonvalid digital signature."
The signature (self-signed) on the CA cert is valid however.
How was the BIPLAB certificate generated?

- Mitch

"Suresh Chandra" <Suresh...@discussions.microsoft.com> wrote in message

news:8411373F-45D6-4729...@microsoft.com...

Mitch Gallant

Jul 10, 2006, 8:15:34 AM
hmmmmm the actual CA signature in the BIPLAB signature might be incorrect.
The ASN.1 for it starts:
03 82 01 00 00
which indicates 256 bytes (01 00 hex) .. but the first byte of the RSA
signature is a null which doesn't seem correct. Usually the ASN.1 spec for
the signature is 257 with a leading null byte in signature data and then
next byte is NOT null.
(however the signature on the CA cert is verified correct, with 257 bytes of
data:
03 82 01 01 00 30 ....)

- Mitch

"Mitch Gallant" <jens...@community.nospam> wrote in message
news:%23qIgIOB...@TK2MSFTNGP05.phx.gbl...

Suresh Chandra

Jul 10, 2006, 11:05:01 AM
You are right, the signature cannot have the MSB as 0x00. Thank you very much
for the help and the time you spent.

Mitch Gallant

Jul 10, 2006, 4:47:52 PM
Yes, to "fix/patch" the certificate you only need to:
(1) change 3rd and 4th bytes of der cert:
    FROM 03 4B TO 03 4C (since you are adding one byte below in step 2)

(2) starting at byte 024B:
    change FROM 03 82 01 00 TO 03 82 01 01 00

(so you are adding a null byte and changing the byte length of signature
from 01 00 to 01 01)

The resultant certificate verifies against your root.

- Mitch


"Suresh Chandra" <Suresh...@discussions.microsoft.com> wrote in message

news:C32E4970-0F2A-4479...@microsoft.com...

Mitch Gallant

Jul 10, 2006, 4:50:36 PM
and note that the actual 128 byte pkcs1 signature in this case DOES start
with a null, which has about 1:128 probability of occurring. The asn.1 der
encoding was the actual problem (needed the beginning null byte).

"Mitch Gallant" <jens...@community.nospam> wrote in message

news:%23%23ARoIGp...@TK2MSFTNGP03.phx.gbl...

Mitch Gallant

Jul 10, 2006, 5:17:14 PM
whoops ... since you have a 2048 bit cert, that should be 256 byte pkcs1
signature.

"Mitch Gallant" <jens...@community.nospam> wrote in message

news:ehn8JKGp...@TK2MSFTNGP05.phx.gbl...
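
The encoding fault and the two-step byte patch described in the posts above, as an added Python example that is not part of the original thread: it finds the signatureValue BIT STRING in a DER certificate, detects the missing unused-bits octet, and re-encodes both affected lengths. The function names and the sample bytes are constructed for illustration, and the signature itself is not cryptographically verified here.

```python
# Added example; the sample bytes are constructed, not the certificate from the thread.
def read_tlv(buf, off):
    """Return (tag, content_start, content_len) of the DER TLV at offset off."""
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:                       # short-form length
        return tag, off + 2, first
    n = first & 0x7F                       # long form: n length octets follow
    return tag, off + 2 + n, int.from_bytes(buf[off + 2:off + 2 + n], "big")

def tlv(tag, content):
    """Encode one DER TLV, choosing short or long length form."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + content

def signature_field(cert):
    """Offsets of signatureValue, the third element of the Certificate SEQUENCE."""
    tag, off, length = read_tlv(cert, 0)
    if tag != 0x30 or off + length != len(cert):
        raise ValueError("outer SEQUENCE length does not match the data")
    for _ in range(2):                     # skip tbsCertificate, signatureAlgorithm
        _, s, l = read_tlv(cert, off)
        off = s + l
    tag, s, l = read_tlv(cert, off)
    if tag != 0x03:
        raise ValueError("signatureValue is not a BIT STRING")
    return off, s, l

def diagnose(cert, sig_len):
    """sig_len: issuer modulus size in bytes (256 for a 2048-bit RSA key)."""
    _, s, l = signature_field(cert)
    if l == sig_len + 1 and cert[s] == 0:
        return "ok"
    if l == sig_len:                       # the unused-bits octet was never written
        return "missing unused-bits octet"
    return "unexpected length"

def repair(cert):
    """Prepend the 0x00 unused-bits octet and re-encode both affected lengths."""
    off, s, l = signature_field(cert)
    _, body, _ = read_tlv(cert, 0)
    return tlv(0x30, cert[body:off] + tlv(0x03, b"\x00" + cert[s:s + l]))

SIG = b"\x00" + bytes(range(1, 256))       # constructed 256-byte value starting with 0x00
TBS = tlv(0x30, b"\x02\x01\x01")           # placeholder tbsCertificate
ALG = tlv(0x30, bytes.fromhex("06092a864886f70d0101050500"))  # sha1WithRSAEncryption
BROKEN = tlv(0x30, TBS + ALG + tlv(0x03, SIG))
```

Because the constructed signature begins with 0x00, a parser reads that byte as the unused-bits count and sees a signature one byte short, which is why the broken form parses cleanly yet fails verification.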

Suresh Chandra

Jul 12, 2006, 1:39:01 AM
Mitch, Thank you very much.