Enabling SHA2 Certificate Support on Windows Server 2003

12

A little background information first. I have an SSIS package that runs inside a Windows Server 2003 SP2 32 bit environment. The package recently started failing with the following error during a script task which downloads a webpage using an SSL connection:

"The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."

Some digging revealed a couple of things: I also could not access the website in question using IE8 from the server (I can with Firefox), and the website had just been issued a new SHA256 certificate.

After doing some research, my current assumption is that the problem is that I don't have support for SHA2 certificates on this server. I grabbed the certificate from the site and ran CertUtil -verify [cert file] which gives the following result:

 The signature of the certificate can not be verified. 0x80096004 (-2146869244)

I found a couple of hotfixes from Microsoft, and from what I understand, either of them should enable support for SHA2 certificates:

So I requested the hotfix for kb968730 and attempted to install it, but got the following error:

The installation cannot continue because the following packages might not be valid:
    KB2616676_V2 c:\windows\system32\dllcache\crypt32.dll 5.131.3790.4905
    KB2616676_V2 c:\windows\system32\crypt32.dll          5.131.3790.4905
Reinstall the packages listed above, and then reinstall KB968730

The version of the crypt32 library that is included with the hotfix is 5.131.3790.4477 which explains why the installer won't proceed.

At this point I'm not quite sure what I need to do. The kb968730 article indicates that crypt32.dll is the only file that is updated by the hotfix which makes me think, since I have a newer version already, shouldn't I already have this functionality? But, it would seem as though I don't, unless I am mistaken about the root cause of the issue.

windows-server-2003
ssl-certificate
hash
asked on Server Fault Jun 20, 2014 by grin0048 • edited Oct 3, 2014 by grin0048

3 Answers

6

The Crypt32.dll 5.131.3790.5235 version fixes the issue (after a reboot). It is available at http://support2.microsoft.com/kb/2868626

The previously installed version was 5.131.3790.5014 version and it did not fix the issue. According to this post (https://mendel129.wordpress.com/tag/crypt32-dll/), there are two variants of the 5014 version: one from Windows Update (KB2661254, does not work) and another as a QFE (KB968730).

answered on Server Fault Sep 29, 2014 by An Phu • edited Jul 29, 2015 by An Phu

3

This problem is solved by installing KB3072630, which is installed automatically if you have Windows Update enabled. The version number of Crypt32.dll is 5.131.3790.5668 after the update.

KB938397 and KB968730 are deprecated and replaced by the update above.

answered on Server Fault Jan 19, 2016 by Vinix
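As an added diagnostic example (not part of the question or any of the answers), the following PowerShell script reports the installed crypt32.dll build against the version numbers An Phu's and Vinix's answers quote, and runs certutil -verify to look for the 0x80096004 error from the question. It assumes PowerShell 2.0 is installed on the Server 2003 SP2 host, that certutil.exe is on the PATH, and that the certificate path is a placeholder you replace.

```powershell
# Added example, not from the question or answers. Assumes PowerShell 2.0 on
# Windows Server 2003 SP2 and certutil.exe on the PATH; $CertFile is a placeholder.
param(
    [string]$CertFile = 'C:\temp\site.cer'   # placeholder: certificate exported from the site
)

# crypt32.dll builds mentioned on this page and what the answers report about them.
$AmbiguousBuild = [System.Version]'5.131.3790.5014'  # QFE (KB968730) works, Windows Update (KB2661254) does not
$FixedBuild     = [System.Version]'5.131.3790.5235'  # KB2868626 works; KB3072630 (5668) also works

function Get-Crypt32Version {
    $info = (Get-Item (Join-Path $env:SystemRoot 'system32\crypt32.dll')).VersionInfo
    # Build the version from the numeric parts; the FileVersion string may carry extra text.
    New-Object System.Version -ArgumentList $info.FileMajorPart, $info.FileMinorPart,
                                            $info.FileBuildPart, $info.FilePrivatePart
}

function Test-Crypt32Sha2Support([System.Version]$v) {
    if ($v -ge $FixedBuild) {
        return 'OK: crypt32.dll is at or above a build the answers report as working (reboot after install)'
    }
    if ($v -eq $AmbiguousBuild) {
        return 'AMBIGUOUS: 5014 exists as a QFE build (works) and a Windows Update build (does not); check which KB installed it'
    }
    return 'MISSING: install KB3072630 via Windows Update (or KB2868626), then reboot'
}

function Test-CertSignature([string]$path) {
    if (-not (Test-Path $path)) { return "SKIP: $path not found" }
    # certutil prints the 0x80096004 status when it cannot verify the signature.
    $out = & certutil -verify $path 2>&1 | Out-String
    if ($out -match '0x80096004') {
        return 'FAIL: 0x80096004, signature cannot be verified (SHA2 support, or missing root/intermediate in the chain)'
    }
    return 'PASS: certutil verified the certificate signature'
}

$ver = Get-Crypt32Version
Write-Host "crypt32.dll version: $ver"
Write-Host (Test-Crypt32Sha2Support $ver)
Write-Host (Test-CertSignature $CertFile)
```

A 5014 build cannot be classified by version number alone, so the script flags it instead of guessing which of the two updates produced it.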

0

I received this error as well. I would go ahead and install the certificate onto the designated server and get this error. My solution was that I had to go ahead and install the root/intermediate cert on each server that called to that specific certificate. This was probably because I had just updated my internal CA.

So if there are X amount of servers that call to that certificate, install it on those servers. That took care of my problem.

answered on Server Fault Sep 28, 2016 by Senciso

User contributions licensed under CC BY-SA 3.0