After you upgrade to Microsoft Internet Explorer 6.0 Service Pack 2 (SP2) in Microsoft Windows XP SP2, some SSL-secured (128-Bit) Web pages and Web sites may not work correctly. Frequently, this behaviour is caused by security changes in Windows XP SP2. To determine why the pages do not display correctly, use the following methods in the order that they are presented.

http://support.microsoft.com/default.aspx?kbid=870700&product=windowsxpsp2

Yes, if you do not install all the received certificates you will receive not trusted messages when you go to the secure area of your web site.

First check your backups and see if you can re-install the "pending request" or "private key". If you don't know how to re-install the key from your backups, then contact your systems administrator. Failing that, contact your server software vendor for technical support. The only alternative course of action available is a re-issuance of the certificate following the re-submitting of a replacement CSR.

There may not be a corresponding 'private key' or 'pending request' or the key that is found is not the one that matches the certificates.

Name based hosting is rarely used in production environments.
IP based hosting should be used due to the way that the SSL protocol works.

Is the SSL port opened, this is usually port 443?
Is the firewall set to allow the SSL port through?
Has the server been rebooted?
Make sure 'Use SSL 3.0' is ticked in the web browser options.

The error means that there are embedded objects or HTML tags on the page that are not being called absolutely secure. For example, a page that is loaded securely (HTTPS), and contains an image tag within the source code such as IMG SRC =http://www.yyy.com/image.gif. In this case the image is being called absolutely using the non-secure (HTTP) protocol.

The certificate is not bound to any specific IP address. It is bound to the fully qualified domain name such as www.austdomains.com.

This problem occurs if you assign the same IP address to each host in your config file. SSL does not support name based virtual hosting (host headers are encrypted in SSL), so only the first certificate listed in your config file will be sent.

The Root Certificates and/or Intermediate Certificates may not be installed correctly. This can be checked by clicking on 'View Certificates' when you get the error message and seeing if all three certificates are visible.

It may also be that the certificate being used is not for the Fully Qualified Domain Name, check again using 'View Certificates' to see if the domain name on the certificate matches the domain name in the URL that you are going to.

Check your Internet Option' and make sure that 'Use SSL 3.0' is ticked in the 'Advanced' section.

Microsoft IIS is configured to require a secure channel.
The following steps will allow non-secure (http) connections to your site:
Within Microsoft Internet Information Server, right click on your web site.
Under Secure Communications, click on Edit.
Un-check the box that says 'Require Secure Channel'

If the web server is set to check the Certificate Revocation List and the server is down, this can cause a time-out of the operation. This will not be the certificates, but something related to the browser timing out on the operation.

1. Start the certificates mmc for the web server and select 'All Tasks', 'Export' against the site certificate. Do not choose to export the CA certificates. Specify a password. Specify a filename (e.g. mypkcs12.pfx). Copy the resulting .pfx file to your Apache web server.
2. Then import the private key and cert file into Apache using the following commands:
   
   openssl pkcs12 -in mypkcs12.pfx -out pfxoutput.txt
   
   You'll need to enter the password at least once.
3. Load pfxoutput.txt into a text editor and save each certificate as a separate file. Also save the private key as a separate file (e.g. myencrypted.key).
4. The private key will probably be encrypted at the moment. i.e. looking something like.....
   
   -----BEGIN RSA PRIVATE KEY-----
   Proc-Type: 4,ENCRYPTED
   DEK-Info: DES-EDE3-CBC,.........
   .........
   -----END RSA PRIVATE KEY-----



5. If the version of Apache we're using doesn't allow encrypted private keys, to decrypt the private key run the following command:
   
   openssl rsa -in myencrypted.key-out my.key

To use ASP to force SSL for specific pages follow the directions at the following url: http://support.microsoft.com/default.aspx?scid=kb;EN-US;q239875

Please refer to the following URL on Microsoft's Knowledgebase: http://support.microsoft.com/default.aspx?scid=kb;en-us;232136

Please refer to the following URL on Microsoft's Knowledgebase: http://support.microsoft.com/default.aspx?scid=kb;EN-US;232137

Please refer to the following URL on Microsoft's Knowledgebase: http://support.microsoft.com/default.aspx?scid=kb;en-us;232136

Create a new web site in IIS, then go to the 'Properties', 'Directory Security', 'Server Certificate' tab. Use the certificate wizard to create your new Key/CSR file.

Backup the private key file by following the instructions:

1. Start, run, type mmc, select OK
2. Go into the Console Tab, Add/Remove Snap in
3. Click on Add, Double Click on Certificates and Click on Add, click OK
4. Choose Computer Account, then Local Computer
5. Open up the Certificates Consol Tree
6. Look for a folder called REQUEST, Certificates
7. Highlight the key that you wish to back up
8. Right click on the file and choose, All Tasks, Export
9. Follow the Certificate Export Wizard
10. Choose to mark the Private key as exportable
11. Leave default settings
12. Choose to save file on a set location.
    
    It is important to take a copy of the private key and store it off the server; in the event that the server crashes.
13. Click Finish. You will get message that the export was successful.
14. Save the resultant CSR file to your hard drive indicating it is a renewal CSR. Use this CSR during the purchase process.
15. Once you receive the renewed certificate, install it using the wizard you used to create it on the same NEW website you created.
16. Once installed, go to the correct website you want the certificate to run on.
17. Go to 'Properties', 'Directory Security', 'Server Certificate', remove the certificate currently installed, and assign the certificate you installed in the previous step.
18. Restart the WWW service.

To avoid this error, create a new certificate and verify that there are no special characters in any of the fields in the distinguished name. In particular, do not include a comma in the company name.
The following characters are not allowed in any of the CSR fields:
[! @ # $ % ^ * ( ) ~ ? > < & / \ , . " ']

You are attempting to install a certificate that does not match the private key (Pending request) that is currently residing in the Certificate Wizard. Microsoft IIS 5 only allows you to make one request per site. If you create a new CSR for the same website, your original request (and private key) will be overwritten.
If you have a backup of the private key, you can install the certificate via the MMC if you can restore the request to the REQUEST folder.
Unless you can find the matching private key for the certificate, you will need to have the certificates reissued.

Microsoft has released a fix for this error. Please refer to the relevant knowledge base article Q285821, which can be found at the following url: http://support.microsoft.com/default.aspx?scid=kb;EN-US;q285821

Start the certificates mmc for the web server and select 'All Tasks', 'Export' against the site certificate. Choose to export the CA certificates. Specify a password. Specify a filename (e.g. mypkcs12.pfx). Save the .pfx file in a safe place off the server.

This is a known Microsoft problem: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q295162

1. The intermediate Comodo certificate has not been installed, you must use the one that came with the site certificate.

2. The wrong intermediate Comodo certificate has been installed, you must the one that came with the site certificate.