IE and Edge Troubleshooting: HTTPS Lock Icon / certificate missing?

Issue

Where is the lock icon for my HTTPS site in IE and Edge? Is the certificate missing?

Cause

If you are using a SHA-1 certificate, you will see this on your Windows 10 machines after the Anniversary Update.

Explanation

Starting with the Windows 10 Anniversary Update, Microsoft Edge and Internet Explorer will no longer consider websites protected with a SHA-1 certificate as secure and will remove the address bar lock icon for these sites. These sites will continue to work, but will not be considered secure. This change will be in upcoming Windows Insider Preview builds soon, and will be deployed broadly this summer. In February 2017, both Microsoft Edge and Internet Explorer will block SHA-1 signed TLS certificates.

This update will be delivered to Microsoft Edge on Windows 10 and Internet Explorer 11 on Windows 7, Windows 8.1 and Windows 10, and will only impact certificates that chain to a CA in the Microsoft Trusted Root Certificate program. Both Microsoft Edge and Internet Explorer 11 will provide additional details in the F12 Developer Tools console to assist site administrators and developers.

Read more

https://blogs.windows.com/msedgedev/2016/04/29/sha1-deprecation-roadmap/#OBO7tFBvmCOBgHV0.99

Example

Here is an example from one customer whose site came up with a SHA-1 certificate.

We then enabled logging to show them how to see the offending certificate via the log.

First, create a logging directory and grant universal access:

set LogDir=C:\Log
mkdir %LogDir%
rem ALL APPLICATION PACKAGES (Edge runs in an app container)
icacls %LogDir% /grant *S-1-15-2-1:(OI)(CI)(F)
rem Everyone
icacls %LogDir% /grant *S-1-1-0:(OI)(CI)(F)
rem Restricted Code
icacls %LogDir% /grant *S-1-5-12:(OI)(CI)(F)
rem Low integrity, so Protected Mode IE can write to it
icacls %LogDir% /setintegritylevel L

Enable weak-signature certificate logging:

Certutil -setreg chain\WeakSignatureLogDir %LogDir%
Certutil -setreg chain\WeakSha1ThirdPartyFlags 0x80900008

Use the following command to remove the settings after you have completed your testing.

Certutil -delreg chain\WeakSha1ThirdPartyFlags
Certutil -delreg chain\WeakSignatureLogDir
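Once logging has run for a while, the directory fills with copies of the certificates that tripped the weak-signature check. The PowerShell script below is an added example, not part of the original post or any Microsoft tool: it loads each logged certificate, builds its chain the way CryptoAPI does, and flags every leaf or intermediate whose signature algorithm is SHA-1 (root self-signatures are exempt from the policy and are not flagged). It assumes the log directory is C:\Log as above and that the logged files carry a .cer extension.

```powershell
# Added example: report SHA-1 signed chain elements for certificates written
# to the WeakSignatureLogDir configured in the post. Assumes C:\Log and .cer files.
param([string]$LogDir = 'C:\Log')

function Get-WeakSignatureReport {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -Filter '*.cer' -File | ForEach-Object {
        $file = $_
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($file.FullName)

        # Build the chain so intermediates are inspected too, not just the leaf.
        # Revocation is skipped: we only care about signature algorithms here.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $null = $chain.Build($cert)

        foreach ($element in $chain.ChainElements) {
            $c = $element.Certificate
            $isRoot = ($c.Subject -eq $c.Issuer)
            $sigAlg = $c.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA, sha256RSA

            [pscustomobject]@{
                File     = $file.Name
                Subject  = $c.Subject
                SigAlg   = $sigAlg
                NotAfter = $c.NotAfter
                # Root self-signatures do not count against the site; only
                # leaf and intermediate signatures trigger the lock-icon removal.
                Flagged  = (-not $isRoot) -and ($sigAlg -like 'sha1*')
            }
        }
        $chain.Dispose()
    }
}

Get-WeakSignatureReport -Path $LogDir | Sort-Object File, Flagged -Descending | Format-Table -AutoSize
```

Any row with Flagged = True is a certificate the site operator needs to reissue with SHA-256 before the February 2017 block takes effect.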

Resolution

Upgrade your certificate to one issued with the SHA-256 signature algorithm. The customer will be doing this shortly.