SIGNIFLOW

Discover our signature platform: sign and request signature for your PDFs in a fex clicks!

JOIN OUR AFFILIATE NETWORK

Join our affiliate network
and become a local SSL expert
Learn more about our program

PRODUCTS TO DISCOVER

SSL certificates Invoice signature eIDAS certificates Signature software

Menu
picture of tbs certificates
picture of tbs certificates
Certificates
ALL CERTIFICATES
SSL Extended Validation SSL Standard RGS certificates eIDAS certificates SSL ECC SSL wildcard SSL Multiple sites / SAN Quick and Dirty SSL
Specific certificates VMC certificates
E-signature Strong authentication S/MIME certificates
Test certificates PKI Solutions Trust Seals
SigniFlow: the platform to sign and request signature for your documents
Signature software
Our products range
TBS X509 DigiCert Thawte Sectigo GlobalSign GeoTrust Certigna ChamberSign SigniFlow Harica
Partners
Client login Customer accounts Open an account
Support
FAQ SHA256: Browsers' compatibility ECC: Browsers' compatibility
Focus
Invoices dematerialization
We now provide solutions compliant with RGS** and eIDAS qualified standards for invoices signature and time stamping. Further information


Disable VeriSign Class 3 Public Primary Certification Authority - G5 (2036) root

The recommendations listed on this page are not up to date. This root is a SHA1 compatibility root used by Symantec. Disabling it to use a cross-signed equivalent would cause certificate chain issues.

Some Microsoft products (such as IIS servers) have a root certification authority called "VeriSign Class 3 Public Primary Certification Authority - G5" expiring in 2036 that interferes with VeriSign server or code signing certificates.

It makes the CO-piBot test fail (test a server certificate online) even if the certification chain has been correctly installed. The problem being that instead of using the intermediate certificate "VeriSign Class 3 Public Primary Certification Authority - G5 (2021)", the server presents the root certificate "VeriSign Class 3 Public Primary Certification Authority - G5 (2036)".
To solve the issue the problematic root certificate must be disabled and the automatic update of the certification authorities deactivated (see Deactivate the certification authorities update on Windows 2003 and 2008 ).

Disable VeriSign Class 3 Public Primary Certification Authority - G5 (2036)

1- Launch the MMC

  • Click   Start then select   Run and type mmc
  • Click on   File and select   Add/Remove Snap in
  • Choose   Add, select   Certificates in the   Standalone Snap-in list and click   Add
  • Select   Computer Account and click   Next
  • Choose   Local Computer and click   Finish
  • Close the window and click OK on the previous window

2- Locate the certificate to disable

  • Deploy the hierarchy to go to Trusted Root Certification Authorities then Certificates
  • Find the certificate among the list 
    	Common Name - VeriSign Class 3 Public Primary Certification Authority - G5
	Expiry Date -  16 July 2036
        Serial Number - 18 da d1 9e 26 7d e8 bb 4a 21 58 cd cc 6b 3b 4a
  • To disable the certificate, right-click on it then select properties
  • In the Certificate purposesarea, tickDisable all purposes for this certificate
  • Click OK. You can now close the MMC.

3- Reboot the server

Under IIS6, stop and start the website can be enough, but generally the machine needs to be restart. Firstly stop and start the website then test your certificate with CO-piBot (Test a server certificate online ), if it does not work, reboot the machine.

If it still does not work, go back to the second step and disable VeriSign G5 2036 root and reboot the machine.