problems with MSN certificate chain

David Woolley forums at
Fri Jan 18 08:09:48 EST 2013

Matthias Apitz wrote:
> Since today morning I can't connect to MSN anymore; it says that the
> certificates can't be validated;

This is the second report to the list.

I tried using a Windows Pidgin (probably a little dated).  This also 
produces a certificate warning, but I imagine most Windows users would 
just select the option to ignore the problem.

Looking at the certificate, I think the problem is that the certificate 
is for, but the server is 
An earlier certificate for a server in the domain 
( seems to be a wild card certificate (Subject: 

My guess is that someone in Microsoft forgot the "*." when creating the 

I guess a work round for this that treated all MSN certificates as wild 
card, wouldn't compromise security too much, but I suspect the amount of 
work involved is disproportionate, given that the MSN service is in lame 
duck mode.

Easier work rounds are likely to compromise security too much.

I'm not sure how Pidgin handles certificate chains on *nix, as there is 
no standard place for trusted certificates, but the certificate chain 
is:  Baltimore Cyber Trust Root > Microsoft Internet Authority > MSIT 
Machine Authority CA-2 >

I'm concerned about the security of the real Messenger application if it 
is not picking up on this error.

Note that I am in a weakly firewalled environment, so all possible 
options for accessing the servers are open.

David Woolley
Emails are not formal business letters, whatever businesses may want.
RFC1855 says there should be an address here, but, in a world of spam,
that is no longer good advice, as archive address hiding may not work.

More information about the Support mailing list