Start SSL/Kaspersky SSL Validation Issue

Using Windows 7 SP1 with IE10

Rev 01 1-15-2014


Scope: This document describes a fix for Kaspersky Internet Security 2014 and free certificates. Basically, Kaspersky is unable to validate the certificate using OCSP because either StartSSL does not support it or the server is unavailable (I haven’t even checked on that). The fix involves either Group Policy (in an AD domain) or the local security policy.

·         This should also work on Windows 8, Server 2003, Server 2008 & R2, Windows 2012 & R2, but I have not tested it at this time.

·         This should work on IR11 also, but has not been tested at this time.

·         Source/Reference:

·         Test Machine: Windows 7 Professional SP1 32 bit, IE 10.0.9200.16750 (10.0.12)


1.       Open gpedit.msc

a.       Expand the following: Computer Confiugration>Windows Settings>Security Settings>Public Key Policies

2.       Double click Certificate Path Validation Settings

3.       Enable “Define these policy settings” (by default, they are “undefined”

a.       Select both “Per user certificate stores” options

b.      Verfiy that “Third-Party Root CAs and Enterprise Root CAs (recommended)” is selected

4.       Select the “Trusted Publishers” tab

a.       Enable “Define the policy settings”

b.      Under “Trusted publisher management” select “Allow all administrators and users to manage user’s own Trusted Publishers” ( or the other options depending on your group policy directives).

5.       Click OK and you are finished!