RE: CA-SSL in IIS

From: Benjamin Meade (ben_at_lanwest.com.au)
Date: 07/16/03

    To: <focus-ms@securityfocus.com>
    Date: Wed, 16 Jul 2003 09:25:08 +0800
    
    

    OK, I got the certificate installed, but for some reason, most browsers
    will not install the certificate. Opera won't even try, and IE says it
    installs, and yet asks if you want to trust this server the next time I
    go there. Mozilla works fine. I have a feeling that it is because
    the CA's root certificate is not available from the web. Am I on the
    right track? If so, how do I fix it? Can I simply register the CA on the
    webserver, so when the client goes to install the certificate, it grabs
    the CA's as well, or do I have to get them to download it separately?

    Thanks,

    Benjamin Meade
    System Administrator
    LanWest Pty Ltd

    -----Original Message-----
    From: CORREIA, PATRICK [mailto:pcorreia@cha-llp.com]
    Sent: Wednesday, 16 July 2003 12:10 AM
    To: 'Ed Sunder'; focus-ms@securityfocus.com
    Subject: RE: CA-SSL in IIS

    There is a concept involved here of a "chain of trust". When Verisign
    signs your SSL certificate, they are giving their promise that they
    trust that you are who you say you are. When Joe User comes to your
    site, he has to decide if he trusts Verisign to make that decision. The
    chain can actually be much longer through the use of intermediate
    certification authorities. A user can "install" a certificate as a
    trusted root, meaning they trust the holder of that certificate to sign
    other certificates. This is the benefit of paying a third-party CA --
    their root certificate is already trusted by a default install of most
    browsers, including Internet Explorer.

    In terms of the public web, if you sign certificates with your own CA,
    the certification chain will end with the certificate of your CA, which
    will not be trusted by most clients. So when they visit your web site,
    they will see an error message that the site is trying to establish an
    SSL connection but the identity of the server could not be positively
    established. This will probably scare people, even though the
    encryption will still work to the fullest extent. In a controlled
    environment, you could install the certificate of the CA as trusted on
    all the client machines and you would have no problems at all.

    --
    Patrick Correia, Web Designer
    Clough, Harbour & Associates LLP
    III Winners Circle 
    P.O. Box 5269 
    Albany, New York 12205-0269
    http://www.cha-llp.com

    -----Original Message-----
    From: Ed Sunder [mailto:edsunder@threehd.com]
    Sent: Tuesday, July 15, 2003 10:50 AM
    To: focus-ms@securityfocus.com
    Subject: RE: CA-SSL in IIS

    What drawbacks are there in becoming your own certificate service?
    Versus one of the major SSL services? Other than that the source of the
    certificate (if the user looked it up) would not be a commercially known
    provider and you couldn't participate in any of the major provider's
    ever so valuable certificate programs.

    Ed Sunder
    Three HD
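
The chain of trust discussed in this thread, as an added example that is not part of the original messages: a private CA signs a web server certificate, and the certificate is then verified the way a client without the CA installed and a client with it installed would. It assumes the `openssl` command-line tool is available; the names `Example Private CA` and `www.example.test` are constructed.

```shell
#!/bin/sh
# Added example; every name below (Example Private CA, www.example.test) is constructed.

make_chain() {  # $1 = directory that receives the keys and certificates
  d="$1"
  # Minimal config so the root carries CA:TRUE regardless of the system openssl.cnf.
  cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Private CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  # 1. Self-signed root certificate of the private CA.
  openssl req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  # 2. Web server key and certificate request.
  openssl req -new -config "$d/ca.cnf" -subj "/CN=www.example.test" \
    -newkey rsa:2048 -nodes -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  # 3. The private CA signs the request; the chain is server.crt -> ca.crt.
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -out "$d/server.crt" 2>/dev/null
}

chain_verdict() {  # $1 = certificate to check, $2 = optional CA certificate to trust
  if [ -n "${2:-}" ]; then
    out=$(openssl verify -CAfile "$2" "$1" 2>&1) || true
  else
    out=$(openssl verify "$1" 2>&1) || true   # default trust store only
  fi
  case "$out" in *": OK"*) echo trusted ;; *) echo untrusted ;; esac
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
make_chain "$workdir"
echo "client without the CA installed: $(chain_verdict "$workdir/server.crt")"
echo "client with the CA installed:    $(chain_verdict "$workdir/server.crt" "$workdir/ca.crt")"
```

The server certificate and its key are identical in both checks; only the verifier's set of trusted roots changes the verdict.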