RE: CA-SSL in IIS

From: Lee Evans (lee_at_vital.co.uk)
Date: 07/16/03

    To: <ben@lanwest.com.au>, <focus-ms@securityfocus.com>
    Date: Wed, 16 Jul 2003 16:38:53 +0100
    
    

    You need to install the root CA certificate (generate this from the CA
    service) into the trusted root-authority certificate store. It sounds to me
    like you've installed the wrong certificate - without trusting the root CA,
    your browser will pop up a message each time you try to view pages over the
    SSL connection.

    Regards
    Lee

    -- 
    Lee Evans
    Vital Online Ltd
    > -----Original Message-----
    > From: Benjamin Meade [mailto:ben@lanwest.com.au] 
    > Sent: 16 July 2003 02:25
    > To: focus-ms@securityfocus.com
    > Subject: RE: CA-SSL in IIS
    > 
    > 
    > 
    > OK, I got the certificate installed, but for some reason, 
    > most browsers will not install the certificate. Opera won't 
    > even try, and IE says it installs, and yet asks if you want 
    > to trust this server the next time I go there. Mozilla works 
    > fine. I have a feeling that it is because the CA's root 
    > certificate is not available from the web. Am I on the right 
    > track? If so, how do I fix it? Can I simply register the CA 
    > on the webserver, so when the client goes to install the 
    > certificate, it grabs the CA's as well, or do I have to get 
    > them to download it separately? 
    > 
    > Thanks,
    > 
    > Benjamin Meade
    > System Administrator
    > LanWest Pty Ltd
    > 
    > 
    > -----Original Message-----
    > From: CORREIA, PATRICK [mailto:pcorreia@cha-llp.com] 
    > Sent: Wednesday, 16 July 2003 12:10 AM
    > To: 'Ed Sunder'; focus-ms@securityfocus.com
    > Subject: RE: CA-SSL in IIS
    > 
    > 
    > There is a concept involved here of a "chain of trust".  When 
    > Verisign signs your SSL certificate, they are giving their 
    > promise that they trust that you are who you say you are.  
    > When Joe User comes to your site, he has to decide if he 
    > trusts Verisign to make that decision.  The chain can 
    > actually be much longer through the use of intermediate 
    > certification authorities.  A user can "install" a 
    > certificate as a trusted root, meaning they trust the holder 
    > of that certificate to sign other certificates.  This is the 
    > benefit of paying a third-party CA -- their root certificate 
    > is already trusted by a default install of most browsers, 
    > including Internet Explorer.
    > 
    > In terms of the public web, if you sign certificates with 
    > your own CA, the certification chain will end with the 
    > certificate of your CA, which will not be trusted by most 
    > clients.  So when they visit your web site, they will see an 
    > error message that the site is trying to establish an SSL 
    > connection but the identity of the server could not be 
    > positively established.  This will probably scare people, 
    > even though the encryption will still work to the fullest 
    > extent.  In a controlled environment, you could install the 
    > certificate of the CA as trusted on all the client machines 
    > and you would have no problems at all.
    > 
    > --
    > Patrick Correia, Web Designer
    > Clough, Harbour & Associates LLP
    > III Winners Circle 
    > P.O. Box 5269 
    > Albany, New York 12205-0269
    > http://www.cha-llp.com
    > 
    > 
    > -----Original Message-----
    > From: Ed Sunder [mailto:edsunder@threehd.com] 
    > Sent: Tuesday, July 15, 2003 10:50 AM
    > To: focus-ms@securityfocus.com
    > Subject: RE: CA-SSL in IIS
    > 
    > What drawbacks are there in becoming your own certificate 
    > service? Versus one of the major SSL services? Other than 
    > that the source of the certificate (if the user looked it up) 
    > would not be a commercially known provider and you couldn't 
    > participate in any of the major provider's ever so valuable 
    > certificate programs.
    > 
    > Ed Sunder
    > Three HD
    > 
    > 
    > 
    > 
    > 
    -----------------------------------------------------------------------------
    ------------------------------------------------------------------------------
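
An added illustration of the chain of trust discussed in this thread (not part of any poster's message): the script builds a throwaway in-house root CA and a server certificate with OpenSSL, then verifies the server certificate with and without the root trusted. OpenSSL's `-CAfile` stands in for the Windows trusted root store here; the subject names, file names and function names are constructed.

```shell
#!/usr/bin/env bash
# Added example; all subject names and files below are constructed.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway PKI: a self-signed root CA and a server certificate it signs.
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example In-House Root CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null || return 1
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$WORK/server.csr" -days 30 \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -out "$WORK/server.crt" 2>/dev/null
}

# chain_status CERT [ROOT]: print "trusted" if CERT chains to ROOT, else
# "untrusted". With no ROOT given, the verifier trusts no CA at all, which is
# the position of a client that has never installed the in-house root.
chain_status() {
  cert=$1
  if [ -n "${2:-}" ]; then set -- -no-CApath -CAfile "$2"
  else set -- -no-CAfile -no-CApath; fi
  if openssl verify "$@" "$cert" >/dev/null 2>&1; then echo trusted
  else echo untrusted; fi
}

# is_root CERT: print "yes" if subject and issuer match (self-signed root),
# else "no". The root is the file clients must trust, not the server's own cert.
is_root() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  issr=$(openssl x509 -in "$1" -noout -issuer)
  if [ "${subj#*=}" = "${issr#*=}" ]; then echo yes; else echo no; fi
}

make_pki || { echo "openssl failed to build the demo PKI" >&2; exit 1; }
echo "server cert, root not trusted: $(chain_status "$WORK/server.crt")"
echo "server cert, root trusted:     $(chain_status "$WORK/server.crt" "$WORK/ca.crt")"
echo "ca.crt is a root certificate:     $(is_root "$WORK/ca.crt")"
echo "server.crt is a root certificate: $(is_root "$WORK/server.crt")"
```
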
    
