RE: CA-SSL in IIS
From: Lee Evans (lee_at_vital.co.uk)
Date: 07/16/03
- Previous message: RICH, ADAM (SBCSI): "RE: Internet explorer history viewer"
- In reply to: Benjamin Meade: "RE: CA-SSL in IIS"
- Next in thread: Chris Lynch: "RE: CA-SSL in IIS"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <ben@lanwest.com.au>, <focus-ms@securityfocus.com>
Date: Wed, 16 Jul 2003 16:38:53 +0100
You need to install the root CA certificate (generate this from the CA
service) into the trusted root-authority certificate store. It sounds to me
like you've installed the wrong certificate - without trusting the root CA,
your browser will pop up a message each time you try to view pages over the
SSL connection.
Regards
Lee
--
Lee Evans
Vital Online Ltd

> -----Original Message-----
> From: Benjamin Meade [mailto:ben@lanwest.com.au]
> Sent: 16 July 2003 02:25
> To: focus-ms@securityfocus.com
> Subject: RE: CA-SSL in IIS
>
> OK, I got the certificate installed, but for some reason,
> most browsers will not install the certificate. Opera won't
> even try, and IE says it installs, and yet asks if you want
> to trust this server the next time I go there. Mozilla works
> fine. I have a feeling that it is because the CA's root
> certificate is not available from the web. Am I on the right
> track? If so, how do I fix it? Can I simply register the CA
> on the webserver, so when the client goes to install the
> certificate, it grabs the CA's as well, or do I have to get
> them to download it separately?
>
> Thanks,
>
> Benjamin Meade
> System Administrator
> LanWest Pty Ltd
>
> -----Original Message-----
> From: CORREIA, PATRICK [mailto:pcorreia@cha-llp.com]
> Sent: Wednesday, 16 July 2003 12:10 AM
> To: 'Ed Sunder'; focus-ms@securityfocus.com
> Subject: RE: CA-SSL in IIS
>
> There is a concept involved here of a "chain of trust". When
> Verisign signs your SSL certificate, they are giving their
> promise that they trust that you are who you say you are.
> When Joe User comes to your site, he has to decide if he
> trusts Verisign to make that decision. The chain can
> actually be much longer through the use of intermediate
> certification authorities. A user can "install" a
> certificate as a trusted root, meaning they trust the holder
> of that certificate to sign other certificates. This is the
> benefit of paying a third-party CA -- their root certificate
> is already trusted by a default install of most browsers,
> including Internet Explorer.
>
> In terms of the public web, if you sign certificates with
> your own CA, the certification chain will end with the
> certificate of your CA, which will not be trusted by most
> clients. So when they visit your web site, they will see an
> error message that the site is trying to establish an SSL
> connection but the identity of the server could not be
> positively established. This will probably scare people,
> even though the encryption will still work to the fullest
> extent. In a controlled environment, you could install the
> certificate of the CA as trusted on all the client machines
> and you would have no problems at all.
>
> --
> Patrick Correia, Web Designer
> Clough, Harbour & Associates LLP
> III Winners Circle
> P.O. Box 5269
> Albany, New York 12205-0269
> http://www.cha-llp.com
>
> -----Original Message-----
> From: Ed Sunder [mailto:edsunder@threehd.com]
> Sent: Tuesday, July 15, 2003 10:50 AM
> To: focus-ms@securityfocus.com
> Subject: RE: CA-SSL in IIS
>
> What drawbacks are there in becoming your own certificate
> service? Versus one of the major SSL services? Other than
> that the source of the certificate (if the user looked it up)
> would not be a commercially known provider and you couldn't
> participate in any of the major provider's ever so valuable
> certificate programs.
>
> Ed Sunder
> Three HD
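The chain-of-trust behaviour discussed in this thread, as an added example that is not part of any poster's message: a server certificate signed by a private CA verifies only when that CA's root certificate is the one the client trusts. It uses the OpenSSL command line rather than the Microsoft CA service, and every name, hostname and file path in it is constructed for the illustration.

```shell
#!/bin/sh
# Constructed demo: a private root CA, a server certificate it signs, and an
# unrelated CA standing in for a client whose trust store lacks the right root.

# make_ca DIR NAME CN: create a self-signed CA key/cert pair (valid 1 day).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_server_cert DIR CA_NAME HOSTNAME: CSR for HOSTNAME signed by CA_NAME.
issue_server_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -days 1 \
        -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
        -out "$1/server.crt" 2>/dev/null
}

# chain_verifies TRUSTED_ROOT CERT: exit 0 only if CERT chains to TRUSTED_ROOT.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# issuer_of CERT: print the issuer name, i.e. which root the client must trust.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}

demo() {
    d=$(mktemp -d) || return 1
    make_ca "$d" ca "Example Private Root CA" &&
    make_ca "$d" other "Unrelated Root CA" &&
    issue_server_cert "$d" ca "www.example.test" || return 1
    issuer_of "$d/server.crt"
    for root in ca other; do
        if chain_verifies "$d/$root.crt" "$d/server.crt"; then
            echo "trusting $root.crt: chain verifies"
        else
            echo "trusting $root.crt: chain does not verify, client would warn"
        fi
    done
    rm -rf "$d"
}
demo
```

On a Windows client, the counterpart of passing the right file to `-CAfile` is importing the CA's own certificate into the Trusted Root Certification Authorities store.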