Re: SSL and certificates

From: Alun Jones [MS MVP] (alun_at_texis.com)
Date: 12/24/03

    Date: Wed, 24 Dec 2003 20:54:43 GMT
    
    

    In article <0f7f01c3be60$fe7193e0$a301280a@phx.gbl>, "Kevin"
    <anonymous@discussions.microsoft.com> wrote:
    >Are client certificates necessary for SSL or just server
    >certificates?

    Just a server certificate. However...

    >The Microsoft help for setting up SSL takes you through
    >creating a server root certificate and another server
    >certificate and then installing each on all of the
    >clients.

    The client needs to have some way to believe that the server's certificate
    is genuine. It does that either by trusting the server's certificate, or
    one of the certificates that were used to sign the server's certificate.

    This is where installing the certificates comes in - your client only trusts
    those certificates that it has been told to trust. Internet Explorer ships
    with a few certificates already described as "trusted" - these are generally
    root certification authorities, and IE will implicitly trust any server that
    presents a certificate signed by one of these Trusted Roots.

    To get your server certificate trusted by a client's installation of IE, you
    have to do one of the following:

    1. Get your certificate from a CA that is already a trusted root at the
    client's IE installation.
    2. Have the client install your server's certificate as trusted.
    3. Have the client install as trusted the certificate from the CA that
    issued your server's certificate.

    Alun.
    ~~~~

    [Please don't email posters, if a Usenet response is appropriate.]

    -- 
    Texas Imperial Software   | Find us at http://www.wftpd.com or email
    1602 Harvest Moon Place   | alun@texis.com.
    Cedar Park TX 78613-1419  | WFTPD, WFTPD Pro are Windows FTP servers.
    Fax/Voice +1(512)258-9858 | Try our NEW client software, WFTPD Explorer.
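
The trust rule described in the post above, shown as an added example that is not part of the original message: a client accepts the server certificate only if it has been told to trust that certificate or the CA that signed it. It assumes the `openssl` command-line tool with its stock configuration in place of the IE certificate store; the CA names, host name and file names are constructed for the demo.

```bash
#!/usr/bin/env bash
# Constructed demo PKI: every name and file here is made up for this example.
demo_dir=$(mktemp -d)

build_pki() {
  # Root CA: stands in for "the CA that issued your server's certificate".
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Root CA" \
    -keyout "$demo_dir/ca.key" -out "$demo_dir/ca.pem" 2>/dev/null || return 1
  # Server key and signing request, then a server certificate signed by that CA.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$demo_dir/srv.key" -out "$demo_dir/srv.csr" 2>/dev/null || return 1
  openssl x509 -req -in "$demo_dir/srv.csr" -days 1 -CA "$demo_dir/ca.pem" \
    -CAkey "$demo_dir/ca.key" -CAcreateserial -out "$demo_dir/srv.pem" 2>/dev/null || return 1
  # A second root that signed nothing: a client trusting only this one
  # has not been told to trust our server.
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Unrelated Root CA" \
    -keyout "$demo_dir/other.key" -out "$demo_dir/other.pem" 2>/dev/null || return 1
}

# check_trust ANCHOR_FILE [extra "openssl verify" flags]
# Prints "trusted" if srv.pem verifies when ANCHOR_FILE is what the client trusts.
check_trust() {
  anchors=$1; shift
  if openssl verify -CAfile "$anchors" "$@" "$demo_dir/srv.pem" >/dev/null 2>&1
  then echo trusted; else echo untrusted; fi
}

build_pki || { echo "openssl failed to build the demo PKI" >&2; exit 1; }
echo "client trusts an unrelated root only: $(check_trust "$demo_dir/other.pem")"
echo "client trusts the issuing CA:         $(check_trust "$demo_dir/ca.pem")"
# -partial_chain lets OpenSSL accept a non-root certificate as the trust anchor,
# which is how it models installing the server certificate itself as trusted.
echo "client trusts the server cert itself: $(check_trust "$demo_dir/srv.pem" -partial_chain)"
```

The second and third checks correspond to options 3 and 2 in the list; option 1 is the same as option 3 with a CA the client already ships with.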
    
