Re: How to install website certificate as Trusted?

From: Tony Su (
Date: 06/20/04

Date: Sun, 20 Jun 2004 14:08:16 -0700

I agree and now I think you're beginning to follow me...

If a machine isn't pre-configured to trust the issueing CA
of a website, then is there any way to configure trusting
that particular website without going to the root CA to
configure trusting the root CA?

It seems to me illogical that there should be a button to
enable installing the website certificate if it isn't
sufficient, you have to trust the issueing CA <instead>.

Webserver secured with cert from untrusted CA
- Installing the cert from the website on the client is
insufficient, no change
- Installing the public cert from the untrusted CA enables
the CA to be trusted and all certs that CA has issued.
- If the client machine is added to the Windows Domain of
a CA, then that CA will be considered trusted as well.

Thanks for your time,
Tony Su

>-----Original Message-----
>: If I attempt to over-ride and place the website
>: certificate in the Trusted Publishers store, it doesn't
>: show up.
>which certificate are you attempting to place where? You
don't want to be
>placing the website's server certificate into the store.
You want to place
>the Certificate Authority's (CAs) root certificate into
the store...
>"Tony Su" <> wrote in
>: Thanks for replying Ken,
>: But that is exactly what I mean... what you describe
>: doesn't work on any website I've done that on.
>: Choosing to allow the installer to choose the store, I
>: see the certificate appear in the "Intermediate
>: Certification Authorities," but I don't see why that
>: should be appropriate... because there is no Trusted
>: Publisher installed yet that would be able to
>: authenticated an Intermediate. And, therefor of course
>: authentication will still fail.
>: If I attempt to over-ride and place the website
>: certificate in the Trusted Publishers store, it doesn't
>: show up.
>: Thoughts?
>: Or, am I looking at this wrong?
>: TIA,
>: Tony Su
>: >-----Original Message-----
>: >When you view the certificate details, you don't import
>: the server
>: >certificate.
>: >You need to view the details of the CA's root
>: certificate, and then import
>: >that into the certificate store.
>: >
>: >You can see the CA's cert in the Certificate Heirachy
>: (in Internet
>: >Explorer)
>: >
>: >Cheers
>: >Ken
>: >
>: >"Tony Su" <> wrote
>: message
>: >news:1c35301c45226$e9313e90$a401280a@phx.gbl...
>: >: Specifically I'm referring to SBS2K3, but should
>: probably
>: >: be applicable to any other situation where a website
>: >: secured with a Makecert or is issued by a CA not
>: >: trusted.
>: >:
>: >: When a User views the suspect certificate, clicks
>: on "View
>: >: Certificate" and "Install Certificate," whether the
>: >: certificate is installed in default stores or any
>: >: specified store this has no effect... The next time
>: >: User views the website, the User will still be
>: >: because the website certificate still is not trusted.
>: >:
>: >: The only way I've been able to resolve this are two
>: ways...
>: >: - If the certificate is issued by my Domain CA, then
>: can
>: >: make the machine a member of my Domain.
>: >: - If the certificate is issued by a CA, I can export
>: >: CA's public certificate and install it into the
>: as
>: >: a trusted CA.
>: >:
>: >: So far, I have not found an easy and direct way for
>: >: client to install the certificate from the website.
>: >:
>: >: Any thoughts?
>: >: TIA,
>: >:
>: >: Tony Su
>: >
>: >
>: >.
>: >