Re: How to automate this ... ?

From: David Wang [Msft]
Date: 08/05/05

Date: Fri, 5 Aug 2005 02:20:47 -0700

Correct. It must be manual, or else it is a security vulnerability in the
browser. Servers cannot automatically change a trusted resource of the
client unless you established trust to that server (that's basically what
Domain membership and Group Policy is -- the server trusts the external
Domain Controller).

If the users are not controlled, your only options are to:
1. Make the users install your random certificate into their trusted root
(BIG RED FLAG -- no one should do this, but dumb users probably will)
2. Purchase a certificate from an established Certificate Registrar. They
have already got their Root CA certificate into the users' trusted root store.

Read the following blog entry for details as to why things are the way they

This posting is provided "AS IS" with no warranties, and confers no rights.
> "Steven Wong" <> wrote in message
> Thanks for your reply.
> No, there will be internet users connecting to this secure web site.
> So that means there must be some kind of user intervention to manually
> make IE trust my own Microsoft CA?
"Miha Pihler [MVP]" <> wrote in message
> Hi,
> Are these computers members of your domain? If yes, you can use group
> policy to determine which certificates clients will trust.
> -- 
> Mike
> Microsoft MVP - Windows Security
> "Steven Wong" <> wrote in message
> news:%23bj7Nx$lFHA.708@TK2MSFTNGP09.phx.gbl...
> > Hi,
> >
> > In IE, when I double click the yellow padlock and click the Install
> > Certificate button, although it said it successfully processed the
> > certificate, I still get a red cross with my certificate icon ...
> >
> > Then I found this KB ...
> >
> >
> > and it successfully made my client's IE trust my Microsoft CA ...
> >
> > But is there any way to automate this process so my client
> > doesn't really need to access the
> >
> > to make IE trust my MS CA?
> >
> > TIA
> >
> > Steven
> >
> >
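David Wang's answer comes down to one check IE performs: does the site's certificate chain to a root already present in the Windows Trusted Root store, either because a public CA put it there or because Group Policy pushed the enterprise CA root to domain members. The following PowerShell is an added example, not code from the thread or from Microsoft, that runs that same chain check from the client side so an administrator can see why the padlock shows a red cross and whether the issuing root is actually in the store. It assumes a hypothetical host name `intranet.example.internal` and uses only the .NET `X509Chain` and `SslStream` classes plus the `Cert:` drive.

```powershell
# Added example (not from the thread): fetch a site's certificate and test it
# against the same CryptoAPI chain engine IE uses (System...X509Chain).
# The host name below is a placeholder; replace it with your own server.

function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # This callback accepts any certificate only so we can *retrieve* it;
        # the real trust decision is made separately in Test-TrustedChain.
        $callback = { param($sender, $cert, $chain, $errors) return $true }
        $ssl = New-Object System.Net.Security.SslStream(
            $client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $remote = $ssl.RemoteCertificate
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($remote)
    } finally {
        $client.Close()
    }
}

function Test-TrustedChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation is skipped so the result isolates the trust question the
    # thread is about: an "UntrustedRoot" status is the red cross in IE.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($Cert)
    $last = $chain.ChainElements.Count - 1
    [pscustomobject]@{
        Subject = $Cert.Subject
        Issuer  = $Cert.Issuer
        Trusted = $trusted
        Status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Root    = $chain.ChainElements[$last].Certificate.Subject
        RootThumbprint = $chain.ChainElements[$last].Certificate.Thumbprint
    }
}

function Find-TrustedRoot {
    param([string]$Thumbprint)
    # Group Policy's "Trusted Root Certification Authorities" setting and the
    # manual import from the KB both end up in these two stores.
    Get-ChildItem Cert:\LocalMachine\Root, Cert:\CurrentUser\Root |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
}

# Usage (placeholder host):
$cert   = Get-RemoteCertificate -HostName 'intranet.example.internal'
$result = Test-TrustedChain -Cert $cert
$result | Format-List
if (-not $result.Trusted) {
    $inStore = Find-TrustedRoot -Thumbprint $result.RootThumbprint
    if ($inStore) {
        'Root is in a Trusted Root store but the chain still failed; see Status.'
    } else {
        'Issuing root is not in Trusted Root: a domain GPO or a public CA is needed.'
    }
}
```

A `Trusted = False` with `Status = UntrustedRoot` is exactly the situation in the original question: the Microsoft CA's root is not in the client's store, and nothing the server sends can change that without user or administrator action. For domain members the fix is the Group Policy route Miha Pihler describes; for anonymous internet users it is a certificate from a CA whose root already ships with Windows.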
