Re: How to automate this ... ?

From: David Wang [Msft] (someone_at_online.microsoft.com)
Date: 08/05/05


Date: Fri, 5 Aug 2005 02:20:47 -0700

Correct. It must be manual, or else it is a security vulnerability in the
browser. Servers cannot automatically change a trusted resource of the
client unless you established trust to that server (that's basically what
Domain membership and Group Policy are -- the server trusts the external
Domain Controller).

If the users are not controlled, your only options are to:
1. Make the users install your random certificate into their trusted root
(BIG RED FLAG -- no one should do this, but dumb users probably will)
2. Purchase a certificate from an established Certificate Registrar. They
already got their Root CA Certificate into the user's trusted root store.

Read the following blog entry for details as to why things are the way they
are:
http://blogs.msdn.com/david.wang/archive/2005/08/02/Free_SSL_on_IIS.aspx

-- 
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Steven Wong" <sazabi75@hotmail.com> wrote in message
news:eNaJfzUmFHA.1412@TK2MSFTNGP09.phx.gbl...
Hi,
Thanks for your reply..
No, there will be internet users connecting to this secure web site.
So, that means there must be some kind of user intervention to manually
make IE trust my own Microsoft CA?
TIA
Steven
"Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message
news:uWVGjaQmFHA.2080@TK2MSFTNGP14.phx.gbl...
> Hi,
>
> Are these computers members of your domain? If yes you can use group policy
> to determine which certificates clients will trust.
>
> -- 
> Mike
> Microsoft MVP - Windows Security
>
> "Steven Wong" <sazabi75@hotmail.com> wrote in message
> news:%23bj7Nx$lFHA.708@TK2MSFTNGP09.phx.gbl...
> > Hi,
> >
> > In IE, when I double click the yellow padlock and click the install
> > certificate button, although it said it successfully processed the
> > certificate, I still get a red cross with my certificate icon ...
> >
> > Then I found this KB ...
> > http://support.microsoft.com/?id=297681
> >
> > and it successfully made my client's IE trust my Microsoft CA ...
> >
> > But is there any way to automate this process so my client
> > doesn't really need to access
> > https://www.mydomain.com/rootinstall.asp
> > to make IE trust my MS CA?
> >
> > TIA
> >
> > Steven
> >
> >
>
>


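Added example, not part of the original thread: a PowerShell audit an administrator can run on a Windows client to see which root certificates were installed into the current user's trusted root store by hand (option 1 above) rather than trusted machine-wide. The function name `Get-UserOnlyRoot` is hypothetical; the code assumes Windows PowerShell 3.0 or later with the built-in `Cert:` drive.

```powershell
# Added example (not from the thread). Get-UserOnlyRoot is a hypothetical helper name.
# Assumes Windows PowerShell 3.0+ with the built-in Cert: provider.
function Get-UserOnlyRoot {
    # Thumbprints of roots trusted machine-wide (installed by an administrator,
    # delivered by Group Policy, or shipped through the Windows root program).
    $machine = @(
        Get-ChildItem Cert:\LocalMachine\Root
        Get-ChildItem Cert:\LocalMachine\AuthRoot
    ) | Select-Object -ExpandProperty Thumbprint -Unique

    # Cert:\CurrentUser\Root is a merged view that also lists the machine-wide
    # roots, so a thumbprint missing from the machine stores was added for this
    # user only, for example through the browser's certificate import dialog.
    Get-ChildItem Cert:\CurrentUser\Root |
        Where-Object { $machine -notcontains $_.Thumbprint } |
        ForEach-Object {
            [pscustomobject]@{
                Subject    = $_.Subject
                Issuer     = $_.Issuer
                Thumbprint = $_.Thumbprint
                SelfSigned = ($_.Subject -eq $_.Issuer)
                NotBefore  = $_.NotBefore
                NotAfter   = $_.NotAfter
            }
        }
}

# Review each entry: every certificate listed can vouch for any site the user visits.
$found = @(Get-UserOnlyRoot)
if ($found.Count -eq 0) {
    Write-Output 'No user-installed trusted roots found.'
} else {
    $found | Sort-Object NotBefore | Format-List
}
```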