Re: Trusting Certs from Non Trusted root

TrevorJ <TrevorJ@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
I suspect that it's a cost thing, although I suspect the budget
should run to a 'proper' certificate. I'll have another word with the
IT people about it as it obviously affects all who try to use our
school 'remote network' facility and getting it sorted would be a
'good thing'.
In the mean time, is what I am after possible? and if so, how can I
do it?


I haven't tried this, as I am not yet using Vista *or* IE7....but check out
http://msmvps.com/blogs/spywaresucks/archive/2006/01/31/82198.aspx


Regards Trevor

"Lanwench [MVP - Exchange]" wrote:

TrevorJ <TrevorJ@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
PS the site that I am trying to trust is
https://24hrschool.bexhillhigh.e-sussex.sch.uk/

Looks like they created their own SSL certificate (for free). If
they were to instead purchase a third party SSL certificate from one
of the root / trusted providers, it's highly unlikely that anyone
would be getting this message.

Although I have the utmost respect for Mr. Pidgorny, I can't agree
with the blanket statement that "...the IT people are very
unprofessional" with so little background knowlege. To give them
the benefit of the doubt, perhaps they've been given a shoestring
budget and/or have technologically-challenged management to deal
with - either might explain why they went with the "roll your own"
route.

The fact that you're using Vista/IE7 means that your computer is
going to complain a lot more about this than one running IE6, in
which case it's simple to click & install *once* so one is never
bothered again.

However, it's true that for anything other than a small/home office,
it's better not to use a a self-signed cert. Verisign, Thawte,
Geotrust, are some of the big names - Godaddy is a smaller vendor
that may work for most people/devices/computers.



Trevor

"TrevorJ" wrote:

Thanks to you both for the info. Unfortunately, I'm not too much up
in this certificate thing and wonder if one of you could help me
further, as I don't fully understand what exactly I have to do. If
You can help me on this one, I'll write a little 'how to do it' and
give the instructions to any one else that's P'd off about it.
If it makes any difference, I am running XP Pro SP2 on my tower and
Vista Home Premium on my laptop, both with IE7. All patches up to
date. @Paul.
I like your sig block sentiments, but I suspect that quite a few
arguments an flaming incidents have been prevented by their use :-)
Trevor



"S. Pidgorny <MVP>" wrote:

You can extract the root by analysing the certificate properties
and add it to the trusted root store...

The IT people are very unprofessional. It's one click too much.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *


"TrevorJ" <TrevorJ@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E0796974-E658-4E08-9962-B1AF529DBC19@xxxxxxxxxxxxxxxx
Thanks for the reply.
I have tried talking to our IT people, but their response is
'It's only one
more click'. I (temporarily) tried unchecking the IE Warn
about.... but that
didn't solve the problem.
You would have thought that you could 'import' a certificate
from a trusted
site, even if it was not strictly valid.
Thanks again, I suppose that I will have to put up with the extra
click.

Trevor


"S. Pidgorny <MVP>" wrote:

In IE security options, there's one which is to "Warn about
invalid site certificates". You cannot disable the warning for a
single site though.

I suggest looking into the root issue and making the root which
is always used by your infrastructure trusted. Make sure you
know why exactly you get
the warning.

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

* http://sl.mvps.org * http://msmvps.com/blogs/sp *

"TrevorJ" <TrevorJ@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:BAB98587-F964-4D2F-B53A-5301B017E6E9@xxxxxxxxxxxxxxxx
I work for a school which has internet access to the school
network via a
https address. When connecting IE produces the following
message: "The security certificate presented by this website
was not issued by a trusted
certificate authority." Although the certificate cannot be
traced back, I
would like to avoid this message every time I log on. I have
tried importing
the certificate and placing he site into my 'trusted sites'
area, but to
no
avail. Is there a way of achieving what I want to do?
TIA. Trevor



.

Relevant Pages

  • Re: Isolation of the Root CA
    ... A lot has to do with the complexity of your network and your security needs. ... Certificate Authorities with maybe six or eight issuing CA's for various ... > One major thing I can't seem to grasp is the installation of the Root CA. ...
    (microsoft.public.win2000.security)
  • Re: Accessing website with Certificate
    ... The client needs to have the CA root cert. ... This Security Certificate Was Issued by a Company that You ... "The security cerificate issued by a company you have not chosen to trust. ...
    (microsoft.public.inetserver.iis.security)
  • Re: How to revoke the root CA certificate ?
    ... regarding root CA physical security. ... you must remove the certificate from all computer's ... But what certificate is used to sign the CRL... ...
    (microsoft.public.windows.server.security)
  • Re: Trusting Certs from Non Trusted root
    ... TrevorJ wrote: ... Looks like they created their own SSL certificate. ... and add it to the trusted root store... ...
    (microsoft.public.security)
  • Re: Trusting Certs from Non Trusted root
    ... certificate thing and wonder if one of you could help me further, ... Trevor ... Svyatoslav Pidgorny, MS MVP - Security, MCSE ... I suggest looking into the root issue and making the root which is always ...
    (microsoft.public.security)