Re: OWA certificate cannot be verified

You do not have to install the PFX file. Do NOT INCLUDE THE PRIVATE KEY IN THE EXPORT!
(I am yelling for your safety, not at you).

You need to deploy the .cer file (base64 or DER encoded both work). They need to install the certificate into the trusted root store.
The easiest way is to deploy it through AD (if they are machine members).

certutil -dspublish -f certfile.cer RootCA
(this must be run by a forest root domain admin or by an enterprise admin)

If they are not domain members, certutil in a batch file is probably your best bet.
certutil -addstore root certfile.cer
(this must be run by a local Administrator on the client computer)

In both cases, this adds the root CA certificate to the trusted root store.

You could also write directions on how to add the certificate to the user's trusted root store using the certmgr.msc console.

But, never deploy the actual PFX file of the Web server certificate. If I got this certificate, I could become your Web server on any version of *any* OS that has a web server service.

"RickyVene" <RickyVene@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:3E2BF73F-C630-4520-832C-8338A66CDB2B@xxxxxxxxxxxxxxxx

I remember now on how to trust the certificate. You need to install the
root ca on the computer you use. I use my company laptop and it does the
trust on the certificate of the OWA. And I remember that root CA is being
pushed automatic on the member computer. Non member is not, you need to do
it manually.

So I export the pfx root certificate on the non member computer accessing
outside and trust on the website is ok.

The question now, is this safe to install the root cert on a non member
computer? The validity of the root CA is five years with 2048 length.


"RickyVene" wrote:

I have been using 2003 standard certificate for almost two years and I have
renewed my OWA 2003 for the second year. I'm still having this problem with
Certificate Error on IE7. The error is " this certificate cannot be

Actually I don't mind this before because according to the webcast of Kai if
you know your CA then you know it's legitimate cert. I even have this on my
eTrust 8.x console on the web, I've called support and they don't have
solution to the untrusted certificate error. But the problem is my boss and
my users. They're hard to please and give stupid feedback to me.

Can someone please give me some clue on how to make my certificate
legitimate to my users? Google/Live give so many links to these but not one
of them give right correct direction or maybe I haven't read to good solution
yet. Well I hope I will find something here.

Or do I need to go back to Verisign or Cybersource? Or even open source.
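
For the non-domain case, the certutil -addstore command from the reply can be wrapped in a pre-flight check that refuses a PFX, or any file carrying a private key, before anything is trusted. This is an added example, not part of the original posts; the script parameters and the ExpectedThumbprint value (obtained out of band from the CA administrator) are assumptions.

```powershell
# Added example: refuse key-bearing files, then trust the root CA (run elevated).
param(
    [string]$Path = 'certfile.cer',      # file name as used in the post
    [string]$ExpectedThumbprint = ''     # assumption: value obtained out of band from the CA admin
)
$ErrorActionPreference = 'Stop'
$full = (Resolve-Path -LiteralPath $Path).Path
$x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]

# 1. A PFX/PKCS#12 container can carry the private key; only a plain certificate is acceptable.
$type = $x509::GetCertContentType($full)
if ($type -ne 'Cert') {
    throw "Refusing '$full': content type is $type, not a plain certificate (.cer)."
}

# 2. Load the public certificate and confirm no private key is attached.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $full
if ($cert.HasPrivateKey) {
    throw "Refusing '$full': a private key is present."
}

# 3. A root CA certificate is self-issued and marked as a CA in Basic Constraints.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Refusing '$full': subject and issuer differ, so this is not a root certificate."
}
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not $bc -or -not $bc.CertificateAuthority) {
    Write-Warning 'Basic Constraints does not mark this certificate as a CA.'
}

# 4. Compare the thumbprint with the out-of-band value before trusting anything.
Write-Host "Subject:    $($cert.Subject)"
Write-Host "Thumbprint: $($cert.Thumbprint)"
Write-Host "Expires:    $($cert.NotAfter)"
if ($ExpectedThumbprint -and ($cert.Thumbprint -ne ($ExpectedThumbprint -replace '\s', ''))) {
    throw 'Thumbprint mismatch: not adding this certificate to the root store.'
}

# 5. Same command as in the reply; needs a local Administrator.
& certutil.exe -addstore root $full
if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE." }
```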


