Re: OWA certificate cannot be verified

You do not have to install the PFX file. Do NOT INCLUDE THE PRIVATE KEY IN THE EXPORT!
(I am yelling for your safety, not at you).

You need to deploy the .cer file (base64 or DER encoded both work). They need to install the certificate into the trusted root store.
The easiest way is to deploy it through AD (if they are machine members).

certutil -dspublish -f certfile.cer RootCA
(this must be run by a forest root domain admin or by an enterprise admin)

If they are not domain members, certutil in a batch file is probably your best bet.
certutil -addstore root certfile.cer
(this must be run by a local Administrator on the client computer)

In both cases, this adds the root CA certificate to the trusted root store.

You could also write directions on how to add the certificate to the user's trusted root store using the certmgr.msc console.

But, never deploy the actual PFX file of the Web server certificate. If I got this certificate, I could become your Web server on any version of *any* OS that has a web server service.

"RickyVene" <RickyVene@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:3E2BF73F-C630-4520-832C-8338A66CDB2B@xxxxxxxxxxxxxxxx

I remember now on how to trust the certificate. You need to install the
root ca on the computer you use. I use my company laptop and it does the
trust on the certificate of the OWA. And I remember that root CA is being
pushed automatic on the member computer. Non member is not, you need to do
it manually.

So I export the pfx root certificate on the non member computer accessing
outside and trust on the website is ok.

The question now, is this safe to install the root cert on a non member
computer? The validity of the root CA is five years with 2048 length.


"RickyVene" wrote:

I have been using 2003 standard certificate for almost two years and I have
renewed my OWA 2003 for the second year. I'm still having this problem with
Certificate Error on IE7. The error is " this certificate cannot be

Actually I don't mind this before because according to the webcast of Kai if
you know your CA then you know it's legitimate cert. I even have this on my
eTrust 8.x console on the web, I've called support and they don't have
solution to the untrusted certificate error. But the problem is my boss and
my users. They're hard to please and give stupid feedback to me.

Can someone please give me some clue on how to make my certificate
legitimate to my users? Google/Live give so many links to these but not one
of them give right correct direction or maybe I haven't read to good solution
yet. Well I hope I will find something here.

Or do I need to go back to Verisign or Cybersource? Or even open source.
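
A pre-import check for the advice in the reply at the top of this thread (distribute only the .cer, never a PFX), as an added PowerShell example that is not part of the original posts. It refuses any file that is a PFX/PKCS#12 container or carries a private key, then runs the `certutil -addstore root` command quoted in the reply. The `-ExpectedThumbprint` parameter and the out-of-band thumbprint comparison are assumptions added for illustration.

```powershell
# Added example: vet a root CA file before trusting it on a non-domain client.
# Run from an elevated prompt (certutil -addstore root needs local Administrator).
param(
    [string]$Path = 'certfile.cer',   # file name used in the thread
    [string]$ExpectedThumbprint       # assumption: thumbprint supplied by the CA admin out of band
)

$x509 = [System.Security.Cryptography.X509Certificates.X509Certificate2]
$full = (Resolve-Path -LiteralPath $Path).ProviderPath

# 1. Refuse containers that can hold a private key (PFX / PKCS#12).
$type = $x509::GetCertContentType($full)
if ($type -ne 'Cert') {
    throw "Refusing to import '$full': content type is $type, not a plain certificate."
}

# 2. Load the certificate and confirm no private key came with it.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full
if ($cert.HasPrivateKey) {
    throw "Refusing to import '$full': the file carries a private key."
}

# 3. A root CA certificate is self-signed; anything else does not belong in the root store.
if ($cert.Subject -ne $cert.Issuer) {
    throw "Refusing to import '$full': subject and issuer differ, so this is not a root CA certificate."
}

# 4. Compare against the thumbprint obtained from the CA administrator, if one was given.
if ($ExpectedThumbprint) {
    $want = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($cert.Thumbprint -ne $want) {
        throw "Thumbprint mismatch: file has $($cert.Thumbprint), expected $want."
    }
} else {
    Write-Warning "No -ExpectedThumbprint given; verify $($cert.Thumbprint) with the CA admin before trusting."
}

"Subject:    $($cert.Subject)"
"Thumbprint: $($cert.Thumbprint)"
"Expires:    $($cert.NotAfter)"

# 5. Same command as in the reply: add the certificate to the local trusted root store.
certutil -addstore root $full
if ($LASTEXITCODE -ne 0) { throw "certutil failed with exit code $LASTEXITCODE" }
```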