Re: OWA certificate cannot be verified



Mr. PKI,

So this is the safe way. Now I understand a little about extension PFX and
CER.

I deleted the PFX, as soon as I read this.

I guess I have to read why VeriSign or Thawte is trusted automatically on the
internet.

THANK YOU VERY MUCH,
Ricky

"Brian Komar" wrote:

Whoa!!!!
You do not have to install the PFX file. Do NOT INCLUDE THE PRIVATE KEY IN
THE EXPORT!
(I am yelling for your safety, not at you).

You need to deploy the .cer file (base64 or DER encoded both work). They
need to install the certificate into the trusted root store.
The easiest way is to deploy it through AD (if they are machine members).

certutil -dspublish -f certfile.cer RootCA
(this must be run by a forest root domain admin or by an enterprise admin)

If they are not domain members, certutil in a batch file is probably your
best bet.
certutil -addstore root certfile.cer
(this must be run by a local Administrator on the client computer)

In both cases, this adds the root CA certificate to the trusted root store.

You could also write directions on how to add the certificate to the user's
trusted root store using the certmgr.msc console.

But, never deploy the actual PFX file of the Web server certificate. If I
got this certificate, I could become your Web server on any version of *any*
OS that has a web server service.
Brian


"RickyVene" wrote:
OK.

I remember now on how to trust the certificate. You need to install the
root CA on the computer you use. I use my company laptop and it does the
trust on the certificate of the OWA. And I remember that root CA is being
pushed automatically on the member computer. Non member is not, you need to
do it manually.

So I export the pfx root certificate on the non member computer accessing
outside and trust on the website is ok.

The question now, is this safe to install the root cert on a non member
computer? The validity of the root CA is five years with 2048 length.

Thanks,
Ricky

"RickyVene" wrote:

I have been using 2003 standard certificate for almost two years and I have
renewed my OWA 2003 for the second year. I'm still having this problem with
Certificate Error on IE7. The error is "this certificate cannot be
verified...".

Actually I don't mind this before because according to the webcast of Kai if
you know your CA then you know it's legitimate cert. I even have this on my
eTrust 8.x console on the web, I've called support and they don't have
solution to the untrusted certificate error. But the problem is my boss and
my users. They're hard to please and give stupid feedback to me.

Can someone please give me some clue on how to make my certificate
legitimate to my users? Google/Live give so many links to these but not one
of them give right correct direction or maybe I haven't read to good solution
yet. Well I hope I will find something here.

Or do I need to go back to Verisign or Cybersource? Or even open source.

Thanks,
Ricky
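
A pre-deployment check for the advice in Brian Komar's reply, as an added example that is not part of the original thread: it refuses any file that can carry a private key (a PFX, or a PEM bundle with a key block) and any certificate that is not self-issued, then runs the same `certutil -addstore root` command. `Install-RootCaCert` is a hypothetical helper name; `certfile.cer` is the file name used in the thread.

```powershell
# Added example. Install-RootCaCert is a hypothetical helper name.
function Install-RootCaCert {
    param([Parameter(Mandatory = $true)][string]$Path)

    $full = (Resolve-Path -LiteralPath $Path).ProviderPath

    # A PEM bundle can carry a key block beside the certificate.
    if (Select-String -LiteralPath $full -Pattern 'PRIVATE KEY-----' -Quiet) {
        throw "$Path contains a private key block; export the certificate only."
    }

    # Sniff the content, not the extension: a PFX renamed to .cer is still a PFX.
    $type = [System.Security.Cryptography.X509Certificates.X509Certificate2]::GetCertContentType($full)
    if ($type -ne [System.Security.Cryptography.X509Certificates.X509ContentType]::Cert) {
        throw "$Path is of type $type, not a single DER/base64 certificate."
    }

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $full

    # Only a self-issued root (subject equals issuer) belongs in the trusted
    # root store, never the web server's own certificate.
    if ($cert.Subject -ne $cert.Issuer) {
        throw "$($cert.Subject) is not self-issued (issuer: $($cert.Issuer))."
    }

    # Show what is about to be trusted so it can be compared out of band.
    Write-Host "Subject:    $($cert.Subject)"
    Write-Host "Thumbprint: $($cert.Thumbprint)"
    Write-Host "Expires:    $($cert.NotAfter)"

    # Same command as in the thread; must run as a local Administrator.
    & certutil.exe -addstore root $full
    if ($LASTEXITCODE -ne 0) {
        throw "certutil failed with exit code $LASTEXITCODE"
    }
}

# Usage, from an elevated prompt on the non-member computer:
#   Install-RootCaCert -Path .\certfile.cer
```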

