Re: certificates and OWA

From: David Cross [MS] (dcross@online.microsoft.com)
Date: 10/26/02


From: "David Cross [MS]" <dcross@online.microsoft.com>
Date: Sat, 26 Oct 2002 08:25:53 -0700


Have you installed the root certificate on the outside client Win98
machines?

I suspect that is the problem and not the CRL.

--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
http://support.microsoft.com
"John McCoy" <itsme109@hotmail.com> wrote in message
news:urju5jdgo9r27a@corp.supernews.com...
> Hi, this is the issue I am having. Internally all clients work very well.
> Outside it is saying the certificate is issued by a company I have not
> chosen to trust. In Windows 98 it complains of the CRL. I published the CRL
> in the store. I install the certificate and even put it in the trusted store
> and it isn't installed. When looking at the certificate it says it can't be
> verified to a trusted CA so going backwards it is missing something.
>
> It seems to be the way I am installing the certificate on the web server. Is
> there a good doc on the right way? That is one issue and perhaps the way I
> am setting up the CRL. I am very close here just need to fix these two
> things.
>
> Thanks
>
> John
>
> "David Cross [MS]" <dcross@online.microsoft.com> wrote in message
> news:uNryymCfCHA.2556@tkmsftngp08...
> > Is the root CA trusted on all the clients? If the machines are not attached
> > to the domain or are Windows 9.x machines, you will need to have the root CA
> > installed/trusted on all clients that hit the OWA SSL web site. IE does
> > not check the CRL by default.
> >
> > --
> >
> >
> > David B. Cross [MS]
> >
> > --
> > This posting is provided "AS IS" with no warranties, and confers no rights.
> >
> > http://support.microsoft.com
> >
> > "John McCoy" <jmccoy@cmatech.com> wrote in message
> > news:Ox0c6N3eCHA.2636@tkmsftngp11...
> > > Thanks, the problem I think is that the client (OWA) can't access the CRL.
> > > From what I have read I believe I need to create a domain policy which I am
> > > trying to create one but when I open the store to digitally sign it the
> > > store is empty.
> > >
> > > I have a root CA and a sub CA and am using AD. Shouldn't I be able to see
> > > all the certificates issued on both machines?
> > >
> > > Thanks
> > >
> > >
> > > "Chris Gilbert" <Chris.Gilbert@Consignia.com> wrote in message
> > > news:3db7b1ab@RGINF-S02.research-group.co.uk...
> > > >
> > > > John Mccoy wrote
> > > >
> > > > > When a user goes to the site https://mydomain/exchange they are prompted for
> > > > > the certificate. If I am running Win2K it says the certificate cannot be
> > > > > verified to the certificate authority. In Windows 98 it says it can't find or
> > > > > verify the certificate revocation list.
> > > >
> > > > For SSL to work, the client and the server must share a common root
> > > > of trust. This can be achieved a number of ways. Your client and server cert
> > > > could have been issued by the same authority; your client and server
> > > > certs could have been issued by different authorities but which share a
> > > > trust relationship through cross-certification; You can accept the trust of
> > > > the server cert on connection; You can deploy the server cert issuer root
> > > > CA cert in the client. It's probably the last option that you need here.
> > > >
> > > > CRL checking must be enabled in your email client. MS does not deploy
> > > > with it active by default. Also, your client certificates must be deployed
> > > > with an active and accessible CRL Distribution Point (CDP) value.
> > > >
> > > > Chris
>
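
The thread turns on whether the outside clients fail because the root CA is not trusted or because the CRL cannot be reached. The following added example (not part of the original posts) separates the two cases on a current Windows client by building the chain with revocation checking on and reading the chain status. It assumes the OWA server certificate has been exported to a file; the function name and the default path are hypothetical.

```powershell
using namespace System.Security.Cryptography.X509Certificates

# Added example, not from the thread. Run on an external (non-domain) client.
function Test-ServerCertTrust {
    param(
        # Hypothetical path to an exported copy of the OWA server certificate.
        [string]$CertPath = '.\owa-server.cer'
    )

    $cert = [X509Certificate2]::new((Resolve-Path $CertPath).Path)

    # Build the chain against this machine's stores with online CRL checking,
    # so trust failures and revocation failures are both reported.
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [X509RevocationFlag]::ExcludeRoot
    $built = $chain.Build($cert)

    # Each ChainStatus entry carries one status flag.
    $statuses = @($chain.ChainStatus | ForEach-Object { $_.Status })

    # Top of whatever chain could be built (not a root if the chain is partial).
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    # CRL Distribution Points extension (OID 2.5.29.31) of the server certificate.
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }

    [pscustomobject]@{
        Subject           = $cert.Subject
        ChainBuilt        = $built
        TopOfChain        = $top.Subject
        # Root missing from the trusted store, or issuer certificates not found.
        RootNotTrusted    = ($statuses -contains [X509ChainStatusFlags]::UntrustedRoot) -or
                            ($statuses -contains [X509ChainStatusFlags]::PartialChain)
        # CRL could not be downloaded or the revocation state is undetermined.
        RevocationUnknown = ($statuses -contains [X509ChainStatusFlags]::RevocationStatusUnknown) -or
                            ($statuses -contains [X509ChainStatusFlags]::OfflineRevocation)
        Revoked           = $statuses -contains [X509ChainStatusFlags]::Revoked
        CrlDistribution   = if ($cdp) { $cdp.Format($false) } else { '(no CDP extension)' }
        AllStatuses       = $statuses -join ', '
    }
}

Test-ServerCertTrust | Format-List
```

`RootNotTrusted` being true corresponds to the missing-root case raised in the reply; `RevocationUnknown` being true with the root trusted corresponds to a CDP the client cannot reach.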

