Re: Trusted CA question
From: David Cross [MS] (dcross_at_online.microsoft.com)
Date: 03/31/04
- Next message: anonymous_at_discussions.microsoft.com: "Legit files?"
- Previous message: Chriss3: "Re: Changing local security policy via script or command line."
- In reply to: 620: "Trusted CA question"
- Next in thread: Steven L Umbach: "Re: Trusted CA question"
- Reply: Steven L Umbach: "Re: Trusted CA question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Wed, 31 Mar 2004 05:30:13 -0800
I wish I could give you an easy answer for this one - there is no simple
solution to deploy trusted roots outside of the default roots that are
trusted in the operating system or those that you distribute through group
policy in AD.
--
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
http://support.microsoft.com

"620" <no@no.no> wrote in message news:7LCdnaRCDKcsNvTd4p2dnA@speakeasy.net...
> I'm new to this certificate game so bear with me here:
>
> I've established a Windows domain, 'somedomain.com'. To this, I've added an
> IIS box and named it 'www'. The IIS box's fully qualified name is
> 'www.somedomain.com' and it faces both the internet and intranet,
> dual-nic'd. 'www.somedomain.com' is publicly registered to the IIS box's
> public IP on its public-side nic, from where a company web site is served.
>
> I need secure communications on the IIS box over the net. Because the
> external clients accessing the IIS box are strictly employees and clients, I
> don't really need a "trusted" Verisign cert to assure anonymous ecommerce
> visitors of my authenticity, etc. My web visitors already "trust" me in
> that regard. I just need SSL turned on to protect some data transmissions
> with people who already trust me, on a human level anyway. So I installed
> certificate services on the IIS box (at which point it issued its own 'root
> CA' cert to itself, or so I've managed to ascertain) and then browsed to my
> own certsrv web service and, via that interface, issued myself a certificate
> for conducting SSL web transactions. So now the IIS box has 2 certs, one
> for being the root and one for the site, and in the IIS manager I attached
> the SSL cert to the website and turned on SSL. So far, this all appears to be
> working as intended - well, sort of.
>
> Initially, when an internal client accesses the website, there is a security
> alert - the certificate's date is OK, and the name matches, but it's not
> from a trusted root CA. Which makes sense, because 'www.somedomain.com'
> isn't on IE's default list of trusted CAs. But that's OK, because I could
> go into the advanced dialog of the alert message, view the certificate path,
> and choose to install the 'www.somedomain.com' root CA cert into the client's
> local store of trusted issuing CAs. Alert message solved, browser is happy
> with my certs.
>
> From the internet, external testing is popping up the same message just as
> I'd expect. But! And finally we reach my problem - the certificate path
> only shows the site's SSL cert - the issuing CA cert is not there. The path
> consists of 1 cert, not 2.
>
> My questions are:
>
> Why is the cert path "incomplete" when accessing the site externally (i.e.
> from the web)? Is this a naming/scope issue?
>
> Is there a best practice to get my root CA cert installed on the web
> clients? Preferably something a user could do, given some brief
> instructions...
>
> TIA
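The path building the poster describes, as an added example in Go that is not part of this thread: it constructs a self-signed root and a site certificate in memory (stand-ins for the IIS box's root CA and its SSL cert) and models how a client validates the presented path with and without that root in its local trust store. The names, serials, and the use of Go's x509 verifier in place of Windows CryptoAPI are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// newCert issues a cert for cn signed by parent/parentKey (self-signed when parent is nil).
// The certs built with it are constructed stand-ins for the poster's IIS root CA and site cert.
func newCert(cn string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: isCA, KeyUsage: x509.KeyUsageDigitalSignature,
	}
	if isCA { // CA cert: allowed to sign other certs
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else { // site cert: carries the site name and is marked for TLS server use
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil { // self-signed root, like the one certsrv issued to itself
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// pathStatus models what the client does: build a path from the certificates the server
// presented (site cert first) to a root in the client's own trust store, and return its length.
// Extra certs the server sends only help build the path; sending a root never makes it trusted.
func pathStatus(presented []*x509.Certificate, trusted *x509.CertPool) (int, error) {
	extra := x509.NewCertPool()
	for _, c := range presented[1:] {
		extra.AddCert(c)
	}
	chains, err := presented[0].Verify(x509.VerifyOptions{
		DNSName: "www.somedomain.com", Roots: trusted, Intermediates: extra})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}
```

With an empty local store the site cert fails as "unknown authority" whether or not the root is sent along; once the root is installed locally the path resolves to 2 certificates, which is why the root has to reach clients out of band (as the reply above says, via the OS defaults or group policy).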