Re: Trusted CA question

From: Steven L Umbach (sumbach_at_N0spam.ameritech.net)
Date: 03/31/04


Date: Wed, 31 Mar 2004 09:07:50 -0600

I suppose you could email the CA certificate [public key] to those who need
it after exporting it to a .cer file? Not an elegant solution but it may
be something to look into. Clicking the .cer file should bring up the
certificate install wizard. --- Steve

"David Cross [MS]" <dcross@online.microsoft.com> wrote in message
news:OBVgRRyFEHA.2404@TK2MSFTNGP11.phx.gbl...
> I wish I could give you an easy answer for this one - there is no simple
> solution to deploy trusted roots outside of the default roots that are
> trusted in the operating system or those that you distribute through group
> policy in AD.
>
> --
>
> David B. Cross [MS]
>
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> http://support.microsoft.com
>
> "620" <no@no.no> wrote in message
> news:7LCdnaRCDKcsNvTd4p2dnA@speakeasy.net...
> > I'm new to this certificate game so bear with me here:
> >
> > I've established a Windows domain, 'somedomain.com'. To this, I've added an
> > IIS box and named it 'www'. The IIS box's fully qualified name is
> > 'www.somedomain.com' and it faces both the internet and intranet,
> > dual-nic'd. 'www.somedomain.com' is publicly registered to the IIS box's
> > public IP on its public-side nic, from where a company web site is served.
> >
> > I need secure communications on the IIS box over the net. Because the
> > external clients accessing the IIS box are strictly employees and clients, I
> > don't really need a "trusted" verisign cert to assure anonymous ecommerce
> > visitors of my authenticity, etc. My web visitors already "trust" me in
> > that regard. I just need SSL turned on to protect some data transmissions
> > with people who already trust me, on a human level anyway. So I installed
> > certificate services on the IIS box (at which point it issued its own 'root
> > CA' cert to itself, or so I've managed to ascertain) and then browsed to my
> > own certsrv web service and, via that interface, issued myself a certificate
> > for conducting SSL web transactions. So now the IIS box has 2 certs, one
> > for being the root and one for the site, and in the IIS manager I attached
> > the SSL cert to the website and turned on SSL. So far, this all appears to
> > be working as intended - well sort of.
> >
> > Initially, when an internal client accesses the website, there is a security
> > alert - the certificate's date is ok, and the name matches, but it's not
> > from a trusted root CA. Which makes sense, because 'www.somedomain.com'
> > isn't on IE's default list of trusted CA's. But that's OK, because I could
> > go into the advanced dialog of the alert message, view the certificate path,
> > and choose to install 'www.somedomain.com' root CA cert into the client's
> > local store of trusted issuing CAs. Alert message solved, browser is happy
> > with my certs.
> >
> > From the internet, external testing is popping up the same message just as
> > I'd expect. But! And finally we reach my problem - the certificate path
> > only shows the site's SSL cert - the issuing CA cert is not there. The path
> > consists of 1 cert, not 2.
> >
> > My questions are:
> >
> > Why is the cert path "incomplete" when accessing the site externally (i.e.
> > from the web)? Is this a naming/scope issue?
> >
> > Is there a best practice to get my root CA cert installed on the web
> > clients? Preferably something a user could do, given some brief
> > instructions...
> >
> > TIA
> >
>
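The thread describes a root CA cert a server issued to itself, a site cert signed by that root, a "not from a trusted root CA" alert that clears once the root is installed on the client, and Steve's suggestion of exporting the root to a .cer file. As an added example (not code from the thread, from Microsoft, or from Certificate Services), the OpenSSL script below rebuilds that two-cert setup and shows what chain a client can build with and without the root; the host name, file names and the minimal config are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the thread: rebuild the poster's setup with OpenSSL
# (a self-issued root CA plus a site cert it signed) and check what a client can
# verify with and without the exported root. Assumes openssl on PATH; the host
# name, file names and config below are made up for the example.
set -e
WORK=$(mktemp -d)
HOST=www.somedomain.com

make_certs() {
  # Minimal config: CA:TRUE on the root, as a CA cert issued to itself would carry.
  printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = ca_ext' '[dn]' \
    '[ca_ext]' 'basicConstraints = critical,CA:TRUE' 'keyUsage = critical,keyCertSign' \
    >"$WORK/ca.cnf"
  openssl req -x509 -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=$HOST root CA" -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  # Site cert: a CSR for the host name, signed by that root (the cert bound to the site in IIS).
  openssl req -new -config "$WORK/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$WORK/www.key" -out "$WORK/www.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/www.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 365 -out "$WORK/www.pem" 2>/dev/null
}

# Export the root as a DER .cer, the form the Windows certificate install wizard
# reads (the file you would hand to users). Prints its path.
export_root_cer() {
  openssl x509 -in "$WORK/root.pem" -outform DER -out "$WORK/root.cer"
  echo "$WORK/root.cer"
}

# Length of the chain OpenSSL can build for the site cert when the trust store is
# the given PEM file (no argument = an empty store). 0 means it does not verify,
# which is the browser's "not from a trusted root CA" alert.
chain_length() {
  store="${1:-/dev/null}"
  openssl verify -CAfile "$store" -show_chain "$WORK/www.pem" 2>/dev/null \
    | grep -c '^depth=' || true
}

# Does the site cert name the root as its issuer? If not, installing the root can
# never clear the alert, whatever the client does.
issuer_matches_root() {
  [ "$(openssl x509 -in "$WORK/www.pem" -noout -issuer_hash)" = \
    "$(openssl x509 -in "$WORK/root.pem" -noout -subject_hash)" ]
}

make_certs
echo "chain without the root installed: $(chain_length) cert(s)"
echo "chain with the root installed:    $(chain_length "$WORK/root.pem") cert(s)"
```

With the root in the store the chain is the 2 certs the poster expected (site cert at depth 0, root at depth 1); with an empty store nothing verifies, which is the alert external clients see until the root reaches their trusted store.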
