SSL for the Internet with Enterprise Root CA?


SSL for the Internet with Enterprise Root CA? Jack Dobiash
2/28/2004 5:16:19 PM
We have an IIS 6 server that we recently installed.
Everything is working fine and I wanted to enable SSL for
certain webpages that will be available over the
Internet. We have an Enterprise Root CA in our Domain,
so I just went to the IIS server, went through the wizard
and created the certificate for it, from our Enterprise
Root CA. The problem is, internally it works fine but
externally it takes about 30 seconds to load up the
initial page. Of course, it says that it doesn't trust
the Root CA, but this is expected. I have done some
packet monitoring and it seems like the client is trying
to directly talk to the Root CA to get its info, which
isn't possible since it's not publicly available.
Also, when you go to look at the certificate (once it
does finally finish), the Certificate path doesn't show
any Root CA.

To summarize, is it possible to have a publicly
available Website secured with SSL from a certificate made
from an Enterprise Root CA? Do I need to make another
Stand Alone Root CA? Should I just go make a
certificate with, say, OpenSSL?

Thanks!

Re: SSL for the Internet with Enterprise Root CA? Jack Dobiash
2/29/2004 10:29:42 PM
Thanks for the tip, unfortunately I have already searched
through the KB articles and ran across that one. What I
need is a certificate that DOESN'T try and talk back to
the Root CA, since it won't be available. How can I make
one that is just self-signed? I looked at that OpenSSL
project, but it was way too complicated to implement
(probably because it appeared to be written with Unix in
mind). The weird thing is, I did some searching around
the web and found other sites with certificates which
weren't trusted, and they came up quickly (of course,
saying that I didn't trust the root, but it still
worked), and the certificate didn't have any indication
of who the root was, just "Organizational CA".

Re: SSL for the Internet with Enterprise Root CA? Jack Dobiash
3/1/2004 11:01:11 AM
I tried the IE change and that didn't seem to work, however I changed the Certificate to Self-Signed via the ResKit and that worked great, it still prompts that it's Untrusted, but it did it almost immediately now. Thanks

----- Bernard wrote: ----

I think this is a client issue already.
Since you're using IIS 6.0, get the SelfSSL tool from the ResKit
and see if you can create an SSL certificate with issuing CA detail.

And if you turn off the IE advanced options
"check for revocation" and "warn if invalid cert",
do you get a faster response?
Re: SSL for the Internet with Enterprise Root CA? Bernard
3/1/2004 2:01:43 PM
It needs to connect to your CA for the CRL etc.
See if this helps -
SSL (https) Connection Slow with One Certificate but Faster with Others
http://support.microsoft.com/?id=295070

--
Regards,
Bernard Cheah
http://support.microsoft.com/
Please respond to newsgroups only ...



Re: SSL for the Internet with Enterprise Root CA? Bernard
3/1/2004 3:53:26 PM
I think this is a client issue already...
Since you're using IIS 6.0, get the SelfSSL tool from the ResKit
and see if you can create an SSL certificate with issuing CA detail.

And if you turn off the IE advanced options -
"check for revocation" and "warn if invalid cert" -

do you get a faster response?

--
Regards,
Bernard Cheah
http://support.microsoft.com/
Please respond to newsgroups only ...



Re: SSL for the Internet with Enterprise Root CA? Ohaya
3/1/2004 10:49:55 PM
Hi,

I believe that IE, by default, is set up NOT to check for a CRL, and I kind
of feel that something else is going on here, unless you specifically
enabled CRL checking in IE...

Do you have the root CA certificate from your CA installed on your
server in "Trusted Root Certification Authorities"?

If you go to IIS Manager, right-click the website, then Properties, then
Directory Security, and then click on the View Certificate button, how
does the certificate look? When you click on "Certificate Path" tab,
does it show your server certificate chained to the root CA certificate?

Also, you might try downloading SSLDiag, run it, and see what it says
about your website:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/ssldiags.mspx

Another possibility: You might be able to get your CA to create a
server cert without a CDP (CRL Distribution Pointer). Then, even if IE
is enabled for CRL checking, it wouldn't do it.

BTW, you should also provide the root CA cert to your clients/users so
they can install it on their workstations. Then they won't get that
"untrusted" popup.

Jim



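Added diagnostic for the problem in the original question and the checks Jim suggests (it is not from the thread or from Microsoft): it reads a server certificate exported from IIS (the path is a placeholder), lists the CDP and AIA URLs a browser would try to fetch and whether their hosts resolve in public DNS, then builds the chain with revocation checking so the status flags an external client hits become visible.

```powershell
# Added diagnostic (not from the thread): reads a server certificate exported from
# IIS (placeholder path) and shows what a client must fetch before trusting it,
# which is what stalls Internet clients when the issuing CA is internal only.
param([string]$CertPath = 'C:\temp\site-cert.cer')   # placeholder: export via IIS Manager

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

# Extensions a client may fetch: 2.5.29.31 = CRL Distribution Points (CDP),
# 1.3.6.1.5.5.7.1.1 = Authority Information Access (issuer cert / OCSP).
$kinds = @{ '2.5.29.31' = 'CDP'; '1.3.6.1.5.5.7.1.1' = 'AIA' }
$urls = foreach ($ext in $cert.Extensions) {
    if ($kinds.ContainsKey($ext.Oid.Value)) {
        # Format($true) renders the extension as multi-line text with "URL=..." entries
        foreach ($m in [regex]::Matches($ext.Format($true), '(?i)(https?|ldap|file)://\S+')) {
            [pscustomobject]@{ Kind = $kinds[$ext.Oid.Value]; Url = $m.Value }
        }
    }
}

if (-not $urls) {
    "No CDP/AIA URLs: nothing to fetch, so no timeout (but also no revocation checking)."
}
foreach ($u in $urls) {
    $hostName = ([uri]$u.Url).Host
    if (-not $hostName) {
        # Enterprise CAs publish ldap:///CN=... paths by default; only AD clients can use them
        "$($u.Kind) $($u.Url) -> no host: AD/LDAP path, unusable for Internet clients"
        continue
    }
    # Public DNS resolvability is a cheap proxy for "can an Internet client reach this?"
    try   { $null = [System.Net.Dns]::GetHostAddresses($hostName); $state = 'resolves' }
    catch { $state = 'DOES NOT RESOLVE: external clients wait for the retrieval timeout' }
    "$($u.Kind) $($u.Url) -> $state"
}

# Build the chain with online revocation checking and a short timeout to surface the
# flags (UntrustedRoot, PartialChain, RevocationStatusUnknown, OfflineRevocation)
# that a client on this machine would see for this certificate.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(5)
$null = $chain.Build($cert)
foreach ($s in $chain.ChainStatus) { "Chain status: $($s.Status) - $($s.StatusInformation)" }
```

Run it from a workstation outside the domain, since a domain-joined machine resolves the internal CDP and hides the delay; a cert with only LDAP paths or unresolvable HTTP hosts is the signature of the 30-second stall described above.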
Re: SSL for the Internet with Enterprise Root CA? Bernard
3/2/2004 11:42:43 AM
Mm... did you restart IE after you changed the settings?
I'm just curious whether it is still trying to connect to the CA after you turn
off all checking?

--
Regards,
Bernard Cheah
http://support.microsoft.com/
Please respond to newsgroups only ...

