How to install website certificate as Trusted?


How to install website certificate as Trusted? Tony Su
6/14/2004 8:47:34 AM
Specifically I'm referring to SBS2K3, but should probably
be applicable to any other situation where a website is
secured with a Makecert or is issued by a CA not already
trusted.

When a User views the suspect certificate, clicks on "View
Certificate" and "Install Certificate," whether the
certificate is installed in default stores or any
specified store this has no effect... The next time the
User views the website, the User will still be prompted
because the website certificate still is not trusted.

The only way I've been able to resolve this are two ways...
- If the certificate is issued by my Domain CA, then I can
make the machine a member of my Domain.
- If the certificate is issued by a CA, I can export the
CA's public certificate and install it into the Client as
a trusted CA.

So far, I have not found an easy and direct way for the
client to install the certificate from the website.

Any thoughts?
TIA,

Re: How to install website certificate as Trusted? Ken Schaefer
6/15/2004 2:01:05 AM
When you view the certificate details, you don't import the server
certificate.
You need to view the details of the CA's root certificate, and then import
that into the certificate store.

You can see the CA's cert in the Certificate Hierarchy tab (in Internet
Explorer)

Cheers
Ken


Re: How to install website certificate as Trusted? Tony Su
6/16/2004 1:30:55 PM
Thanks for replying Ken,
But that is exactly what I mean... what you describe
doesn't work on any website I've done that on.

Choosing to allow the installer to choose the store, I can
see the certificate appear in the "Intermediate
Certification Authorities," but I don't see why that
should be appropriate... because there is no Trusted
Publisher installed yet that would be able to
authenticate an Intermediate. And, therefore of course
authentication will still fail.

If I attempt to over-ride and place the website
certificate in the Trusted Publishers store, it doesn't
show up.

Thoughts?
Or, am I looking at this wrong?

TIA,

Tony Su



Re: How to install website certificate as Trusted? Ken Schaefer
6/17/2004 12:15:06 PM
Hi

: If I attempt to over-ride and place the website
: certificate in the Trusted Publishers store, it doesn't
: show up.

Which certificate are you attempting to place where? You don't want to be
placing the website's server certificate into the store. You want to place
the Certificate Authority's (CA's) root certificate into the store...

Cheers
Ken



Re: How to install website certificate as Trusted? Tony Su
6/20/2004 2:08:16 PM
Yes,
I agree and now I think you're beginning to follow me...

If a machine isn't pre-configured to trust the issuing CA
of a website, then is there any way to configure trusting
that particular website without going to the root CA to
configure trusting the root CA?

It seems to me illogical that there should be a button to
enable installing the website certificate if it isn't
sufficient, you have to trust the issuing CA <instead>.

Summary:
Webserver secured with cert from untrusted CA
- Installing the cert from the website on the client is
insufficient, no change
- Installing the public cert from the untrusted CA enables
the CA to be trusted and all certs that CA has issued.
- If the client machine is added to the Windows Domain of
a CA, then that CA will be considered trusted as well.

Thanks for your time,
Tony Su




Re: How to install website certificate as Trusted? Ken Schaefer
6/25/2004 1:12:47 PM
Hi,

You need to read up on Certificate trust hierarchy. The certificate the
webserver has is signed with the key of the CA. The CA's certificate
verifies that the key used to sign the webserver's certificate is indeed the
correct key. Unless you have that root certificate (or a designated
Intermediate Certificate) in your trusted cert store, then the "Server"
certificate can not be completely validated.

With MS Certificate Services integrated into an AD environment, certs issued
by Cert Services are automatically trusted by domain clients. But this
requires the CA to be AD integrated -and- the clients to be AD integrated.

Cheers
Ken
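
The trust relationship described in this reply, as an added example that is not part of the original thread. It uses OpenSSL's default path validation as a stand-in for the Windows certificate stores (an assumption), with a throwaway CA and host names constructed for the demo:

```bash
#!/usr/bin/env bash
# Constructed demo PKI: the CA and host names below are made up for illustration.
work=$(mktemp -d)

# Create a self-signed root CA (stands in for the CA the client does not yet trust).
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Private Root CA" \
    -keyout "$work/ca.key" -out "$work/ca.crt" 2>/dev/null
}

# Issue a server certificate for host $1, signed with the CA's key.
issue_server_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$work/$1.key" -out "$work/$1.csr" 2>/dev/null &&
  openssl x509 -req -in "$work/$1.csr" -days 30 -CA "$work/ca.crt" \
    -CAkey "$work/ca.key" -CAcreateserial -out "$work/$1.crt" 2>/dev/null
}

# Succeeds only if certificate $2 chains to a self-signed root found in trust file $1.
chains_to() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

report() {  # $1 = label, $2 = trust file, $3 = certificate under test
  if chains_to "$2" "$3"; then echo "$1: trusted"; else echo "$1: NOT trusted"; fi
}

make_ca
issue_server_cert www.example.test
issue_server_cert mail.example.test

# 1. Trust file holds only the server's own certificate: the chain still cannot
#    be built, because nothing vouches for the key that signed it.
report "server cert installed  " "$work/www.example.test.crt" "$work/www.example.test.crt"
# 2. Trust file holds the CA root: the server certificate validates...
report "CA root installed, www " "$work/ca.crt" "$work/www.example.test.crt"
# 3. ...and so does every other certificate that CA has issued.
report "CA root installed, mail" "$work/ca.crt" "$work/mail.example.test.crt"
```

Case 3 is the point to weigh before importing a private root: the client will then accept any certificate that CA issues, not only the one site's.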
