Trust a cert and cert purpose
Hi all,
I would like to ask about SSL certificates.
I have a web server installed with an SSL certificate. The cert is signed by a
CA created by myself (through MS Cert Server). When I go to the web site by
https, a security alert prompts, saying that the CA is not trusted and I need to
press "Yes" in order to access the web site.
Is there any way that I can bypass the security alert and go to the website
directory? I can accept a one-time installation at workstation level. I know I
can achieve it by installing the Root trust for that CA so that the client
workstation will trust each cert issued by that CA, as I've tried it
successfully. However, I would like to be more restrictive: I want to trust that
cert only. That is, I trust that CA to issue the cert to my web server ONLY. That
is, after the one-time installation, I can access that website directory. When
there is another SSL website installed with a cert also signed by my CA, my
workstation will prompt the security alert.
Or in other words, is there any way to trust the cert instead of trusting
the CA? I've tried to install the cert by clicking the "Install certificate"
button, but it only installs on the intermediate cert. Once I close IE and
go to the website again, the security alert prompts. Any solution? Thanks.
Also, I have questions on setting the cert purpose:
When I select a cert at IE -> Option -> Content -> Certificate ->
highlight any built-in cert, the "certificate purpose" displayed at the bottom
can be many types: e.g. for email, for server authentication, etc.
For those certs signed by the CA created by myself (e.g. MS Cert Server), the
"certificate purpose" is "All". How do I configure the certificate purpose
while generating the cert?
Thanks.

Bernard 2004-11-10, 2:49 am
> Is there any way that I can bypass the security alert and go to the website
> directory?
Error Message: This Security Certificate Was Issued by a Company that You
Have Not Chosen to Trust
http://support.microsoft.com/?id=297681
--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/

Yogita Manghnani [MSFT] 2004-11-10, 5:50 pm
Jenny,
The warning states that the certificate was issued by a CA you have chosen
not to trust. So to resolve it you have to trust the CA. There's no way you
can trust the CA based on the certs used on the sites. The link provided by
Bernard gives you one way of getting the root CA cert to the clients rather
than having them install the root CA cert from the warning dialog.
Good luck,
Yogita Manghnani
Microsoft Developer Support
Internet Information Server
This posting is provided "AS IS" with no warranties, and confers no rights.
You assume all risk for your use.
© 2003 Microsoft Corporation. All rights reserved.

Thanks all first.
Would like to ask how about the certificate purpose? How to generate a
cert with a specific purpose instead of <All>? Thanks.

Miha Pihler 2004-11-11, 5:52 pm
I am not sure how your CA is installed (standalone or enterprise setup), but
which template did you use to issue your certificate? Did you choose the
Webserver template?
Mike

Bernard 2004-11-12, 2:48 am
What CA are you using? What purpose do you intend to have?
Server authentication, client cert?
--
Regards,
Bernard Cheah
http://www.tryiis.com/
http://support.microsoft.com/
http://www.msmvps.com/bernard/
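
An added example, not part of the original thread and not Microsoft's own sample: on Windows a certificate that carries no Enhanced Key Usage (EKU) extension is displayed with purpose <All>, so the purpose is restricted by putting an EKU in the request. The script assumes a standalone CA that copies the EKU from the request (on an enterprise CA the template, such as Web Server, decides it); the host name, the CA config string `CAHOST\Example-CA` and the file names are placeholders.

```powershell
# Request a certificate limited to Server Authentication instead of <All>.
# Placeholders (assumptions, not from the thread): www.example.test,
# CAHOST\Example-CA, and the webserver.* file names.

$inf = @'
[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=www.example.test"    ; must match the name clients browse to
KeyLength = 2048
KeySpec = 1                        ; AT_KEYEXCHANGE, used for SSL/TLS server keys
MachineKeySet = TRUE               ; key goes to the machine store, where IIS looks
Exportable = FALSE                 ; private key cannot be exported afterwards
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1            ; Server Authentication only
; Leaving this section out produces a request with no EKU, which a CA that
; adds none of its own turns into a certificate shown with purpose <All>.
'@

# Single-quoted here-string keeps "$Windows NT$" literal.
Set-Content -Path .\webserver.inf -Value $inf -Encoding ASCII

# Build the PKCS#10 request; the private key is generated on this machine.
certreq -new .\webserver.inf .\webserver.req

# Send the request to the CA and save the issued certificate.
certreq -submit -config "CAHOST\Example-CA" .\webserver.req .\webserver.cer

# Bind the issued certificate to the pending private key.
certreq -accept .\webserver.cer

# Check the result: the dump should list only Server Authentication
# under "Enhanced Key Usage".
certutil -dump .\webserver.cer |
    Select-String -Pattern 'Enhanced Key Usage' -Context 0,2
```

If the dump shows no Enhanced Key Usage section, the CA did not copy the extension from the request and the certificate will still display as <All>.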