IIS Server Security - Prompting for Certificate...

Phil Strack

2004-12-09, 6:19 pm

Hi-
Never configured SSL on IIS 6.x before. I've set up a site and enabled SSL.
I have created a local cert authority on another internal server and have
installed the certificate on the web server. (Servers are all Win 2003
Standard...clients are all XP SP1 & 2) SSL appears to work okay; when I hit
the site from a browser it requires https, but it prompts to OK the
certificate every time on the client. Is there any way to have it only prompt
the first time and trust the client for future visits to the site?

On the client I have followed the prompt to view the certificate and import
it locally (which was successful); however, I am still prompted every time I
visit the site.

Thanks in advance for any guidance regarding this problem.

-Phil


Miha Pihler

2004-12-10, 2:53 am

Hi Phil,

To avoid this, the client would have to trust your CA server certificate. You
can instruct your users to import the CA certificate.

If you set up your own CA, here is where you can download the CA certificate:

Open the Web Interface for your CA server and go to Download a CA certificate,
certificate chain or CRL. Here click on Download CA certificate. Save the
file and transfer it to the client (all your clients and servers that will
work with your Exchange server). Double-click on it and follow the wizard.
Default values should be OK. Once you install it, all the certificates
issued by this CA will be trusted.

If this site will only be used inside the domain, you can import the CA
certificate to the clients using Active Directory.

Another option would be to buy the certificate (prices are usually about 150
USD or more per year) from a trusted CA agency (e.g. Thawte or Verisign).

Mike




Phil Strack

2004-12-10, 7:54 am

Thanks Mike. I'll give that a try.

Cheers

-Phil






Phil Strack

2004-12-13, 6:38 pm

Hi Mike-
I followed the steps you outlined below and I still am prompted with every
visit to the test site. I am using my own CA to do this and can see the
imported certificate in IE. Does it need to be in any specific container? It
is in the "Trusted Root Certification Authorities".
I also took a look at the certificate and it appears to be OK, but there is
a warning on the security alert message box that reads "The name on the
security certificate is invalid or does not match the name of the site."

Thanks

-Phil






Miha Pihler

2004-12-13, 6:38 pm

Phil,

You have to use the same name in the URL that you used when you issued the
certificate.

If you enter www.site.com in your URL, then your certificate must be
configured with the same name and not just www (the default setting).

This is the name that must be the same:
http://freeweb.siol.net/mpihler/issued_to.jpg

If you have the wrong name in the certificate, you will have to issue a new
certificate to your IIS with the correct setting. When you run the wizard to
create a new request, this is the setting to watch out for:
http://freeweb.siol.net/mpihler/site_name.jpg The name in the window must be
the same as the one you will use to access the site.



Mike
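
The thread describes two separate causes of the prompt: an issuing CA the client does not trust, and a certificate name that differs from the host in the URL. The following is an added example, not part of the original posts, that models both checks on constructed inputs; the function names are hypothetical, and the subjectAltName and wildcard handling go beyond what the thread covers and reflect how current clients match names.

```python
from urllib.parse import urlsplit


def name_matches(host, pattern):
    """Compare one certificate name against the host taken from the URL."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if "*" not in pattern:
        return host == pattern
    # A wildcard is accepted only as the whole left-most label and it
    # stands for exactly one label: *.site.com covers www.site.com only.
    p_labels, h_labels = pattern.split("."), host.split(".")
    if p_labels[0] != "*" or "*" in "".join(p_labels[1:]) or len(p_labels) < 3:
        return False
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def diagnose(url, common_name, san_dns=(), issuer_trusted=True):
    """Return the reasons a client would raise a certificate prompt."""
    host = urlsplit(url).hostname or ""
    # When DNS subjectAltName entries exist they are used instead of the CN.
    names = list(san_dns) or [common_name]
    reasons = []
    if not issuer_trusted:
        reasons.append("issuing CA is not a trusted root on this client")
    if not any(name_matches(host, n) for n in names):
        reasons.append(f"name mismatch: URL host {host!r} not in {names}")
    return reasons


if __name__ == "__main__":
    # Constructed cases following the thread: certificate issued to "www",
    # site visited as https://www.site.com/.
    cases = [
        ("before importing the CA", "https://www.site.com/", "www", False),
        ("after importing the CA", "https://www.site.com/", "www", True),
        ("reissued with full name", "https://www.site.com/", "www.site.com", True),
    ]
    for label, url, cn, trusted in cases:
        result = diagnose(url, cn, issuer_trusted=trusted)
        print(f"{label}: {result or 'no prompt'}")
```

Importing the CA certificate removes only the first reason; the second stays until the certificate is reissued with the name users actually type.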





Phil Strack

2004-12-15, 6:38 pm

Thanks Mike





