How to get my CA to be trusted by external clients?
IIS Server Security archive, March 2004

620
I have an IIS box (.net 2003 iis 6) that issued its own cert for the purposes of SSL on a website it serves. The IIS box is dual-nic'd and acts as a router/NAT for a private network. For the sake of discussion, all clients use IE 6.

External clients from the internet, when visiting the website, receive a security alert regarding the issuing CA - while the certificate for the site is valid, it is not from a trusted issuing/root CA. Understandable, as my CA is not on IE's default list of trusted CAs. However, within the dialog available in the alert message (when you hit details, or advanced, or... whatever that button is) the ability to traverse up the cert issuing hierarchy isn't there - only the site's certificate is available to install, and so there's no way for the client to install my CA as a trusted CA.

Internal clients from the intranet, when visiting the website, receive the same message - but when they go into the dialog of the alert message, they can see and install my CA as a trusted CA - which in turn solves the alert message and they don't see it anymore, because my CA is now trusted. I'd like my external internet clients to have this option, just as the intranet clients do - that way I can instruct them on installing my CA as trusted to resolve the alert message. At this point I assume this is some sort of name resolution / scope issue of some kind, but I'm not sure how to solve it.

The issuing CA of the certificate is www.mydomain.com. CN=www CN=mydomain CN=com. Why is it that the external internet clients can resolve and visit www.mydomain.com yet can't install this as a trusted CA? The windows name of the IIS box is 'www' and it is part of the windows domain mydomain.com, so its fully qualified name is www.mydomain.dom. I did that naming on purpose in an attempt to make the root CA visible externally, but it didn't work. Is this just a naming logistics issue, or am I way off base here?
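The post never shows what the server actually hands to a client during the handshake, and a browser can only offer to install a CA certificate it has been given, so that is the first thing to check from outside. The following Python is an added example (mine, not from the thread): it parses the "Certificate chain" section that `openssl s_client -showcerts` prints and lists the issuers a client could not find among the certificates sent. The transcripts and CA names are constructed placeholders, and `fetch_chain` assumes the openssl CLI is installed.

```python
import re
import subprocess
from typing import List, Tuple

# Constructed transcripts of the "Certificate chain" section that
# `openssl s_client -showcerts` prints (names are placeholders, PEM elided).
# LEAF_ONLY: the server sends nothing but its own certificate.
LEAF_ONLY = """\
Certificate chain
 0 s:CN = www.mydomain.com
   i:CN = mydomain.com Root CA
-----BEGIN CERTIFICATE-----
(elided)
-----END CERTIFICATE-----
"""
# WITH_CA: the server also sends the (self-signed) CA that issued the leaf.
WITH_CA = LEAF_ONLY + """\
 1 s:CN = mydomain.com Root CA
   i:CN = mydomain.com Root CA
-----BEGIN CERTIFICATE-----
(elided)
-----END CERTIFICATE-----
"""

# One chain entry; accepts both the old "s:/CN=x" and the new "s:CN = x" forms.
_ENTRY = re.compile(r"^\s*(\d+) s:(.*)$\n^\s*i:(.*)$", re.MULTILINE)

def parse_chain(output: str) -> List[Tuple[str, str]]:
    """(subject, issuer) pairs in the order the server sent them."""
    return [(m.group(2).strip(), m.group(3).strip()) for m in _ENTRY.finditer(output)]

def unresolved_issuers(chain: List[Tuple[str, str]]) -> List[str]:
    """Issuers neither self-signed nor among the sent certificates: CAs the
    client must already trust or obtain elsewhere, not from the handshake."""
    sent = {subject for subject, _ in chain}
    return [issuer for subject, issuer in chain
            if issuer != subject and issuer not in sent]

def ends_at_self_signed(chain: List[Tuple[str, str]]) -> bool:
    """True when the last certificate sent is its own issuer (a root)."""
    return bool(chain) and chain[-1][0] == chain[-1][1]

def fetch_chain(host: str, port: int = 443, timeout: float = 10.0) -> List[Tuple[str, str]]:
    """Live check against a real server; assumes the openssl CLI is on PATH."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}",
           "-servername", host, "-showcerts"]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return parse_chain(proc.stdout.decode(errors="replace"))
```

Run `unresolved_issuers(fetch_chain("www.example.com"))` from an external host; a non-empty result means the server is sending only the leaf, which is exactly the state in which a client has nothing to walk up to.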
Bernard 2004-03-30, 4:34 am
Interesting... now, can I access the site? I want to see how it ends up.
If it resolves to www.mydomain.com, it will actually query the CRL list
or CA cert to validate the cert and etc.
So when www.mydomain.com does not have anything at all, you
get different 'behavior'.
It seems to me that it should work like local clients, as you will
just say yes and install the cert.. but somehow... it's not.
--
Regards,
Bernard Cheah
http://support.microsoft.com/
http://www.msmvps.com/bernard/
"620" <no@no.no> wrote in message
news:SPKdnV8LjpHTw_XdRVn-hw@speakeasy.net...