How to install website certificate as Trusted?
| Tony Su 2004-06-14, 5:57 pm |
| Specifically I'm referring to SBS2K3, but should probably
be applicable to any other situation where a website is
secured with a Makecert or is issued by a CA not already
trusted.
When a User views the suspect certificate, clicks on "View
Certificate" and "Install Certificate," whether the
certificate is installed in default stores or any
specified store this has no effect... The next time the
User views the website, the User will still be prompted
because the website certificate still is not trusted.
The only way I've been able to resolve this are two ways...
- If the certificate is issued by my Domain CA, then I can
make the machine a member of my Domain.
- If the certificate is issued by a CA, I can export the
CA's public certificate and install it into the Client as
a trusted CA.
So far, I have not found an easy and direct way for the
client to install the certificate from the website.
Any thoughts?
TIA,
Tony Su
| |
| Ken Schaefer 2004-06-14, 5:57 pm |
| When you view the certificate details, you don't import the server
certificate.
You need to view the details of the CA's root certificate, and then import
that into the certificate store.
You can see the CA's cert in the Certificate Hierarchy tab (in Internet
Explorer)
Cheers
Ken
| |
| Tony Su 2004-06-16, 6:01 pm |
| Thanks for replying Ken,
But that is exactly what I mean... what you describe
doesn't work on any website I've done that on.
Choosing to allow the installer to choose the store, I can
see the certificate appear in the "Intermediate
Certification Authorities," but I don't see why that
should be appropriate... because there is no Trusted
Publisher installed yet that would be able to
authenticate an Intermediate. And, therefore of course
authentication will still fail.
If I attempt to over-ride and place the website
certificate in the Trusted Publishers store, it doesn't
show up.
Thoughts?
Or, am I looking at this wrong?
TIA,
Tony Su
| |
| Ken Schaefer 2004-06-17, 5:56 pm |
| Hi
: If I attempt to over-ride and place the website
: certificate in the Trusted Publishers store, it doesn't
: show up.
Which certificate are you attempting to place where? You don't want to be
placing the website's server certificate into the store. You want to place
the Certificate Authority's (CA's) root certificate into the store...
Cheers
Ken
| |
| Tony Su 2004-06-20, 10:36 pm |
| Yes,
I agree and now I think you're beginning to follow me...
If a machine isn't pre-configured to trust the issuing CA
of a website, then is there any way to configure trusting
that particular website without going to the root CA to
configure trusting the root CA?
It seems to me illogical that there should be a button to
enable installing the website certificate if it isn't
sufficient, you have to trust the issuing CA <instead>.
Summary:
Webserver secured with cert from untrusted CA
- Installing the cert from the website on the client is
insufficient, no change
- Installing the public cert from the untrusted CA enables
the CA to be trusted and all certs that CA has issued.
- If the client machine is added to the Windows Domain of
a CA, then that CA will be considered trusted as well.
Thanks for your time,
Tony Su
| |
| Ken Schaefer 2004-06-26, 10:16 am |
| Hi,
You need to read up on Certificate trust hierarchy. The certificate the
webserver has is signed with the key of the CA. The CA's certificate
verifies that the key used to sign the webserver's certificate is indeed the
correct key. Unless you have that root certificate (or a designated
Intermediate Certificate) in your trusted cert store, then the "Server"
certificate cannot be completely validated.
With MS Certificate Services integrated into an AD environment, certs issued
by Cert Services are automatically trusted by domain clients. But this
requires the CA to be AD integrated -and- the clients to be AD integrated.
Cheers
Ken
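Added example (not part of the original thread and not code from either poster): the trust chain described in the last reply, and the cases in the "Summary" post, reproduced with a throwaway CA. It assumes the openssl command-line tool as a stand-in for the Windows certificate store; the CA name, the host names and the helper functions make_pki, trusted_by and report are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example: throwaway CA and server certs, constructed for this demo.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build one root CA and two server (leaf) certs signed by it.
make_pki() (
  cd "$WORK" || exit 1
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Test Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes \
    -keyout ca.key -days 2 -out ca.pem 2>/dev/null || exit 1
  for host in www mail; do
    openssl req -new -config ca.cnf -subj "/CN=$host.example.test" \
      -newkey rsa:2048 -nodes -keyout "$host.key" -out "$host.csr" 2>/dev/null || exit 1
    openssl x509 -req -in "$host.csr" -CA ca.pem -CAkey ca.key \
      -CAcreateserial -days 2 -out "$host.pem" 2>/dev/null || exit 1
  done
)

# trusted_by STORE CERT: succeeds only if CERT chains to a trust anchor in STORE.
# Matches the ": OK" line that openssl verify prints on success.
trusted_by() {
  openssl verify -CAfile "$WORK/$1" "$WORK/$2" 2>/dev/null | grep -q ': OK$'
}

report() {
  if trusted_by "$1" "$2"; then echo "store=$1 cert=$2 -> trusted"
  else echo "store=$1 cert=$2 -> NOT trusted"; fi
}

make_pki || exit 1
report www.pem www.pem    # server cert "installed": its issuer is still unknown
report ca.pem  www.pem    # CA root installed: the chain completes
report ca.pem  mail.pem   # ...and so does every other cert this CA issued
```

On the Windows clients discussed in the thread, the step that corresponds to `-CAfile ca.pem` is importing the CA's certificate into the Trusted Root Certification Authorities store. As the third line of output shows, that extends trust to everything the CA signs, not only the one website.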