Hi,

In IE, when I double click yellow pad-lock and click the install certificate
button,
although it said successfully processed the certificate, but I still get a
red cross
with my certificate icon ...

Then I found this KB ...
http://support.microsoft.com/?id=297681

and it successfully made my client's IE to trust my Microsoft CA ...

But are there anyway to automate this process so my client
don't really need to access the
https://www.mydomain.com/rootinstall.asp
to make the IE to trust my MS CA ?

TIA

Steven

[ Post a follow-up to this message ]

Hi,

Are these computers members of your domain? If yes you can use group policy
to determine which certificates clients will trust.

--
Mike
Microsoft MVP - Windows Security

"Steven Wong" <sazabi75@hotmail.com> wrote in message
news:%23bj7Nx$lFHA.708@TK2MSFTNGP09.phx.gbl...
> Hi,
>
> In IE, when I double click yellow pad-lock and click the install
> certificate
> button,
> although it said successfully processed the certificate, but I still get a
> red cross
> with my certificate icon ...
>
> Then I found this KB ...
> http://support.microsoft.com/?id=297681
>
> and it successfully made my client's IE to trust my Microsoft CA ...
>
> But are there anyway to automate this process so my client
> don't really need to access the
> https://www.mydomain.com/rootinstall.asp
> to make the IE to trust my MS CA ?
>
> TIA
>
> Steven
>
>

[ Post a follow-up to this message ]

Hi,

Thanks for your reply..
No, there will be internet users connecting to this secure web site.
So, that means there must be some kind of user intervention to manually
make the IE to trust my own Microsoft CA ?

TIA

Steven
"Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message
news:uWVGjaQmFHA.2080@TK2MSFTNGP14.phx.gbl...
> Hi,
>
> Are these computers members of your domain? If yes you can use group
policy
> to determine which certificates clients will trust.
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Steven Wong" <sazabi75@hotmail.com> wrote in message
> news:%23bj7Nx$lFHA.708@TK2MSFTNGP09.phx.gbl... 
a[vbcol=seagreen] 
>
>

[ Post a follow-up to this message ]

Correct. It must be manual, or else it is a security vulnerability in the
browser. Servers cannot automatically change a trusted resource of the
client unless you established trust to that server (that's basically what
Domain membership and Group Policy is -- the server trusts the external
Domain Controller).

If the users are not controlled, your only options are to:
1. Make the users install your random certificate into their trusted root
(BIG RED FLAG -- no one should do this, but dumb users probably will)
2. Purchase a certificate from an established Certificate Registrar. They
already got their Root CA Certificate into the user's trusted root store.

Read the following blog entry for details as to why things are the way they
are:
http://blogs.msdn.com/david.wang/ar...SSL_on_IIS.aspx

--
//David
IIS
http://blogs.msdn.com/David.Wang
This posting is provided "AS IS" with no warranties, and confers no rights.
//
"Steven Wong" <sazabi75@hotmail.com> wrote in message
news:eNaJfzUmFHA.1412@TK2MSFTNGP09.phx.gbl...
Hi,

Thanks for your reply..
No, there will be internet users connecting to this secure web site.
So, that means there must be some kind of user intervention to manually
make the IE to trust my own Microsoft CA ?

TIA

Steven
"Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message
news:uWVGjaQmFHA.2080@TK2MSFTNGP14.phx.gbl...
> Hi,
>
> Are these computers members of your domain? If yes you can use group
policy
> to determine which certificates clients will trust.
>
> --
> Mike
> Microsoft MVP - Windows Security
>
> "Steven Wong" <sazabi75@hotmail.com> wrote in message
> news:%23bj7Nx$lFHA.708@TK2MSFTNGP09.phx.gbl... 
a[vbcol=seagreen] 
>
>

[ Post a follow-up to this message ]