You need to install the root CA certificate (generate this from the CA
service) into the trusted root-authority certificate store. It sounds to me
like you've installed the wrong certificate - without trusting the root CA,
your browswer will pop up a message each time you try to view pages over the
SSL connection.
Regards
Lee
--
Lee Evans
Vital Online Ltd
> -----Original Message-----
> From: Benjamin Meade [mailto:ben (at) lanwest.com (dot) au [email concealed]]
> Sent: 16 July 2003 02:25
> To: focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: RE: CA-SSL in IIS
>
>
>
> OK, I got the certificate installed, but for some reason,
> most browsers will not install the certificate. Opera won't
> even try, and IE says it installs, and yet asks if you want
> to trust this server the next time I go there. Mozilla works
> fine. I have a feeling that it is because the the CA's root
> certificate is not available from the web. Am I on the right
> track? If so, how do I fix it? Can I simply register the CA
> on the webserver, so when the client goes to install the
> certificate, it grabs the CA's as well, or do I have to get
> them to download it seperately?
>
> Thanks,
>
> Benjamin Meade
> System Administrator
> LanWest Pty Ltd
>
>
> -----Original Message-----
> From: CORREIA, PATRICK [mailto:pcorreia (at) cha-llp (dot) com [email concealed]]
> Sent: Wednesday, 16 July 2003 12:10 AM
> To: 'Ed Sunder'; focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: RE: CA-SSL in IIS
>
>
> There is a concept involved here of a "chain of trust". When
> Verisign signs your SSL certificate, they are giving their
> promise that they trust that you are who you say you are.
> When Joe User comes to your site, he has to decide if he
> trusts Verisign to make that decision. The chain can
> actually be much longer through the use of intermediate
> certification authorities. A user can "install" a
> certificate as a trusted root, meaning they trust the holder
> of that certificate to sign other certificates. This is the
> benefit of paying a third-party CA -- their root certificate
> is already trusted by a default install of most browsers,
> including Internet Explorer.
>
> In terms of the public web, if you sign certificates with
> your own CA, the certification chain will end with the
> certificate of your CA, which will not be trusted by most
> clients. So when they visit your web site, they will see an
> error message that the site is trying to establish an SSL
> connection but the identity of the server could not be
> positively established. This will probably scare people,
> even though the encryption will still work to the fullest
> extent. In a controlled environment, you could install the
> certificate of the CA as trusted on all the client machines
> and you would have no problems at all.
>
> --
> Patrick Correia, Web Designer
> Clough, Harbour & Associates LLP
> III Winners Circle
> P.O. Box 5269
> Albany, New York 12205-0269
> http://www.cha-llp.com
>
>
> -----Original Message-----
> From: Ed Sunder [mailto:edsunder (at) threehd (dot) com [email concealed]]
> Sent: Tuesday, July 15, 2003 10:50 AM
> To: focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: RE: CA-SSL in IIS
>
> What drawbacks are there in becoming your own certificate
> service? Versus one of the major SSL services? Other than
> that the source of the certificate (if the user looked it up)
> would not be a commercially known provider and you couldn't
> participate in any of the major provider's ever so valuable
> certificate programs.
>
> Ed Sunder
> Three HD
>
>
>
>
>
> --------------------------------------------------------------
> ----------
> -----
> --------------------------------------------------------------
> ----------
> ------
>
>
> --------------------------------------------------------------
> ---------------
> --------------------------------------------------------------
> ----------------
>
>
service) into the trusted root-authority certificate store. It sounds to me
like you've installed the wrong certificate - without trusting the root CA,
your browswer will pop up a message each time you try to view pages over the
SSL connection.
Regards
Lee
--
Lee Evans
Vital Online Ltd
> -----Original Message-----
> From: Benjamin Meade [mailto:ben (at) lanwest.com (dot) au [email concealed]]
> Sent: 16 July 2003 02:25
> To: focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: RE: CA-SSL in IIS
>
>
>
> OK, I got the certificate installed, but for some reason,
> most browsers will not install the certificate. Opera won't
> even try, and IE says it installs, and yet asks if you want
> to trust this server the next time I go there. Mozilla works
> fine. I have a feeling that it is because the the CA's root
> certificate is not available from the web. Am I on the right
> track? If so, how do I fix it? Can I simply register the CA
> on the webserver, so when the client goes to install the
> certificate, it grabs the CA's as well, or do I have to get
> them to download it seperately?
>
> Thanks,
>
> Benjamin Meade
> System Administrator
> LanWest Pty Ltd
>
>
> -----Original Message-----
> From: CORREIA, PATRICK [mailto:pcorreia (at) cha-llp (dot) com [email concealed]]
> Sent: Wednesday, 16 July 2003 12:10 AM
> To: 'Ed Sunder'; focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: RE: CA-SSL in IIS
>
>
> There is a concept involved here of a "chain of trust". When
> Verisign signs your SSL certificate, they are giving their
> promise that they trust that you are who you say you are.
> When Joe User comes to your site, he has to decide if he
> trusts Verisign to make that decision. The chain can
> actually be much longer through the use of intermediate
> certification authorities. A user can "install" a
> certificate as a trusted root, meaning they trust the holder
> of that certificate to sign other certificates. This is the
> benefit of paying a third-party CA -- their root certificate
> is already trusted by a default install of most browsers,
> including Internet Explorer.
>
> In terms of the public web, if you sign certificates with
> your own CA, the certification chain will end with the
> certificate of your CA, which will not be trusted by most
> clients. So when they visit your web site, they will see an
> error message that the site is trying to establish an SSL
> connection but the identity of the server could not be
> positively established. This will probably scare people,
> even though the encryption will still work to the fullest
> extent. In a controlled environment, you could install the
> certificate of the CA as trusted on all the client machines
> and you would have no problems at all.
>
> --
> Patrick Correia, Web Designer
> Clough, Harbour & Associates LLP
> III Winners Circle
> P.O. Box 5269
> Albany, New York 12205-0269
> http://www.cha-llp.com
>
>
> -----Original Message-----
> From: Ed Sunder [mailto:edsunder (at) threehd (dot) com [email concealed]]
> Sent: Tuesday, July 15, 2003 10:50 AM
> To: focus-ms (at) securityfocus (dot) com [email concealed]
> Subject: RE: CA-SSL in IIS
>
> What drawbacks are there in becoming your own certificate
> service? Versus one of the major SSL services? Other than
> that the source of the certificate (if the user looked it up)
> would not be a commercially known provider and you couldn't
> participate in any of the major provider's ever so valuable
> certificate programs.
>
> Ed Sunder
> Three HD
>
>
>
>
>
> --------------------------------------------------------------
> ----------
> -----
> --------------------------------------------------------------
> ----------
> ------
>
>
> --------------------------------------------------------------
> ---------------
> --------------------------------------------------------------
> ----------------
>
>
------------------------------------------------------------------------
-----
------------------------------------------------------------------------
------
[ reply ]