Focus on Microsoft
RE: CA-SSL in IIS Jul 15 2003 04:09PM
CORREIA, PATRICK (pcorreia cha-llp com) (1 replies)
RE: CA-SSL in IIS Jul 16 2003 01:25AM
Benjamin Meade (ben lanwest com au) (2 replies)
RE: CA-SSL in IIS Jul 16 2003 04:16PM
Chris Lynch (lynch00 cox net)


You have to distribute the CA's Root certificate. Unfortunately, there
really isn't an easy way. As for IE, follow the steps below:

1. Open your local Internet Explorer.
2. Select Tools then Internet Options.
3. In the Internet Options window, click on the Content tab, then click
on the Certificates button.
4. Select the Trusted Root Certificate Authorities tab, and then click
on the Import button.
5. This will start a wizard. Click Next.
6. When prompted, browse to the location of the CER file. Click Next to
continue.
7. When prompted for the Certificate Store location, click on the
Browse button.
8. Check mark Show physical stores, expand Trusted Root Authentication
Authorities, and select Local Computer. Click Ok.
9. Make sure that Trusted Root Certification Authorities\Local Computer
is in the Certificate store field. Click Next to continue.
10. Click Finish to complete the import process.

That will get the certificate trusted.

Or, you could just right-click on the CER file, select Install, and then
just select the defaults.

Chris

-----Original Message-----
From: Benjamin Meade [mailto:ben (at) lanwest.com (dot) au]
Sent: Tuesday, July 15, 2003 6:25 PM
To: focus-ms (at) securityfocus (dot) com
Subject: RE: CA-SSL in IIS

OK, I got the certificate installed, but for some reason, most browsers will
not install the certificate. Opera won't even try, and IE says it installs,
and yet asks if you want to trust this server the next time I go there.
Mozilla works fine. I have a feeling that it is because the CA's root
certificate is not available from the web. Am I on the right track? If so,
how do I fix it? Can I simply register the CA on the webserver, so when the
client goes to install the certificate, it grabs the CA's as well, or do I
have to get them to download it separately?

Thanks,

Benjamin Meade
System Administrator
LanWest Pty Ltd

-----Original Message-----
From: CORREIA, PATRICK [mailto:pcorreia (at) cha-llp (dot) com]
Sent: Wednesday, 16 July 2003 12:10 AM
To: 'Ed Sunder'; focus-ms (at) securityfocus (dot) com
Subject: RE: CA-SSL in IIS

There is a concept involved here of a "chain of trust". When Verisign
signs your SSL certificate, they are giving their promise that they
trust that you are who you say you are. When Joe User comes to your
site, he has to decide if he trusts Verisign to make that decision. The
chain can actually be much longer through the use of intermediate
certification authorities. A user can "install" a certificate as a
trusted root, meaning they trust the holder of that certificate to sign
other certificates. This is the benefit of paying a third-party CA --
their root certificate is already trusted by a default install of most
browsers, including Internet Explorer.

In terms of the public web, if you sign certificates with your own CA,
the certification chain will end with the certificate of your CA, which
will not be trusted by most clients. So when they visit your web site,
they will see an error message that the site is trying to establish an
SSL connection but the identity of the server could not be positively
established. This will probably scare people, even though the
encryption will still work to the fullest extent. In a controlled
environment, you could install the certificate of the CA as trusted on
all the client machines and you would have no problems at all.

--
Patrick Correia, Web Designer
Clough, Harbour & Associates LLP
III Winners Circle
P.O. Box 5269
Albany, New York 12205-0269
http://www.cha-llp.com

-----Original Message-----
From: Ed Sunder [mailto:edsunder (at) threehd (dot) com]
Sent: Tuesday, July 15, 2003 10:50 AM
To: focus-ms (at) securityfocus (dot) com
Subject: RE: CA-SSL in IIS

What drawbacks are there in becoming your own certificate service?
Versus one of the major SSL services? Other than that the source of the
certificate (if the user looked it up) would not be a commercially known
provider and you couldn't participate in any of the major provider's
ever so valuable certificate programs.

Ed Sunder
Three HD


[ reply ]
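
A scripted form of the root-certificate import described in the message above, with the checks worth doing before a private CA is trusted machine-wide. This is an added example, not part of the original thread. It assumes a Windows client that has the PKI module's Import-Certificate cmdlet and an elevated prompt; the parameter and function names are hypothetical, and the expected fingerprint is whatever the CA administrator supplied out-of-band.

```powershell
# Added example: verify a private CA root before trusting it machine-wide.
param(
    [Parameter(Mandatory)] [string] $RootCerPath,     # the CA's root certificate (.cer)
    [Parameter(Mandatory)] [string] $ExpectedSha256,  # fingerprint received out-of-band
    [Parameter(Mandatory)] [string] $ServerCerPath    # a server certificate issued by that CA
)
$ErrorActionPreference = 'Stop'

function Read-Cert([string] $Path) {
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new((Resolve-Path $Path).Path)
}

function Get-ChainReport($Cert, $Root) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # assumption: the private CA publishes no CRL
    [void] $chain.ChainPolicy.ExtraStore.Add($Root) # lets the chain be built even before the root is trusted
    $trusted = $chain.Build($Cert)
    [pscustomobject]@{
        Trusted = $trusted
        Status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

$root   = Read-Cert $RootCerPath
$server = Read-Cert $ServerCerPath

# 1. The file must be the certificate the CA administrator vouched for.
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$actual = [BitConverter]::ToString($sha256.ComputeHash($root.RawData)) -replace '-', ''
if ($actual -ne ($ExpectedSha256 -replace '[\s:]', '')) {
    throw "Fingerprint mismatch: got $actual"
}

# 2. It must be a self-signed CA certificate, not a leaf or an intermediate.
$bc = $root.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] }
if ($root.Subject -ne $root.Issuer -or -not ($bc -and $bc.CertificateAuthority)) {
    throw "Not a self-signed CA certificate: $($root.Subject)"
}

# 3. Chain status before the import, the import itself, then the status after it.
Get-ChainReport $server $root
Import-Certificate -FilePath $RootCerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Get-ChainReport $server $root
```

The two reports show the server certificate's chain as Windows evaluates it before and after the root is placed in the Local Computer store, which is the change in trust the thread describes.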
RE: CA-SSL in IIS Jul 16 2003 03:38PM
Lee Evans (lee vital co uk)


 

Copyright 2010, SecurityFocus