I am really confused. I have read a whole PKI book and still feel dumb. I know I cannot get a root CA subordinate cert from my Enterprise CA, but I am wondering what I can do to ensure certs that are seen outside my network are seen as valid and not untrusted. I thought it would make sense that my Enterprise (single tier) CA would get it's SSL cert from some fancy Internet CA like Verisign or Godaddy, and therefore all certs I generated for my clients or servers would be attached to that chain and validated as cool. Doesn't even seem like that is remotely possible. I looks like the only way to set it up for yourself so that you can issue certs, is to make your server the root... whereby every cert it issues is untrusted by people who have not imported my Enterprise Root Certificate... which I guess is self-signed? No need to get a public SSL cert for that?
My biggest concerns are:
1. One of our VPs that is trying to access his Outlook Web Access account from an IE 6 browser in Nowheresvill, IN is going to have the browser pop up and tell him the certificate is untrusted.
2. That when my AD users use their certs to sign Smime signed or encrypted messages, that the client on the other side of the country, on someone else's domain, is going to get a message that the cert is untrusted.
What do I do to avoid these problems other than continue to pay $29 bucks for every server or client workstation that needs a cert (and also needs that cert to be valid outside my network without an intermediate or root CA download to all our customer's machines). I know that for smime you can send a digitally signed message, and have the remote user create a contact and save the public key- but if the key we send throws and error message, that won't work either.
Thank you so much in advance for your ideas and help.
Start Free Trial
