butlertg
asked on
Intranet Certificate
I have a certificate that I created w/ MS Certificate Server that I would like to use on an Intranet. How do I resolve the issue of the site warning the visitor that the certificate is from an untrusted source? I believe this must be done on the client's browser? Can this be done programmatically, like thru ASP or something?
Thanx,
butlertg
I don't think you can program that. For something to come from a trusted host it must be signed from a trusted CA (There are very few... Verisign)
CJ
The answer is that each browser will have to contact the server which issued the certificate and install the root certificate. I do not think you can do this programmatically.
At one time, I was fairly certain that there was an option in IE4 and/or 5 to "add the issuer to the trusted issuers list", but I have been unable to confirm that with M$ or any of my regular sources.
Tom
ASKER
So is there no way to use a "home-made" certificate w/o getting those warnings? I mean without changing the option in every user's browser.
butlertg
ASKER CERTIFIED SOLUTION
If you notice, sometimes you will even get M$ certificate warnings.
Trust me, if there was a way to do it programmatically ... they would have done it.
CJ
[As cheekycj noted] you can prevent them by asking Verisign [www.versisign.com] or some other trusted CA to sign your key.
Verisign (or any other trusted CA) will probably not "sign" your key, but, rather, sell you their own certificate. This defeats the purpose of creating a M$ certificate in the first place.
Well, I think they could sign yours. But the price will be the same.
The reason for generating your own vs buying from, say, Verisign is that in case you generate it, the certificate's secret key _NEVER_ leaves your hands and NO ONE but you has it. This could make a difference for the paranoid. And if you are using SSL you should be one.
ASKER
Thanx to everybody for your help!!
Hopefully these problems will be acceptable to users. Dang M$!
butlertg
http://www.microsoft.com/security/tech/Certificates/enroll.asp?RLD=287
There are security levels that can be set on IE that could have an effect on the certs.
Mark
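
The trust relationship discussed in this thread, as an added example that is not part of the original posts: a home-made root CA signs a server certificate, and validation fails until the client is handed that root as a trust anchor. The CA name, host name and file names are constructed, and the openssl command-line tool (1.1.1 or later) is assumed to be installed.

```shell
#!/bin/sh
# Added example: constructed names, throwaway keys in a temp directory.

# Create a private root CA and a server certificate signed by it.
make_pki() {
    dir=$1
    cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Constructed Intranet Root CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
    # Root key and self-signed root certificate, both generated locally.
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -days 30 2>/dev/null || return 1
    # Server key and CSR: only the CSR (public key) is handed to the CA.
    openssl req -new -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=intranet.example.internal" \
        -keyout "$dir/srv.key" -out "$dir/srv.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$dir/srv.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -out "$dir/srv.crt" -days 30 2>/dev/null
}

# Client that has never seen the private root: chain building fails.
verify_default_store() {
    openssl verify "$1/srv.crt" >/dev/null 2>&1
}

# Client whose trust anchors include the private root: validation succeeds.
verify_with_root() {
    openssl verify -CAfile "$1/ca.crt" "$1/srv.crt" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d) || return 1
    make_pki "$d" || { rm -rf "$d"; return 1; }
    verify_default_store "$d" && before=trusted || before=untrusted
    verify_with_root "$d" && after=trusted || after=untrusted
    rm -rf "$d"
    echo "without root: $before / with root installed: $after"
}

demo
```

The browser warning corresponds to the first result; only `ca.crt` is distributed to clients, while `ca.key` and `srv.key` stay on the machines that generated them.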