Solved

IE7's problem with self signed certs

Posted on 2008-10-29
11
856 Views
Last Modified: 2013-12-08
Accessing OWA via SSL on a SBS03 server w/SP2 and all current updates IE7 displays the "...problem with this site's certificate..." message.  The PC is XP Pro /SP3.  On the PC installing the cert into the Trusted Root Certificate Authority location makes no difference.  Of course it work flawlessly with IE6.  Anyone know what the fix for IE7 is assuming there is one.
0
Comment
Question by:johncfds
  • 4
  • 3
  • 2
11 Comments
 
LVL 7

Expert Comment

by:Onlyodin
Comment Utility
The only fix I am aware of for this issue is to use a certificate signed by a certificate authority (even if it is via Certificate Services in Windows 2003).

Once you have the Root CA certificate installed to the trusted root certificates, you will be able to open OWA without getting the certificate warning.

If you do not want to buy a commercial certificate, or run your own CA, there are providers out there offering free certificates, in which case you could get a certificate from them and import their Root CA certificate as a Trusted Root Certificate.

Try www.CACert.org as an example.
0
 

Author Comment

by:johncfds
Comment Utility
Had a look at CACert.org.  I am considering it.  Does anyone know if IE8 beta behaves differently?
0
 

Expert Comment

by:curwengroup
Comment Utility
your problem comes from the fact that IE 7 is looking to verify the self signed certificate against a root certificate which is not installed on the machine.
To solve this install both the self signed certificate and the root certificate on the workstations.

when you installed your certification authority (i'm going to assume windows based) it generates it's own root certificate. It's the same as going through a free certification authority but you have already done the work to get those certs setup.
0
 

Author Comment

by:johncfds
Comment Utility
From within IE7 I have clicked "Certificate Error" "View Certificate" "Install Certificate" and installed it to Trusted Root Certificate Authorities with no change. Which of the two cert installs you say must be done is this and how / where do I do the second?
Thank You,
John.
0
How to run any project with ease

Manage projects of all sizes how you want. Great for personal to-do lists, project milestones, team priorities and launch plans.
- Combine task lists, docs, spreadsheets, and chat in one
- View and edit from mobile/offline
- Cut down on emails

 

Expert Comment

by:curwengroup
Comment Utility
here is a guide to importing Root CA certificates into e-mail clients.
While this is not exactly the guide you need it will give you the proper steps for exporting the Root Cert.

http://www.isaserver.org/img/upl/exchangekit/importrootca/importrootca.htm

The certificate you installed if the Web site certificate, If you go into that certificate and check it's certification path you will see that it has another certificate on top of it, that is your Root cert, and the one the guide i linked you will help you get.
0
 
LVL 7

Expert Comment

by:Onlyodin
Comment Utility
Assuming you are using a self-signed certificate, the instructions curwengroup has linked to will never work because IE7 needs a root CA certificate in order to verify the authenticity of the server/website certificate.

I believe this was intended design in IE7 so I doubt that IE8 will go back to the way IE6 behaves.  
0
 

Expert Comment

by:curwengroup
Comment Utility
The linked instructions were not a step by steps of what needs to be done to accomplish this. it only points him in the direction he needs to look to be able to retrieve his self signed root CA certificate, and install it on client machine, to get them to accept the web certificate.
0
 
LVL 7

Accepted Solution

by:
Onlyodin earned 125 total points
Comment Utility
Yes, but if it is a Self-Signed certificate there will be no Root CA Certificate.  Your instructions are good however only applicable if johncfds was running an internal Certificate Authority.  

In my experience IE7 will not acknowledge a Self-Signed certificate even if it is installed as Trusted Root Certificate.

http://webdesign.about.com/od/ssl/a/signed_v_selfsi.htm
0
 

Assisted Solution

by:curwengroup
curwengroup earned 125 total points
Comment Utility
In my experience you need some sort of a certification authority to issue the certificate. I have always done it by installing the Windows Certificate Authority on a server and issuing a web certificate, judging by  johncfds description that is what he did.

in my experience IE7 will always recognize the certs if the machine is part of the domain that the CA is issuing Certs for, it will also always recognize the certs if they are installed in the proper order, ie Root Cert first, web site Cert second. Otherwise it's a draw between update level for OS and update status for IE.
0

Featured Post

Want to promote your upcoming event?

Attending an event? Speaking at a conference? Or exhibiting at a tradeshow? Easily inform your contacts by using a promotional banner in your email signature. This will ensure your organization’s most important contacts are in the know.

Join & Write a Comment

Suggested Solutions

I had to do a bit of research to find the answer to this question so I thought I'd share my results.  Due to our outdated mainframe systems, we need to downgrade IE9 to IE8 in order to stay compatible.  We also needed to downgrade Java.  In order to…
I recently found myself in a Corporate Situation where the client had requested blocking access to any and all websites except his own Domain? Easy? I am sure this would be your answer but their requirement was, this has to be done without using…
Shows how to create a shortcut to site-search Experts Exchange using Google in the Chrome browser. This eliminates the need to type out site:experts-exchange.com whenever you want to search the site. Launch the Search Engine Menu: In chrome, via you…
How to create a custom search shortcut to site-search Experts Exchange using Google in the Firefox browser. This eliminates the need to type out site:experts-exchange.com whenever you want to search the site. Launch your Bookmark Menu: Press 'Ctrl +…

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now