Solved

Generate a certificate from privately owned certificate server

Posted on 2009-04-06
Last Modified: 2012-05-06
Hi

My knowledge in certificates is very limited.

I was working on configuring Citrix Secure Gateway, where there was a requirement to install a certificate on that gateway server, which is running on Windows 2003, IIS 6, in the DMZ.

So I installed Microsoft certificate service on another server in our LAN and then generated a certificate for my gateway server. Of course, before that I had generated a CSR (cert request) from IIS. Then I downloaded the .p7b and .cer files and installed those certificates on my gateway server.

However, now when I access my gateway server I get the first certificate message, on which I click continue to move further, and then while accessing my applications it gives me an SSL error saying that my certificate was not generated from a trusted root. So my question is: is it necessary to purchase a certificate from a CA, e.g. VeriSign etc., or should it work with my own generated certificate?

Thanks
Question by:tech2010
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24081642
Did you import the p7b (I'm assuming this reference is the complete root certificate chain) into both the Citrix server and the accessing client? If not - do that - might choose to follow along next paragraph anyways to take care of two things at once.

If so, might try importing again and this time manually assigning the store: browse to select the store and checkmark the box to 'show physical stores', then select the Trusted Root Certification Authorities store, then finish the wizard. Need local admin rights to do so - this will make it available to all users as well instead of current user.

You can do this from your own CA or using a standard commercial SSL cert (GoDaddy, Comodo, VeriSign, etc.)
 

Author Comment

by:tech2010
ID: 24082253
I don't want to install a certificate on the client machine, as my users always log on from different computers, like sometimes from an internet cafe, so I can't always tell them to install a certificate on any machine when they log on. Of course they don't know anything about certificates, so I just want to know: if I have only installed the certificate on my server, should it not be enough for server and client?

Also, please tell me, if I install a new certificate server, what option should I be selecting during installation, like Enterprise root, Standalone etc.? Which one is the best?

Thanks
 
LVL 31

Accepted Solution

by:
Paranormastic earned 500 total points
ID: 24088713
If the accessing client does not have your internal CA's root certificate in its trusted root CA store then it will not validate your server certificate.

Either you need to instruct your users that they must import your internal CA root cert from the p7b file or you must shell out a little bit of cash for one that is commonly recognized. I'm not sure how well updated the internet cafes are where you live and how well the users update things; based on that I would recommend either GoDaddy (if you would expect at least XP SP2 or better) or Comodo (for less frequently updated systems as well as current) for an inexpensive SSL certificate. That way you don't need to worry about getting the root trusted since it will already be from Microsoft.

If there are one or two cafes you are concerned about more than the rest (e.g. the place across the street) then you could open up Internet Options - Content - view certificates; alternatively run certmgr.msc. Look at the root CA tab and you will see if GoDaddy is in there or not - Comodo uses UTN user first root for most of their certs. I think that one of Comodo's roots had an issue with some Citrix installs, but they have another functional root they can issue from to accommodate you if that is still an issue for their primary root - I'm not sure if that related to their current preferred root or an older one... Can just ask their tech support; they are friendly and knowledgeable.
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24116988
"Also, please tell me, if I install a new certificate server, what option should I be selecting during installation, like Enterprise root, Standalone etc.? Which one is the best?"

Sorry, I didn't answer this before... Standalone is best for offline CAs (like your root) and also for issuing certs to third parties. Enterprise CA is good for AD integration, autoenrollment, and using certificate templates.
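
Added example, not part of the original thread: a PowerShell check that shows, on whichever Windows machine it is run, whether the gateway certificate chains to a root that machine trusts, and whether that root sits in the all-users or the current-user store. The file names `gateway.cer` and `certnew.p7b` are assumed placeholders for the files downloaded from the internal CA.

```powershell
param(
    [string]$ServerCert = '.\gateway.cer',   # placeholder: certificate issued to the gateway
    [string]$ChainFile  = '.\certnew.p7b'    # placeholder: PKCS#7 chain bundle from the CA
)
# .NET does not follow PowerShell's current directory, so resolve to full paths.
$ServerCert = (Resolve-Path $ServerCert).Path
$ChainFile  = (Resolve-Path $ChainFile).Path

$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ServerCert
$extra = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$extra.Import($ChainFile)                    # loads every certificate in the .p7b

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Offer the bundle as candidate issuers only; this does NOT make them trusted.
$chain.ChainPolicy.ExtraStore.AddRange($extra)
# Skip CRL lookups so the result reflects trust in the root, nothing else.
$chain.ChainPolicy.RevocationMode = 'NoCheck'

$trusted = $chain.Build($cert)

"Chain as assembled on this machine:"
foreach ($e in $chain.ChainElements) { "  " + $e.Certificate.Subject }

if ($trusted) {
    "RESULT: chain validates on this machine."
} else {
    "RESULT: chain does NOT validate. Reasons:"
    foreach ($s in $chain.ChainStatus) {
        "  {0}: {1}" -f $s.Status, $s.StatusInformation.Trim()
    }
}

# The last element is the highest certificate the machine could find.
$top       = @($chain.ChainElements)[-1].Certificate
$inMachine = Test-Path ("Cert:\LocalMachine\Root\" + $top.Thumbprint)
# The CurrentUser view also lists machine-wide roots, so test it second.
$inUser    = Test-Path ("Cert:\CurrentUser\Root\" + $top.Thumbprint)

if ($top.Subject -ne $top.Issuer) {
    "Top of chain is not self-signed: an issuer certificate is missing from the bundle."
} elseif ($inMachine) {
    "Root is in LocalMachine\Root: trusted for all users of this machine."
} elseif ($inUser) {
    "Root is in CurrentUser\Root only: trusted for this account, not for others."
} else {
    "Root is in no trusted root store here: clients on this machine will see a trust warning."
}
```

On a machine that has never imported the internal root, the expected status is `UntrustedRoot`, which is the condition the accepted answer describes.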