Solved

Generate a certificate from a privately owned certificate server

Posted on 2009-04-06
Last Modified: 2012-05-06
Hi

My knowledge in certificates is very limited.

I was working on configuring Citrix Secure Gateway, where there was a requirement to install a certificate on that gateway server, which is running Windows 2003, IIS 6, in the DMZ.

So I installed Microsoft Certificate Services on another server in our LAN and then generated a certificate for my gateway server. Of course, before that I had generated a CSR (cert request) from IIS. Then I downloaded the .p7b and .cer files and installed those certificates on my gateway server.

However, now when I access my gateway server I get the first certificate message, on which I click continue to move further, and then while accessing my applications it gives me an SSL error saying that my certificate was not generated from a trusted root. So my question is: is it necessary to purchase a certificate from a CA, e.g. VeriSign, or should it work with my own generated certificate?

Thanks
Question by:tech2010

Expert Comment

by:Paranormastic
Did you import the p7b (I'm assuming this reference is the complete root certificate chain) into both the Citrix server and the accessing client? If not, do that; you might choose to follow along with the next paragraph anyway to take care of two things at once.

If so, you might try importing again, this time manually assigning the store: browse to select the store, check the 'show physical stores' box, then select the Trusted Root Certification Authorities store and finish the wizard. You need local admin rights to do so; this will also make it available to all users instead of only the current user.

You can do this from your own CA or using a standard commercial SSL cert (godaddy, comodo, verisign, etc.)

Author Comment

by:tech2010
I don't want to install a certificate on the client machine, as my users always log on from different computers, like sometimes from an internet cafe, so I can't always tell them to install a certificate on any machine when they log on. Of course they don't know anything about certificates, so I just want to know: if I have only installed the certificate on my server, should it not be enough for server and client?

Also, please tell me, if I install a new certificate server, what option I should be selecting during installation, like Enterprise root, Standalone etc. Which one is the best?

Thanks

Accepted Solution

by:Paranormastic (earned 500 total points)
If the accessing client does not have your internal CA's root certificate in its trusted root CA store then it will not validate your server certificate.

Either you need to instruct your users that they must import your internal CA root cert from the p7b file or you must shell out a little bit of cash for one that is commonly recognized. I'm not sure how well updated the internet cafes are where you live and how well the users update things; based on that, I would recommend either GoDaddy (if you would expect at least XP SP2 or better) or Comodo (for less frequently updated systems as well as current ones) for an inexpensive SSL certificate. That way you don't need to worry about getting the root trusted since it will already be from Microsoft.

If there are one or two cafes you are concerned about more than the rest (e.g. the place across the street), then you could open up Internet Options - Content - view certificates; alternatively, run certmgr.msc. Look at the root CA tab and you will see whether GoDaddy is in there or not. Comodo uses UTN user first root for most of their certs. I think that one of Comodo's roots had an issue with some Citrix installs, but they have another functional root they can issue from to accommodate you if that is still an issue for their primary root. I'm not sure if that related to their current preferred root or an older one... You can just ask their tech support; they are friendly and knowledgeable.
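The trust decision described in the accepted answer, reproduced with the OpenSSL command line as an added example (not part of the original thread): a private root signs a server certificate, which then validates only for a client whose trust store contains that root. All names (Example Internal Root CA, gateway.example.test, the helper functions) are constructed placeholders, and the `openssl` tool is assumed to be installed.

```sh
#!/bin/sh
# Constructed demo: every name below is a placeholder, not taken from the thread.

make_pki() {  # $1 = working directory to fill with keys and certificates
    pki=$1
    # Private self-signed root, standing in for the internal certificate server.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Internal Root CA" \
        -keyout "$pki/root.key" -out "$pki/root.crt" 2>/dev/null || return 1
    # Unrelated root, standing in for a client trust store that lacks our root.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Some Other Root CA" \
        -keyout "$pki/other.key" -out "$pki/other.crt" 2>/dev/null || return 1
    # Server key and CSR (the step IIS performs on the gateway).
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=gateway.example.test" \
        -keyout "$pki/server.key" -out "$pki/server.csr" 2>/dev/null || return 1
    # The private root signs the CSR, producing the server certificate.
    openssl x509 -req -in "$pki/server.csr" -days 30 \
        -CA "$pki/root.crt" -CAkey "$pki/root.key" -CAcreateserial \
        -out "$pki/server.crt" 2>/dev/null || return 1
}

client_trusts() {  # $1 = client trust store (PEM), $2 = server certificate
    # Succeeds only if the certificate chains to a root in the trust store.
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

work=$(mktemp -d) && make_pki "$work" || exit 1

# Client that never imported the internal root (the internet cafe case).
if client_trusts "$work/other.crt" "$work/server.crt"; then
    echo "root not imported: certificate trusted"
else
    echo "root not imported: certificate NOT trusted"
fi

# Client that imported the internal root into its trusted root store.
if client_trusts "$work/root.crt" "$work/server.crt"; then
    echo "root imported: certificate trusted"
else
    echo "root imported: certificate NOT trusted"
fi

rm -rf "$work"
```
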

Expert Comment

by:Paranormastic
"Also, please tell me, if I install a new certificate server, what option I should be selecting during installation, like Enterprise root, Standalone etc. Which one is the best?"

Sorry, I didn't answer this before... Standalone is best for offline CAs (like your root) and also for issuing certs to third parties. Enterprise CA is good for AD integration, autoenrollment, and using certificate templates.