Solved

Generate a certificate from a privately owned certificate server

Posted on 2009-04-06
Last Modified: 2012-05-06
Hi

My knowledge in certificates is very limited.

I was working on configuring Citrix Secure Gateway, where there was a requirement to install a certificate on that gateway server, which is running on Windows 2003, IIS 6, in the DMZ.

So I installed Microsoft Certificate Services on another server in our LAN and then generated a certificate for my gateway server. Of course, before that I had generated a CSR (cert request) from IIS. Then I downloaded the .p7b and .cer files and installed those certificates on my gateway server.

However, now when I access my gateway server I get the first certificate message, on which I click Continue to move further, and then while accessing my applications it gives me an SSL error saying that my certificate was not generated from a trusted root. So my question is: is it necessary to purchase a certificate from a CA, e.g. VeriSign etc., or should it work with my own generated certificate?

Thanks
Question by:tech2010
LVL 31

Expert Comment

by:Paranormastic
ID: 24081642
Did you import the p7b (I'm assuming this reference is the complete root certificate chain) into both the Citrix server and the accessing client? If not, do that; you might choose to follow along with the next paragraph anyway to take care of two things at once.

If so, you might try importing again, this time manually assigning the store: browse to select the store, checkmark the box to 'show physical stores', then select the Trusted Root Certification Authorities store, then finish the wizard. You need local admin rights to do so; this will make it available to all users as well instead of just the current user.

You can do this from your own CA or using a standard commercial SSL cert (godaddy, comodo, verisign, etc.)

Author Comment

by:tech2010
ID: 24082253
I don't want to install the certificate on the client machine, as my users always log on from different computers, sometimes from an internet cafe, so I can't always tell them to install a certificate on whatever machine they log on from. Of course they don't know anything about certificates, so I just want to know: if I have only installed the certificate on my server, should it not be enough for server and client?

Also, please tell me, if I install a new certificate server, what option should I be selecting during installation, like Enterprise root, Standalone etc.? Which one is the best?

Thanks
LVL 31

Accepted Solution

by:
Paranormastic earned 500 total points
ID: 24088713
If the accessing client does not have your internal CA's root certificate in its trusted root CA store then it will not validate your server certificate.

Either you need to instruct your users that they must import your internal CA root cert from the p7b file or you must shell out a little bit of cash for one that is commonly recognized. I'm not sure how well updated the internet cafes are where you live and how well the users update things; based on that I would recommend either GoDaddy (if you would expect at least XP SP2 or better) or Comodo (for less frequently updated systems as well as current) for an inexpensive SSL certificate. That way you don't need to worry about getting the root trusted since it will already be from Microsoft.

If there are one or two cafes you are concerned about more than the rest (e.g. the place across the street) then you could open up Internet Options - Content - view certificates; alternatively run certmgr.msc. Look at the root CA tab and you will see if GoDaddy is in there or not - Comodo uses the UTN UserFirst root for most of their certs. I think that one of Comodo's roots had an issue with some Citrix installs, but they have another functional root they can issue from to accommodate you if that is still an issue for their primary root - I'm not sure if that related to their current preferred root or an older one... You can just ask their tech support; they are friendly and knowledgeable.
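The trust check described in the answer above (a client accepts the server certificate only if the issuing root is in its trusted root store) can be reproduced on a Windows client. This PowerShell is an added example, not part of the original thread: `Test-CertChainTrust` is a hypothetical helper name, the self-signed certificate is constructed in memory to stand in for an internal CA root that was never imported, and the commented file path is a placeholder. It assumes Windows with .NET Framework 4.7.2 or later.

```powershell
# Added example: does this certificate chain to a root this machine trusts?
function Test-CertChainTrust {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Skip revocation so the result reflects trust anchoring only.
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($Certificate)

    # Last chain element is the highest certificate Windows could find.
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    # Is that certificate in the machine-wide Trusted Root store?
    $inRoot = Test-Path ("Cert:\LocalMachine\Root\" + $top.Thumbprint)

    [pscustomobject]@{
        Subject               = $Certificate.Subject
        ChainTop              = $top.Subject
        Trusted               = $trusted
        TopInMachineRootStore = $inRoot
        Status                = @($chain.ChainStatus |
                                  ForEach-Object { $_.Status.ToString() })
    }
}

# Constructed sample: an in-memory self-signed certificate that exists in no
# certificate store, like a private CA root on a machine that never imported it.
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=Constructed Internal Root CA', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$sample = $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1),
                                [DateTimeOffset]::Now.AddDays(30))

Test-CertChainTrust -Certificate $sample | Format-List

# To check a real exported certificate instead (placeholder path):
# $real = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
#     'C:\path\to\gateway.cer'
# Test-CertChainTrust -Certificate $real | Format-List
```

A `Status` containing `UntrustedRoot` with `Trusted` false is the same condition the browser and the Citrix client report; after the root is imported into the machine's Trusted Root Certification Authorities store, the same call on the gateway certificate should report `Trusted` true.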
LVL 31

Expert Comment

by:Paranormastic
ID: 24116988
"Also, please tell me, if I install a new certificate server, what option should I be selecting during installation, like Enterprise root, Standalone etc.? Which one is the best?"

Sorry, I didn't answer this before... Standalone is best for offline CAs (like your root) and also for issuing certs to third parties. An enterprise CA is good for AD integration, autoenrollment, and using certificate templates.