
Generate a certificate from a privately owned certificate server

Hi

My knowledge of certificates is very limited.

I was working on configuring Citrix Secure Gateway, where there was a requirement to install a certificate on the gateway server, which is running on Windows 2003 with IIS 6, in the DMZ.

So I installed Microsoft Certificate Services on another server in our LAN and then generated a certificate for my gateway server. Of course, before that I had generated a CSR (certificate request) from IIS. Then I downloaded the .p7b and .cer files and installed those certificates on my gateway server.

However, now when I access my gateway server I get the first certificate message, on which I click Continue to move further, and then while accessing my applications it gives me an SSL error saying that my certificate was not generated from a trusted root. So my question is: is it necessary to purchase a certificate from a CA, e.g. VeriSign etc., or should it work with my own generated certificate?

Thanks
Asked by tech2010

1 Solution
Paranormastic (Cryptographic Engineer) commented:
Did you import the p7b (I'm assuming this is the complete root certificate chain) into both the Citrix server and the accessing client? If not, do that; you might choose to follow along with the next paragraph anyway to take care of two things at once.

If so, you might try importing again and this time manually assigning the store: browse to select the store, check the box 'Show physical stores', then select the Trusted Root Certification Authorities store and finish the wizard. You need local admin rights to do so; this will make it available to all users as well, instead of just the current user.

You can do this with a cert from your own CA or a standard commercial SSL cert (GoDaddy, Comodo, VeriSign, etc.).
tech2010 (Author) commented:
I don't want to install a certificate on the client machine, as my users always log on from different computers, sometimes from an internet cafe, so I don't always tell them to install a certificate on whichever machine they log on from. Of course they don't know anything about certificates, so I just want to know: if I have only installed the certificate on my server, should that not be enough for server and client?

Also, please tell me, if I install a new certificate server, which option should I be selecting during installation, like Enterprise root, Standalone, etc.? Which one is the best?

Thanks

Paranormastic (Cryptographic Engineer) commented:
If the accessing client does not have your internal CA's root certificate in its trusted root CA store, then it will not validate your server certificate.

Either you need to instruct your users that they must import your internal CA root cert from the p7b file, or you must shell out a little bit of cash for one that is commonly recognized. I'm not sure how well updated the internet cafes are where you live and how well the users update things; based on that I would recommend either GoDaddy (if you would expect at least XP SP2 or better) or Comodo (for less frequently updated systems as well as current ones) for an inexpensive SSL certificate. That way you don't need to worry about getting the root trusted, since it will already be there from Microsoft.

If there are one or two cafes you are concerned about more than the rest (e.g. the place across the street), then you could open Internet Options - Content - View Certificates; alternatively run certmgr.msc. Look at the root CA tab and you will see whether GoDaddy is in there or not. Comodo uses the UTN-USERFirst root for most of their certs. I think that one of Comodo's roots had an issue with some Citrix installs, but they have another functional root they can issue from to accommodate you if that is still an issue for their primary root; I'm not sure if that related to their current preferred root or an older one... You can just ask their tech support; they are friendly and knowledgeable.
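The point made in the two replies above (the client must hold the internal CA's root in its trusted root store, and the root to import is the one carried in the .p7b) can be reproduced end to end with the OpenSSL command-line tool. The script below is an added example; it is not from the thread and not Citrix or Microsoft code. It plays the role of the poster's private CA, issues a gateway certificate from a CSR, builds the .p7b bundle, and then checks the issued certificate as a client would: first with only the roots the system shipped with, then with the private root extracted from the .p7b. The working directory, the CA name "Example Internal Root CA" and the host name gateway.example.com are made up for the demo; the openssl CLI must be installed.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce the poster's setup with
# the openssl CLI. A private root CA signs the gateway's CSR, then the issued
# certificate is checked the way a client would check it, once with only the
# roots the system shipped with and once with the private root imported from
# the .p7b bundle. WORK, "Example Internal Root CA" and gateway.example.com
# are made-up names for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"

make_private_ca_and_server_cert() {
    cd "$WORK"
    # 1. Private, self-signed root CA: stands in for the Microsoft Certificate
    #    Services root the poster installed on a LAN server. keyCertSign makes
    #    openssl treat it as a CA even when no openssl.cnf is found.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Internal Root CA" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -keyout root.key -out root.pem >/dev/null 2>&1
    # 2. Gateway key and CSR: stands in for the request generated from IIS.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=gateway.example.com" \
        -keyout server.key -out server.csr >/dev/null 2>&1
    # 3. The CA signs the CSR; server.pem is the issued certificate (the .cer).
    openssl x509 -req -in server.csr -CA root.pem -CAkey root.key \
        -CAcreateserial -days 365 -out server.pem >/dev/null 2>&1
    # 4. PKCS#7 chain bundle (the .p7b) carrying the root: this is the file a
    #    client has to import into its trusted root store.
    openssl crl2pkcs7 -nocrl -certfile root.pem -out chain.p7b >/dev/null 2>&1
}

# Extract the certificates from the .p7b into a PEM file usable as a trust
# anchor file and print its path. This is the "import the root from the p7b"
# step, in OpenSSL terms.
root_from_p7b() {
    cd "$WORK"
    openssl pkcs7 -in chain.p7b -print_certs -out root_from_p7b.pem >/dev/null 2>&1
    echo "$WORK/root_from_p7b.pem"
}

# Check server.pem as a client would. With no argument only the trust store
# the system shipped with is consulted, like a cafe PC that never imported the
# private root. With a file argument, that file is added as trust anchors.
# Returns 0 on success, non-zero when the chain does not end in a trusted root.
client_validates() {
    cd "$WORK"
    if [ -n "$1" ]; then
        openssl verify -CAfile "$1" server.pem >/dev/null 2>&1
    else
        openssl verify server.pem >/dev/null 2>&1
    fi
}

make_private_ca_and_server_cert
if client_validates ""; then
    echo "unexpected: validated without the private root"
else
    echo "client WITHOUT the private root: validation fails (the poster's SSL error)"
fi
if client_validates "$(root_from_p7b)"; then
    echo "client WITH the root imported from chain.p7b: validation succeeds"
else
    echo "unexpected: validation failed even with the private root"
fi
```

The first check fails with "unable to get local issuer certificate", which is the OpenSSL spelling of the "not generated from a trusted root" error the poster sees; the second succeeds. On the Windows clients discussed in the thread, the equivalent of the -CAfile argument is the Trusted Root Certification Authorities store of the local machine, which is why installing the certificate only on the gateway, or importing the root into some other store on the client, does not clear the error.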
Paranormastic (Cryptographic Engineer) commented:
"Also, please tell me, if I install a new certificate server, which option should I be selecting during installation, like Enterprise root, Standalone, etc.? Which one is the best?"

Sorry, I didn't answer this before... Standalone is best for offline CAs (like your root) and also for issuing certs to third parties. An Enterprise CA is good for AD integration, autoenrollment, and using certificate templates.