Solved

Generate a certificate from a privately owned certificate server

Posted on 2009-04-06
Last Modified: 2012-05-06
Hi

My knowledge of certificates is very limited.

I was working on configuring Citrix Secure Gateway, where there was a requirement to install a certificate on the gateway server, which is running Windows 2003 and IIS 6 in the DMZ.

So I installed Microsoft Certificate Services on another server in our LAN and then generated a certificate for my gateway server. Of course, before that I had generated a CSR (cert request) from IIS. Then I downloaded the .p7b and .cer files and installed those certificates on my gateway server.

However, now when I access my gateway server I get the first certificate message, on which I click continue to move further, and then while accessing my applications it gives me an SSL error saying that my certificate was not generated from a trusted root. So my question is: is it necessary to purchase a certificate from a CA, e.g. VeriSign etc., or should it work with my own generated certificate?

Thanks
Question by:tech2010
4 Comments
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24081642
Did you import the p7b (I'm assuming this reference is the complete root certificate chain) into both the Citrix server and the accessing client? If not, do that. You might choose to follow along with the next paragraph anyway to take care of two things at once.

If so, you might try importing again and this time manually assigning the store: browse to select the store, checkmark the box to 'show physical stores', then select the Trusted Root Certification Authorities store, then finish the wizard. You need local admin rights to do so. This will make it available to all users as well, instead of the current user.

You can do this from your own CA or using a standard commercial SSL cert (GoDaddy, Comodo, VeriSign, etc.).
0
 

Author Comment

by:tech2010
ID: 24082253
I don't want to install the certificate on the client machine, as my users always log on from different computers, like sometimes from an internet cafe, so I don't always tell them to install a certificate on any machine when they log on. Of course they don't know anything about certificates, so I just want to know: if I have only installed the certificate on my server, should it not be enough for server and client?

Also, please tell me, if I install a new certificate server, what option should I be selecting during installation, like Enterprise root, Standalone etc.? Which one is the best?

Thanks
0
 
LVL 31

Accepted Solution

by:
Paranormastic earned 500 total points
ID: 24088713
If the accessing client does not have your internal CA's root certificate in its trusted root CA store then it will not validate your server certificate.

Either you need to instruct your users that they must import your internal CA root cert from the p7b file, or you must shell out a little bit of cash for one that is commonly recognized. I'm not sure how well updated the internet cafes are where you live and how well the users update things; based on that I would recommend either GoDaddy (if you would expect at least XP SP2 or better) or Comodo (for less frequently updated systems as well as current) for an inexpensive SSL certificate. That way you don't need to worry about getting the root trusted since it will already be from Microsoft.

If there are one or two cafes you are concerned about more than the rest (e.g. the place across the street) then you could open up Internet Options - Content - view certificates; alternatively run certmgr.msc. Look at the root CA tab and you will see if GoDaddy is in there or not - Comodo uses UTN user first root for most of their certs. I think that one of Comodo's roots had an issue with some Citrix installs, but they have another functional root they can issue from to accommodate you if that is still an issue for their primary root - I'm not sure if that related to their current preferred root or an older one... You can just ask their tech support; they are friendly and knowledgeable.
0
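The trust relationship described in the accepted solution above, reproduced offline with OpenSSL as an added example (not part of the original thread): a private root signs a server certificate, and a client accepts it only when that root is in the client's trust store. The subject names and file names are constructed placeholders, and OpenSSL stands in here for the Microsoft CA and the IIS request wizard mentioned in the thread.

```shell
#!/bin/sh
# Constructed demo: private root CA -> server certificate, checked by two clients.
# All names (Example Internal Root CA, gateway.example.test) are made up.

make_pki() {
    dir=$1
    # 1. The internal CA: a self-signed root (stands in for the CA on the LAN).
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Internal Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.crt" 2>/dev/null || return 1
    # 2. The gateway's key pair and CSR (what the web server's wizard produces).
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=gateway.example.test" \
        -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null || return 1
    # 3. The internal CA signs the CSR, producing the server certificate.
    openssl x509 -req -in "$dir/server.csr" -days 30 \
        -CA "$dir/root.crt" -CAkey "$dir/root.key" -CAcreateserial \
        -out "$dir/server.crt" 2>/dev/null || return 1
    # 4. An unrelated root: a client whose trust store holds other roots only.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example Unrelated Root CA" \
        -keyout "$dir/other.key" -out "$dir/other.crt" 2>/dev/null || return 1
}

# Succeeds only if the certificate ($2) chains to a root in the trust file ($1).
client_trusts() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

tmp=$(mktemp -d)
make_pki "$tmp" || { echo "openssl failed" >&2; exit 1; }
for store in root.crt other.crt; do
    if client_trusts "$tmp/$store" "$tmp/server.crt"; then
        echo "client trusting $store: server certificate accepted"
    else
        echo "client trusting $store: rejected (issuer not in trusted roots)"
    fi
done
rm -rf "$tmp"
```

Installing the certificate on the server changes nothing in step 4: the rejection is decided entirely by what the client's trust store contains.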
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24116988
Also, please tell me, if I install a new certificate server, what option should I be selecting during installation, like Enterprise root, Standalone etc.? Which one is the best?

Sorry, I didn't answer this before... Standalone is best for offline CAs (like your root) and also for issuing certs to third parties. Enterprise CA is good for AD integration, autoenrollment, and using certificate templates.
0
