  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2339

This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store.

I installed Certificate Server & configured it per http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html

My intent is to issue SSL certificate for OWA and not get a "Certificate Error" in IE7.

When I access the web/OWA/Exchange server from a machine across the Internet, I receive the "Certificate Error". When I view the certificate, I find "This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store."

I believe the certificate server was to resolve this.

Where to go from here?
Asked by rwickersham
2 Solutions
 
mikeewalton commented:
When you view the certificate, click install certificate, click place in following store, then place it in the trusted root store.  Close IE, reopen go back to the page, and the error will be gone.

You will have to do this on each and every client; the only way around it is to use a public cert.
0
 
Dave Howe (Software and Hardware Engineer) commented:
What mike said is essentially correct.

The only difference between a "commercial" (paid for) certificate and one you make yourself is that all browsers have the CA "root" certificate in their root stores by default, but yours is freshly minted and not in anyone's store.

However, you can push out new certificates to machines you control in several manners - if nothing else, they are just registry keys, and can be exported/imported as such. You can also push out new root certs via group policy (and in fact, can *issue* client side certificates in a similar manner, allowing you to use them for email security and client authentication) or, failing that, just email the root .cer file to all your users and tell them to double-click it.
0
 
rwickersham (Author) commented:
I was confused on multiple items.  I understood, apparently mistakenly, from http://www.msexchange.org/tutorials/SSL_Enabling_OWA_2003.html, that manual importation of the certificate in the "trusted root store" was no longer necessary.  When I did add the certificate to the "trusted root store" I still received the error.  I failed to close & re-launch the browser.... Stoopid me!

Obviously, a GP push won't happen over the internet.

Lastly, I am gathering the certificate server merely generates self-signed certificates.  I have generated these over the years using OpenSSL.  How is the certificate server any different?  What additional functionality does the certificate server perform?
0
 
Paranormastic (Cryptographic Engineer) commented:
That link is incomplete (or I'm missing where they mention this) - they should have instructed you to install the root cert on the server and the client.

You can make the root cert available on a public link - you will also need to have at least one of your CRL Distribution Points (CDP) and Authority Information Access (AIA) locations be publicly accessible - usually easiest to use a scheduled task on the CA to run a script prior to CRL expiration, then copy it to the public location.  Can script a CRL publish with: certsrv -crl

In your OWA documentation just include the instructions on how to import your root cert including the download URL.  You can always rename the .crt file to make it easier, e.g. http://www.domain.com/pki/CompanyRoot.crt

Alternatively, you can get a commercial cert for about 30 bucks from GoDaddy and it will be part of the cert store already for your users.  If you plan to go for ex2007 then you may want to look into getting a UC cert instead for about 70 bucks.
0
 
Paranormastic (Cryptographic Engineer) commented:
Lastly, I am gathering the certificate server merely generates self-signed certificates.  I have generated these over the years using OpenSSL.  How is the certificate server any different?  What additional functionality does the certificate server perform?


-- This is not completely correct.  The CA server will generate a single self-signed certificate for the root CA.  All certificates issued under that root will be signed by that root's certificate in some way - typically there will be at least a second tier subordinate CA that does the main issuing of certs, so the root itself only signs the sub CA directly.  Then the certificate chaining engine will process the signature trail up to the trusted root.

The advantage is that you only need to trust the root CA's cert.  Once that is in, all the rest are trusted.  You don't need to import the self-signed cert for every single web site, etc., that you use your cert for.

The commercial CA certs work the exact same way - the part you are paying for is the convenience that they already have their root installed in most browsers, and that they add a certain level of trust by validating that the company asserting the certificate is the legitimate owner (nothing more - they do not certify the business practices, just that they are who they say they are).
0
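As an added example (not code from this thread), here is the chain-building logic Paranormastic and Dave Howe describe, written in Python with the `cryptography` package: a constructed two-tier PKI (self-signed root, subordinate issuing CA, an OWA server cert) and a walk from the server cert up to the client's trust store. Only the root has to be in the trusted set; leaving it out reproduces the "root not trusted" failure from the question. The CA names and hostname are made up for the example.

```python
import datetime
from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

def make_cert(cn, key, issuer=None, issuer_key=None, is_ca=False):
    """Self-signed when issuer is None; otherwise signed by issuer_key."""
    subject = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject)
            .issuer_name(issuer.subject if issuer else subject)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(minutes=5))
            .not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key or key, hashes.SHA256()))

def build_demo_pki():
    """Constructed two-tier PKI: self-signed root, subordinate issuing CA, OWA leaf."""
    root_key, sub_key, leaf_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = make_cert("Company Root CA", root_key, is_ca=True)          # root signs only the sub CA
    sub = make_cert("Company Issuing CA", sub_key, root, root_key, is_ca=True)
    leaf = make_cert("owa.example.com", leaf_key, sub, sub_key)       # end-entity (web server) cert
    return root, sub, leaf

def chain_to_trusted_root(leaf, untrusted, trusted_roots, max_depth=8):
    """Walk issuer links upward from the leaf, verifying each signature. Returns
    (True, chain) if the walk ends at a cert in trusted_roots, else (False, reason)."""
    candidates = list(untrusted) + list(trusted_roots)
    chain, cert = [leaf], leaf
    for _ in range(max_depth):  # bounded so a mis-built chain cannot loop forever
        if cert in trusted_roots:
            return True, chain
        if cert.subject == cert.issuer:  # reached a self-signed cert the client does not trust
            return False, f"self-signed {cert.subject.rfc4514_string()} is not a trusted root"
        issuer = next((c for c in candidates if c.subject == cert.issuer), None)
        if issuer is None:  # the root was never installed on the client: the IE error
            return False, f"no certificate found for issuer {cert.issuer.rfc4514_string()}"
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       ec.ECDSA(cert.signature_hash_algorithm))
        except InvalidSignature:
            return False, f"signature on {cert.subject.rfc4514_string()} does not verify"
        chain.append(issuer)
        cert = issuer
    return False, "chain too long"
```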
 
Dave Howe (Software and Hardware Engineer) commented:
It has no additional functionality to a CA based on OpenSSL - however, in conjunction with AD, it can be used to force-issue certificates to workstations or users who are members of the domain (and that's it, there are no other additional features).

The only way to get a certificate that is already accepted (i.e. leads to a root cert in the certificate store of the connecting machine) is to force that certificate there out-of-band or to buy one from a CA whose certificate is supplied with the browser.
0
 
Dave Howe (Software and Hardware Engineer) commented:
Oh, and the MS CA generates two-level certificates - it has a self-signed (CA) issuing certificate, which it uses to sign actual end-node certificates (so web server or user).
0
 
Paranormastic (Cryptographic Engineer) commented:
Anything else we can help you with, or are you all set?
0