• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1240

Certificate Authority problem

Hi! I'm trying to set up a Certificate server. We currently have a Windows 2003 Server which is running IIS. We wish to run the Standalone Root CA on a separate server. Every time I've tried to use the certificate on a website, the certificate indicates "this certificate cannot be verified up to a trusted certification authority". I've tried to apply a certificate to the IIS default site running on the CA server and it does not give me this error. Do I need to set up a subordinate CA, or what am I doing wrong? Could someone provide me with detailed instructions on how to set this up?

Thanks!
0
Asked: beaujeanjp
1 Solution
 
lamaslanyCommented:
Have you imported the CA Root certificate into the Trusted Root Certification Authorities list for the computer store?
0
 
segurahCommented:
You must deploy the CA Root certificate on every machine that wishes to make transactions with the Certificate server, so that the client machine can track the root and verify that the certificate it is using was signed by the root.
0
 
beaujeanjpAuthor Commented:
No. Sorry, my knowledge of CA is limited to what I've read, and I haven't found anything mentioning importing the CA root certificate. How is this done?

0
 
beaujeanjpAuthor Commented:
I just wanted to mention these servers are not part of a domain.
0
 
ParanormasticCryptographic EngineerCommented:
You need to have the root CA certificate installed to the trusted root store for both the server and the client - usually the easiest way to do this is via GPO:
Computer Configuration/Windows Settings/Security Settings/Public Key Policies/Trusted Root Certification Authorities

For non-GPO clients, instruct the users to install the certificate - usually the default settings will work regardless of admin rights, but if not then with admin rights try specifying the trusted root store and checking the 'show physical stores' box.

That being said, it is also generally advisable to set up a subordinate CA.  The root CA should be kept offline and only issue certs to create subordinate CAs.  The reason for this is that you cannot revoke a root CA certificate like you can any other certificate under that root.  To save on hardware costs, using virtual machines and storing the VM image on a removable hard drive is one way to keep costs down while maintaining a fairly high security PKI.  The root CA will become the heart of all things IT security - if something happens to that, the cascading issues can be dramatic.  CAs generally don't have high hardware requirements unless your organization is very large, in which case it might be justified to look into an HSM for security and crypto processing speed.

If you really wanted to, you can use the same root to issue two subordinate CAs - one for your standalone CA needs (presuming 3rd party usage here) and another as an enterprise CA (recommend enterprise edition OS for this) so you can integrate with AD, get autoenrollment, templates, and all that good stuff.
0
 
ParanormasticCryptographic EngineerCommented:
To start installing the cert - right click the .crt file and select 'install certificate'.

You can download the CA certificate from http://CAserver/certsrv by selecting the 3rd option - from here you can download the CA certificate or CA certificate chain.  Base64 is the more commonly preferred format, but most applications will accept whichever format you choose here.

For standalone servers, it is not a problem to not be part of the domain.  For the offline root mentioned in my last post - this is actually the preferred way of doing it since the root should be powered down most of the time, except to publish a new CRL every now and then, which you can copy to the CertEnroll directory on the subordinate CA and use a simple copy script from there to move the CRL to the CDP locations.
0
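The two steps described in the last two comments (download the root certificate from certsrv, install it into the machine's Trusted Root store, then check that the web server's certificate now chains to it) as a scripted procedure, added here as an example and not taken from the thread. It assumes the thread's hostnames, server2 for the CA and server1 for the IIS site, and the certnew.cer download link that the certsrv pages point at; the hostname you pass must be the one in the web server certificate's subject, otherwise the report shows a name mismatch rather than a chain error.

```powershell
# Added example: run in an elevated PowerShell on the client that gets the warning.
# Assumed: CA web enrollment at http://server2/certsrv, IIS site at https://server1.
$caUrl   = 'http://server2/certsrv/certnew.cer?ReqID=CACert&Renewal=0&Enc=b64'  # Base64 CA cert
$rootCer = Join-Path $env:TEMP 'server2-root.cer'
(New-Object System.Net.WebClient).DownloadFile($caUrl, $rootCer)

# Look before you trust: a root is self-signed, so Subject and Issuer must be identical,
# and the thumbprint should match what the Certification Authority snap-in on server2 shows.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $rootCer
"Subject:    $($root.Subject)"
"Issuer:     $($root.Issuer)"
"Thumbprint: $($root.Thumbprint)"
if ($root.Subject -ne $root.Issuer) { throw 'Not a self-signed root; download the CA certificate chain instead.' }

# Install into the machine-wide Trusted Root store (what the GPO path does for domain members).
# certutil exists on Windows 2003 and later; -f overwrites an older copy of the same cert.
certutil -addstore -f Root $rootCer | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'certutil failed; make sure this shell is running as administrator.' }

# Fetch the web server's certificate the way a browser would and record the policy errors,
# then rebuild the chain explicitly so each failing link is named instead of one generic warning.
function Get-SiteCertificateReport([string]$HostName, [int]$Port = 443) {
    $script:policyErrors = 'None'
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $cert, $chain, $errors)
        $script:policyErrors = $errors   # e.g. RemoteCertificateChainErrors, RemoteCertificateNameMismatch
        return $true                     # accept anyway so the certificate can be inspected
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($HostName)
    $siteCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
    $ssl.Close(); $tcp.Close()

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # an offline root may not serve its CRL; test trust first
    $trusted = $chain.Build($siteCert)
    New-Object PSObject -Property @{
        Subject      = $siteCert.Subject
        Issuer       = $siteCert.Issuer
        ChainTrusted = $trusted                      # $true once the root is in LocalMachine\Root
        ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        PolicyErrors = $script:policyErrors          # what the browser's warning is actually about
    }
}

Get-SiteCertificateReport -HostName 'server1' | Format-List
```

A result of ChainTrusted = True with PolicyErrors = RemoteCertificateNameMismatch means the trust problem is solved and what remains is the subject name on the web server certificate not matching the URL being visited.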
 
beaujeanjpAuthor Commented:
Alright! At the moment, we can't afford to have an offline Root CA. Secondly, I'm a noob in regards to certificate services and some of the terminology that you use. Is it possible to give me a step-by-step of how to import the CA root certificate for the setup I'm currently running (IIS on server1 and CA on server2)?

Thanks for the quick responses!
0
 
ParanormasticCryptographic EngineerCommented:
Using Group Policy:
http://technet.microsoft.com/en-us/library/cc738131.aspx

Easy install:
http://server2/certsrv/certcarc.asp
(need to allow ActiveX)
Click on "install this CA certificate chain."

0
 
beaujeanjpAuthor Commented:
I no longer get "this certificate cannot be verified up to a trusted certification authority", but when I visit the site after installing the certificate (btw, I set the site so it would require a certificate and SSL), IE tells me that there's a problem with the certificate of the site; if I click on "continue to this website", it gives me an HTTP 403.7 error. If I change the require to accept client certificates, it gives me the same prompt to "continue to the website", I can access it, but get a certificate error. Any ideas?
0
 
beaujeanjpAuthor Commented:
I wanted to check something out. Can I put for a common name CN=<company name> CA, O=<company name>,O=CA or should it be CN=<computer name>,DC=...,DC=...? Some of the problems I'm having may be related, I'm not sure.
0
 
ParanormasticCryptographic EngineerCommented:
Don't enable client certificates.  This is for requiring that the user has a client certificate issued to them that is mapped in IIS to a user account (so the cert is used instead of passwords).  This is not commonly done, so unless you have a requirement to do so, I would recommend not enabling this option.

The CN can be either the full canonical name, or most people just cheat it a little bit and enter CN=server2.domain.com.
0
 
beaujeanjpAuthor Commented:
Are you talking about client certificate mapping or the section "client certificates", which gives you 3 choices: ignore, accept or require? Because this is something we will need eventually so just certain people will be able to access certain sites, but for now, I only need the basics to work without a hitch. OK, I tried disabling the client certificate. Doesn't change anything in regards to the certificate error.
0
 
beaujeanjpAuthor Commented:
I was thinking of re-starting from scratch the install of just the CA.
0
 
beaujeanjpAuthor Commented:
OK! I uninstalled the CA, and re-installed it. I put the common name in "server2.domain.com" form. I requested a certificate for the site, installed this certificate on the site and in my browser. Still gives me the "continue to this website" prompt.
0
 
beaujeanjpAuthor Commented:
Still can't get this to work. I'm looking into getting my self-signed cert trusted.
0
 
beaujeanjpAuthor Commented:
Here's something. I get an error stating that windows cannot verify the certificate and to use the thumbprint to verify it with the website. I guess the configuration of the certificate is wrong.
0
 
ParanormasticCryptographic EngineerCommented:
The ignore/accept/require for client certificates relates to client certificate mapping.  The actual mapping of one or many certificates to accounts happens in a different area.  They are both related to each other - one area is the policy, the other area is the configuration.  Both should normally be ignored.  There's a time and place for everything, but the overhead for configuring client cert auth makes it kind of annoying and in most cases a normal SSL session is enough security.

Did you get the root CA certificate installed into the Trusted Root Certification Authorities certificate store as initially suggested?  When you reinstalled the CA with the different name it would have created a new CA certificate.
0
 
beaujeanjpAuthor Commented:
If you mean this:
"Easy install:
http://server2/certsrv/certcarc.asp
(need to allow ActiveX)
Click on "install this CA certificate chain"

Then yes! This was done. I set the client certificate mapping to ignore. Still get the "continue to the website" prompt though. What we want to eventually do is to have our clients access certain sites that are on our server, and that people that don't have a certificate for the site, cannot access it, but like I said, I need to get the basics working first.
0
 
beaujeanjpAuthor Commented:
When I try to import the certificate in IE8 in the trusted root list, it does not appear.
0
 
beaujeanjpAuthor Commented:
Sorry! I think I just understood what you've been trying to tell me. I installed the certificate chain on the server running IIS and was trying to access the site from my computer and was getting the certificate error "this certificate cannot be verified up to a trusted certification authority". Now I've installed this same certificate chain on my computer and no longer get the error, but how would I get this to work for clients that visit this site, and this can be anyone. We wish to use self-signed certificates and we don't wish to get one from a 3rd party.
0
 
ParanormasticCryptographic EngineerCommented:
That's where the commercial CAs make their money - they paid the bucks to get a trusted environment and were approved by Microsoft, etc., so their root certificate will already be installed on random customer computers.

To use your own root certificate for this, you would need to create documentation of the process and distribute that and require that your business partners, employees, etc. install your root certificate - but ultimately it is up to them to do so.  If you are using this for a general consumer website where you don't already have an association with the users, then this is not normally considered to be a proper solution and you should go with a commercial CA's certificate.  Generally speaking, unless you already know your users connecting to servers protected by your internal certificates, you should not expect most users to trust your root CA enough to import it into their trusted root certificate store.

If you need a commercial certificate, GoDaddy.com has SSL certificates for a very reasonable price of about US$30 per year and their root certificate is already installed for your customers so they don't need to go through all of that.
0
 
beaujeanjpAuthor Commented:
One of the sites is for general consumer use and that's the one I've been working on. The others should not be a problem since we will be installing the certificates ourselves when the time comes. So, no choice but to get a commercial CA's certificate.
0
 
ParanormasticCryptographic EngineerCommented:
Yes, unfortunately the public's desire for a warning-free first visit to establish trust before they spend their cash outweighs the business desire to save a few bucks.
0
