beaujeanjp
Certificate Authority problem

Hi! I'm trying to set up a certificate server. We currently have a Windows 2003 Server which is running IIS. We wish to run the Standalone Root CA on a separate server. Every time I've tried to use the certificate on a website, the certificate indicates "this certificate cannot be verified up to a trusted certification authority". I've tried to apply a certificate to the IIS default site running on the CA server and it does not give me this error. Do I need to set up a subordinate CA, or what am I doing wrong? Could someone provide me with detailed instructions on how to set this up?

Thanks!
lamaslany

Have you imported the CA Root certificate into the Trusted Root Certification Authorities list for the computer store?
segurah

You must deploy the CA Root certificate on every machine that wishes to make transactions with the Certificate server, so that the client machine can track the root and verify that the certificate it is using was signed by the root.
beaujeanjp (ASKER)

No. Sorry, my knowledge of CA is limited to what I've read, and I haven't found anything mentioning importing the CA root certificate. How is this done?

I just wanted to mention these servers are not part of a domain.
You need to have the root CA certificate installed to the trusted root store for both the server and the client - usually the easiest way to do this is via GPO:
Computer Configuration/Windows Settings/Security Settings/Public Key Policies/Trusted Root Certification Authorities

For non-GPO clients, instruct the users to install the certificate - usually the default settings will work regardless of admin rights, but if not then with admin rights try specifying the trusted root store and checking the 'show physical stores' box.

That being said, it is also generally advisable to set up a subordinate CA.  The root CA should be kept offline and only issue certs to create subordinate CAs.  The reason for this is that you cannot revoke a root CA certificate like you can any other certificate under that root.  To save on hardware costs, using virtual machines and storing the VM image on a removable hard drive is one way to keep costs down while maintaining a fairly high security PKI.  The root CA will become the heart of all things IT security - if something happens to that, the cascading issues can be dramatic.  CAs generally don't have high hardware requirements unless your organization is very large, in which case it might be justified to look into an HSM for security and crypto processing speed.

If you really wanted to, you can use the same root to issue two subordinate CAs - one for your standalone CA needs (presuming 3rd party usage here) and another as an enterprise CA (recommend enterprise edition OS for this) so you can integrate with AD, get autoenrollment, templates, and all that good stuff.
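The two things the reply above asks for (get the root certificate into the machine-wide Trusted Root store on both the IIS server and each non-domain client, then confirm the web server's certificate actually chains to it) can be checked with a short script. This is an added example written for this thread, not code from the original posts; the file paths and the expected host name are assumptions, and `certutil.exe` is used because it ships with Windows and is the tool this generation of CA was administered with.

```powershell
# Added example (not from the original thread). Install a standalone root CA's
# certificate into LocalMachine\Root and verify that a server certificate chains
# to it. Run in an elevated PowerShell on the IIS server and on each client.
param(
    [string]$RootCaCert   = 'C:\pki\rootca.cer',    # assumed: exported from http://CAserver/certsrv
    [string]$ServerCert   = 'C:\pki\server2.cer',   # assumed: the web site's certificate
    [string]$ExpectedHost = 'server2.domain.com'    # assumed: the name users type into the browser
)

# 1. Import into the machine store (not CurrentUser) so every account on the box,
#    including the IIS worker process, trusts it. '-f' replaces an older copy,
#    which matters after the CA has been reinstalled and has a new root cert.
& certutil.exe -addstore -f Root $RootCaCert | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil could not add $RootCaCert to the Root store" }

# 2. Confirm presence by thumbprint, not by name: a reinstalled CA keeps the same
#    subject but has a different key, and a stale root in the store still
#    produces the 'cannot be verified up to a trusted CA' warning.
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($RootCaCert)
$inStore = Get-ChildItem Cert:\LocalMachine\Root |
           Where-Object { $_.Thumbprint -eq $root.Thumbprint }
if (-not $inStore) { throw "Root '$($root.Subject)' is not in LocalMachine\Root" }
Write-Host "Trusted root present: $($root.Subject) [$($root.Thumbprint)]"

# 3. Build the server certificate's chain the way the browser does. Revocation is
#    skipped here on purpose; reaching the CRL is a separate problem from trust.
$server = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ServerCert)
$chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk = $chain.Build($server)

# Report every element, top to bottom, plus any status flags (e.g. UntrustedRoot).
foreach ($el in $chain.ChainElements) {
    $status = ($el.ChainElementStatus | ForEach-Object { $_.Status }) -join ','
    Write-Host ("  {0}  [{1}]" -f $el.Certificate.Subject, $(if ($status) { $status } else { 'OK' }))
}

# The chain's top element must be the root we just installed, not some other CA.
$chainRoot = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($chainRoot.Thumbprint -ne $root.Thumbprint) {
    Write-Warning "Server cert chains to '$($chainRoot.Subject)', not to the installed root"
}

# 4. Trust alone does not remove the browser prompt: the name in the certificate
#    must match the host name in the URL. X509Chain does not check this.
$dnsName = $server.GetNameInfo(
    [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
if ($dnsName -ne $ExpectedHost) {
    Write-Warning "Certificate is issued to '$dnsName' but users browse to '$ExpectedHost'"
}

if ($chainOk) { Write-Host 'Chain builds to a trusted root.' } else { Write-Warning 'Chain does NOT build.' }
```

Step 4 is the check worth keeping in mind once the trust warning is gone: a certificate that chains correctly but carries a different name than the one in the address bar still triggers the browser's "continue to this website" prompt.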
To start installing the cert - right click the .crt file and select 'install certificate'.

You can download the CA certificate from http://CAserver/certsrv by selecting the 3rd option - from here you can download the CA certificate or CA certificate chain.  Base64 is the more commonly preferred format, but most applications will accept whichever format you choose here.

For standalone servers, it is not a problem to not be part of the domain.  For the offline root mentioned in my last post - this is actually the preferred way of doing it since the root should be powered down most of the time, except to publish a new CRL every now and then, which you can copy to the CertEnroll directory on the subordinate CA and use a simple copy script from there to move the CRL to the CDP locations.
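The "simple copy script" mentioned above, as an added example that is not part of the original post: it takes the CRL that was carried from the offline root into the subordinate CA's CertEnroll folder, refuses to publish it if it is already past its NextUpdate, copies it to the HTTP CDP share and optionally publishes it to Active Directory. The CRL file name, the share path and the `NextUpdate` date format parsed out of `certutil -dump` are assumptions.

```powershell
# Added example (not from the original thread). Publish the offline root CA's CRL
# from the subordinate CA's CertEnroll directory to the CDP locations.
param(
    [string]$CrlFile     = 'C:\Windows\System32\CertSrv\CertEnroll\RootCA.crl',  # assumed file name
    [string]$HttpCdpPath = '\\server1\wwwroot\pki',                               # assumed UNC of the HTTP CDP folder
    [switch]$PublishToAd                                                           # LDAP CDP; only meaningful with an enterprise CA
)

if (-not (Test-Path $CrlFile)) { throw "CRL not found: $CrlFile" }

# 1. Read the CRL's validity window. certutil -dump prints 'ThisUpdate:' and
#    'NextUpdate:' lines; the date format depends on the system locale, so the
#    parse is best-effort and warns rather than guesses.
$dump = & certutil.exe -dump $CrlFile
if ($LASTEXITCODE -ne 0) { throw "certutil could not read $CrlFile (is it really a CRL?)" }
$nextLine = $dump | Select-String -Pattern 'NextUpdate:' | Select-Object -First 1
if ($nextLine) {
    $nextText = ($nextLine.Line -replace '.*NextUpdate:\s*', '').Trim()
    try {
        $nextUpdate = [datetime]::Parse($nextText)
        if ($nextUpdate -lt (Get-Date)) {
            throw "CRL expired on $nextUpdate; bring the root online and issue a fresh one first"
        }
        Write-Host "CRL valid until $nextUpdate"
    } catch [System.FormatException] {
        Write-Warning "Could not parse NextUpdate '$nextText'; check the date by hand"
    }
}

# 2. HTTP CDP: copy only if the new file is newer than what is already published,
#    so a stale CRL carried in by mistake never replaces a good one.
$dest = Join-Path $HttpCdpPath (Split-Path $CrlFile -Leaf)
if ((Test-Path $dest) -and ((Get-Item $dest).LastWriteTime -ge (Get-Item $CrlFile).LastWriteTime)) {
    Write-Host "Published copy at $dest is already current; skipping HTTP copy"
} else {
    Copy-Item -Path $CrlFile -Destination $dest -Force
    Write-Host "Copied CRL to $dest"
}

# 3. LDAP CDP: certutil -dspublish writes the CRL into the AD CDP container.
#    Requires rights on the Public Key Services container and an AD-joined CA.
if ($PublishToAd) {
    & certutil.exe -dspublish -f $CrlFile
    if ($LASTEXITCODE -ne 0) { throw 'certutil -dspublish failed' }
    Write-Host 'CRL published to Active Directory'
}

# 4. Sanity check: the URLs in the root certificate's CDP extension are what clients
#    will actually fetch, so the published file must be reachable at those locations.
Write-Host 'Verify the copy is reachable at every URL listed under "CRL Distribution Point" in the root certificate.'
```

Schedule this as a task on the subordinate CA rather than running it by hand; the root's CRL expiring silently is the most common way an offline-root design breaks, because chain building on every client starts failing at once.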
Alright! At the moment, we can't afford to have an offline Root CA. Secondly, I'm a noob in regards to certificate services and some of the terminology that you use. Is it possible to give me a step-by-step of how to import the CA root certificate for the setup I'm currently running (IIS on server1 and CA on server2)?

Thanks for the quick responses!
Using Group Policy:
http://technet.microsoft.com/en-us/library/cc738131.aspx

Easy install:
http://server2/certsrv/certcarc.asp
(need to allow ActiveX)
Click on "install this CA certificate chain."

I no longer get "this certificate cannot be verified up to a trusted certification authority", but when I visit the site after installing the certificate (btw, I set the site so it would require a certificate and SSL), IE tells me that there's a problem with the certificate of the site; if I click on continue to this website, it gives me an HTTP 403.7 error. If I change the "require" to "accept" client certificates, it gives me the same prompt to "continue to the website"; I can access it, but get a certificate error. Any ideas?
I wanted to check something out. Can I put for a common name CN=<company name> CA, O=<company name>,O=CA or should it be CN=<computer name>,DC=...,DC=...? Some of the problems I'm having may be related, I'm not sure.
Don't enable client certificates.  This is for requiring that the user has a client certificate issued to them that is mapped in IIS to a user account (so the cert is used instead of passwords).  This is not commonly done, so unless you have a requirement to do so, I would recommend not enabling this option.

The CN can be either the full canonical name, or most people just cheat it a little bit and enter CN=server2.domain.com.
Are you talking about client certificate mapping or the section "client certificates", which gives you 3 choices: ignore, accept or require? Because this is something we will need eventually so just certain people will be able to access certain sites, but for now, I only need the basics to work without a hitch. OK, I tried disabling the client certificate. Doesn't change anything in regards to the certificate error.
I was thinking of re-starting from scratch the install of just the CA.
OK! I uninstalled the CA, and re-installed it. I put the common name in "server2.domain.com" form. I requested a certificate for the site, installed this certificate on the site and in my browser. Still gives me the "continue to this website" prompt.
Still can't get this to work. I'm looking into getting my self-signed cert trusted.
Here's something. I get an error stating that Windows cannot verify the certificate and to use the thumbprint to verify it with the website. I guess the configuration of the certificate is wrong.
The ignore/accept/require for client certificates relates to client certificate mapping.  The actual mapping of one or many certificates to accounts happens in a different area.  They are both related to each other - one area is the policy, the other area is the configuration.  Both should normally be ignored.  There's a time and place for everything, but the overhead for configuring client cert auth makes it kind of annoying and in most cases a normal SSL session is enough security.

Did you get the root CA certificate installed into the Trusted Root Certification Authorities certificate store as initially suggested?  When you reinstalled the CA with the different name it would have created a new CA certificate.
If you mean this:
"Easy install:
http://server2/certsrv/certcarc.asp
(need to allow ActiveX)
Click on "install this CA certificate chain"

Then yes! This was done. I set the client certificate mapping to ignore. Still get the "continue to the website" prompt though. What we want to eventually do is to have our clients access certain sites that are on our server, and that people that don't have a certificate for the site, cannot access it, but like I said, I need to get the basics working first.
When I try to import the certificate in IE8 in the trusted root list, it does not appear.
Sorry! I think I just understood what you've been trying to tell me. I installed the certificate chain on the server running IIS and was trying to access the site from my computer and was getting the certificate error "this certificate cannot be verified up to a trusted certification authority". Now I've installed this same certificate chain on my computer and no longer get the error, but how would I get this to work for clients that visit this site, and this can be anyone. We wish to use self-signed certificates and we don't wish to get one from a 3rd party.
ASKER CERTIFIED SOLUTION
Paranormastic

One of the sites is for general consumer use and that's the one I've been working on. The others should not be a problem since we will be installing the certificates ourselves when the time comes. So, no choice but to get a commercial CA's certificate.
Yes, unfortunately the public's desire for a warning-free first visit to establish trust before they spend their cash outweighs the business desire to save a few bucks.