CA Root certificate is not trusted

I have not worked much with certificates and have an enquiry.

We are currently in transition to an alternate ISP that will provide hosting and email but the new server is not yet set up with pointers to their nameservers.

When navigating to the admin panel or webmail login the following message is received...
"This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store."

This will cause all users grief in not knowing what to do and I am not sure of the cause/resolution. Is this something that needs to be fixed on the ISP end so the certificate is trusted? Or is it something that needs to be done on each connecting PC so that the certificate is trusted? I have never had to do this before and feel it has to do with the new ISP. Further, I do not know if it is simply because we have not yet gone "live".

Make sense??


It depends if it needs to be done by all machines or by the ISP. To give a brief description on how certificates work..

Normally, you would have specific companies that everyone finds trustworthy, like VeriSign or Thawte. They have root certificates (which is the king of all certificates for that company) that are trusted by Internet Explorer because Microsoft says that they are both trustworthy companies. If you would like to have your own certificate, you would go to VeriSign and ask for a certificate. Because they trust you (yes, you need to fill in a LOT of paperwork :)) and Microsoft trusts them (by root cert), Microsoft trusts you.

If, however, you decide to create your own certificate server, then you have your own godlike certificate which is not trusted by Microsoft, hence the error that the certificate is not trusted in the root certificate authority store. If you are 100% absolutely sure that you trust the root certificate (so the company or person that assigned the certificate for your OWA), you can install it. Simply click on the certificate, press view (depending on what version you have, just click a bit on the yellow lock IE shows) and install it by clicking next next next next...... etc etc and then finish. Voila, root certificate installed, root source trusted and error gone away :) :)
DanielTAuthor Commented:
I have not encountered this before with an ISP and would have thought they should have it "registered" so that it is trusted. As mentioned they are hosting web and eMail services (this is 3rd party, not internal). I would have expected it to be transparent and to not have to do this on each workstation that MAY access webmail.

Would it not be fair to request they "fix it"?
Will this correct itself when the site goes "live"?

Thanks, again....

DanielTAuthor Commented:
I had already seen the E-E link but will have to study the MS link a little more closely.
Thanks for providing.

Realizing I may not be grasping this fully yet, I still have same questions as last posted...
- Would it not be expected that the ISP use a Windows Trusted Certificate?
- Will this perhaps correct itself (ie: the certificate be seen as trusted without overriding/trusting on each workstation) when the website goes "live"?

Again - I have never seen a certificate issue with any other ISP - so why now?
DanielT--Since I do not know the ISP, I think your questions are something to ask the new ISP.  If they want your business, they should try hard to answer and satisfy you.
DanielTAuthor Commented:
Appreciate your posts... never hurts (too much <grin>) to learn more!

Sorry if it has not been clear but I was trying to establish that what I am thinking is correct to approach the ISP as I am not all that familiar with certificates and have not encountered this issue before.

The site will now transition soon so I will see what happens and then contact them about the issue. Thought it might be a simple "Yes - they need to ensure their root certificate is trusted" before I did that.

If this is a production website and they are hosting it for you then yes, they should fix it; it is not your concern that they are using a non-trusted certificate. I would ask them if this is just because the name of the site is different than the certificate ones. If so, don't worry, it will all be fixed when you go into production; else they should update or change or do whatever with that certificate.
ParanormasticCryptographic EngineerCommented:
If this just affects things that you will be accessing, like the admin console, then this isn't too big of a deal.  The webmail also isn't too big of a deal if you are the only one accessing it.  If this comes up on https: pages for your production site as well - that is more of an issue.

Some hosting companies provide an SSL cert as part of the package, some don't.  If they don't they will let you create your own self-signed certificate, which is probably what you are seeing.  Technically it works fine, but don't expect anyone else to trust it besides you and maybe your employees, if any.  They may offer a deal for getting an SSL cert or have a method for requesting a legitimate cert, say from Godaddy, Comodo, or Verisign, within their console - they may just provide the tools to create the cert request file that you can submit yourself to the cert vendor of your choice instead of them doing it for you.

The cheaper places tend to give fewer services in their package.  That's business.  It's why you get onions on your McDonald's cheeseburger but you don't on your Burger King cheeseburger.  You can ask BK to put onions on and they will do so, but you may or may not end up paying 30 cents extra for it.
DanielTAuthor Commented:
A little more detail...

Issue is fine now BUT there had been some confusion for accessing even when following up with them.

#1 http://webmail.domain.tld  WORKS without a certificate prompt
#2 http://domain.tld/webmail WORKS after you accept a private certificate

Sorry  but - What's the difference??

Yeah, a certificate is always given out to a specific DNS name, thus meaning the certificate they are using is being assigned to the webmail.domain.tld DNS name, not the domain.tld/webmail DNS name. If you would use webmail.domain.tld/webmail it would also work.

If you click on the lock you see in your IE and then choose view certificate you will see which site the certificate has been assigned to. Also, you will be able to see which company the certificate is assigned to (being your company or that of your ISP).
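
The two causes discussed in this thread (a certificate issued for a different DNS name, and a self-signed or privately issued certificate) can be told apart mechanically. The following is an added example, not part of the original thread: it works on certificate dictionaries in the layout returned by Python's `ssl.SSLSocket.getpeercert()`, the function names are hypothetical, and both sample certificates are constructed.

```python
# Added example. Cert dicts follow the layout of ssl.SSLSocket.getpeercert();
# every certificate below is constructed sample data, not the ISP's real cert.

def cert_dns_names(cert):
    """DNS names a cert covers: SAN entries, else the legacy CN fallback."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Case-insensitive compare; '*' may only stand for the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False              # a wildcard never spans more than one label
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def diagnose(cert, host):
    """Return the reasons a client would warn when reaching `host` with `cert`."""
    findings = []
    if not any(name_matches(n, host) for n in cert_dns_names(cert)):
        findings.append("name-mismatch")
    # Heuristic: issuer == subject. A real client verifies the signature chain
    # up to a root present in its trusted root store.
    if cert.get("subject") and cert.get("issuer") == cert.get("subject"):
        findings.append("self-signed")
    return findings

# Constructed: issued by a (fictional) public CA for webmail.domain.tld only.
PUBLIC_CA_CERT = {
    "subject": ((("commonName", "webmail.domain.tld"),),),
    "issuer": ((("commonName", "Example Public CA (constructed)"),),),
    "subjectAltName": (("DNS", "webmail.domain.tld"),),
}
# Constructed: self-signed cert created in a hosting panel, CN only, no SAN.
SELF_SIGNED_CERT = {
    "subject": ((("commonName", "domain.tld"),),),
    "issuer": ((("commonName", "domain.tld"),),),
}

if __name__ == "__main__":
    for label, cert in (("public", PUBLIC_CA_CERT), ("self-signed", SELF_SIGNED_CERT)):
        for host in ("webmail.domain.tld", "domain.tld"):
            print(label, host, diagnose(cert, host) or "ok")
```

A "name-mismatch" finding is fixed by using the host name the certificate was issued for or by reissuing the certificate; a "self-signed" finding is fixed by the host installing a certificate from a publicly trusted CA, or by clients deliberately trusting that root.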

DanielTAuthor Commented:
It is very helpful to get opinions for areas of IT that are not your "specialty".  
Thanks for your patience and persistence in answering.