Solved

CA Root certificate is not trusted

Posted on 2009-07-14
11
995 Views
Last Modified: 2013-12-08
I have not worked much with certificates and have an enquiry.

We are currently in transition to an alternate ISP that will provide hosting and email but the new server is not yet setup with pointers to their nameservers.

When navigating to the admin panel or webmail login the following message is received...
"This CA Root certificate is not trusted because it is not in the Trusted Root Certification Authorities store."

This will cause all users grief in not knowing what to do and I am not sure of the cause/resolution. Is this something that needs to be fixed on the ISP end so the certificate is trusted? Or is it something that needs to be done on each connecting PC so that the certificate is trusted? I have never had to do this before and feel it has to do with the new ISP. Further, I do not know if it is simply because we have not yet gone "live".

Make sense??
0
Question by:DanielT
11 Comments
 
LVL 23

Expert Comment

by:rhandels
ID: 24854404
Hey,

It depends if it needs to be done by all machines or by the ISP. To give a brief description on how certificates work..

Normally, you would have specific companies that everyone finds trustworthy, like VeriSign or Thawte. They have root certificates (which is the king of all certificates for that company) that are trusted by Internet Explorer because Microsoft says that they are both trustworthy companies. If you would like to have your own certificate, you would go to VeriSign and ask for a certificate. Because they trust you (yes, you need to fill in a LOT of paper work :)) and Microsoft trusts them (by root cert), Microsoft trusts you.

If, however, you decide to create your own certificate server, then you have your own godlike certificate which is not trusted by Microsoft, hence the error that the certificate is not trusted in the root certificate authority store. If you are 100% absolutely sure that you trust the root certificate (so the company or person that assigned the certificate for your OWA), you can install it. Simply click on the certificate, press view (depending on what version you have, just click a bit on the yellow lock IE shows) and install it by clicking next next next next...... etc etc and then finish. Voila, root certificate installed, root source trusted and error gone away :) :)
0
 
LVL 2

Author Comment

by:DanielT
ID: 24854586
I have not encountered this before with an ISP and would have thought they should have it "registered" so that it is trusted. As mentioned they are hosting web and eMail services (this is 3rd party, not internal). I would have expected it to be transparent and to not have to do this on each workstation that MAY access webmail.

Would it not be fair to request they "fix it"?
Will this correct itself when the site goes "live"?

Thanks, again....

0
 
LVL 50

Expert Comment

by:jcimarron
ID: 24855097
0
 
LVL 2

Author Comment

by:DanielT
ID: 24855342
I had already seen the E-E link but will have to study the MS link a little more closely.
Thanks for providing.

Realizing I may not be grasping this fully yet, I still have same questions as last posted...
- Would it not be expected that the ISP use a Windows Trusted Certificate?
and
- Will this perhaps correct itself (ie: the certificate be seen as trusted without overriding/trusting on each workstation) when the website goes "live"?

Again - I have never seen a certificate issue with any other ISP - so why now?
0
 
LVL 50

Expert Comment

by:jcimarron
ID: 24855619
DanielT--Since I do not know the ISP, I think your questions are something to ask the new ISP.  If they want your business, they should try hard to answer and satisfy you.
0
 
LVL 2

Author Comment

by:DanielT
ID: 24855688
Appreciate your posts... never hurts (too much <grin>) to learn more!

Sorry if it has not been clear but I was trying to establish that what I am thinking is correct to approach the ISP as I am not all that familiar with certificates and have not encountered this issue before.

The site will now transition soon so I will see what happens and then contact them about the issue. Thought it might be a simple "Yes - they need to ensure their root certificate is trusted" before I did that.
0
 
LVL 23

Expert Comment

by:rhandels
ID: 24856763
Hey,

If this is a production website and they are hosting it for you then yes, they should fix it, it is not your concern that they are using a non-trusted certificate. I would ask them if this is just because the name of the site is different than the certificate ones. If so, don't worry it will all be fixed when you go into production, else they should update or change or do whatever with that certificate..
0
 
LVL 31

Assisted Solution

by:Paranormastic
Paranormastic earned 100 total points
ID: 24859487
If this just affects things that you will be accessing, like the admin console, then this isn't too big of a deal.  The webmail also isn't too big of a deal if you are the only one accessing it.  If this comes up on https: pages for your production site as well - that is more of an issue.

Some hosting companies provide an SSL cert as part of the package, some don't.  If they don't they will let you create your own self-signed certificate, which is probably what you are seeing.  Technically it works fine, but don't expect anyone else to trust it besides you and maybe your employees, if any.  They may offer a deal for getting an SSL cert or have a method for requesting a legitimate cert, say from Godaddy, Comodo, or Verisign, within their console - they may just provide the tools to create the cert request file that you can submit yourself to the cert vendor of your choice instead of them doing it for you.

The cheaper places tend to give less services in their package.  That's business.  It's why you get onions on your McDonald's cheeseburger but you don't on your Burger King cheeseburger.  You can ask BK to put onions on and they will do so, but you may or may not end up paying 30 cents extra for it.
0
 
LVL 2

Author Comment

by:DanielT
ID: 24900862
A little more detail...

Issue is fine now BUT there had been some confusion for accessing even when following up with them.

#1 http://webmail.domain.tld  WORKS without a certificate prompt
#2 http://domain.tld/webmail WORKS after you accept a private certificate

Sorry  but - What's the difference??

0
 
LVL 23

Accepted Solution

by:
rhandels earned 250 total points
ID: 24902183
Yeah, a certificate is always given out to a specific DNS name, thus meaning the certificate they are using is being assigned to the webmail.domain.tld DNS name, not the domain.tld/webmail DNS name.. If you would use webmail.domain.tld/webmail it would also work..

If you click on the lock you see in your IE and then choose view certificate you will see to which site the certificate has been assigned to. Also, you will be able to see which company the certificate is assigned to (being your company or that of your ISP..)
0
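The two checks discussed in this thread (does the certificate name cover the host in the URL, and is the certificate self-issued), as an added example that is not part of the original posts. The certificate dict is constructed sample data in the shape of Python's `ssl.SSLSocket.getpeercert()` output, the `https://` URLs are constructed variants of the two addresses in the question, and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert():
# a self-issued certificate that names webmail.domain.tld only.
SAMPLE_CERT = {
    "subject": ((("commonName", "webmail.domain.tld"),),),
    "issuer": ((("commonName", "webmail.domain.tld"),),),
    "subjectAltName": (("DNS", "webmail.domain.tld"),),
}


def name_matches(pattern, host):
    """Compare one certificate DNS name with the host, RFC 6125 style."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not p.startswith("*."):
        return p == h
    # A wildcard covers exactly one left-most label: *.domain.tld matches
    # webmail.domain.tld, but neither domain.tld nor a.b.domain.tld.
    head, _, rest = h.partition(".")
    return bool(head) and rest == p[2:]


def cert_names(cert):
    """DNS names the certificate covers (SAN entries, CN as legacy fallback)."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                 if k == "commonName"]
    return names


def diagnose(url, cert):
    """Return the reasons a client would warn for this URL and certificate."""
    host = urlsplit(url).hostname  # only the host is compared, never the path
    findings = []
    if not any(name_matches(n, host) for n in cert_names(cert)):
        findings.append("name mismatch: %s not in %s" % (host, cert_names(cert)))
    # Issuer equal to subject means self-issued: trusted only if this exact
    # certificate has been installed in the client's root store.
    if cert.get("issuer") == cert.get("subject"):
        findings.append("self-issued: not chained to a public root")
    return findings


if __name__ == "__main__":
    for url in ("https://webmail.domain.tld/", "https://domain.tld/webmail"):
        print(url, "->", diagnose(url, SAMPLE_CERT) or "no warnings")
```
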
 
LVL 2

Author Closing Comment

by:DanielT
ID: 31603500
It is very helpful to get opinions for areas of IT that are not your "specialty".  
Thanks for your patience and persistence in answering.
0
