pensiongenius
asked on
Having SSL Cert trouble with group policies applied.
Greetings.
I am having some trouble tracking down a problem with SSL Certs (specifically EV) with computers that have group policies applied.
Basically I feel that Group Policies are prohibiting IE8 from importing the certificates to show that a site has Extended Validation enabled. They are able to get to the websites and correctly show the SSL lock in IE. But they aren't able to view the 'green' address bar.
If I remove the computer from group policies and reboot, then try visiting a site, gmail.com for example, the address bar turns green and notes the extended validation.
If I then switch the computer back to a group policy it will correctly show the EV cert. But not until it is removed from group policies and can hit the website to obtain the cert and finally put back behind a group policy.
I have checked the few settings that group policies can configure but they never seem to enable what I am looking for.
I am mainly focusing in -> Computer Config -> Policies -> Windows Settings -> Security Settings -> Public Key Policies
Our environment is as follows: Windows Server 2008 Domain / Active Directory / Group Policies. Clients are XP (SP3) and 7. IE8 is the browser in question. We do use an internet proxy (Postini) but have tested on and off the proxy and that doesn't seem to make a difference.
So I just cannot figure out what the problem is. Any help would be much appreciated. Thank you.
Probably have Windows Update restricted. Root certs are updated 'as-needed' via Windows Update. Since many EV cert issuing roots are newer, they may not already be pre-populated and need to be downloaded.
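One way to test the theory in the reply above on an affected client, as an added example that is not part of the original thread. It assumes PowerShell is installed on the client, and it checks the registry value written by the "Turn off Automatic Root Certificates Update" policy, which the thread itself does not mention; `$RootNameFragment` is a placeholder to fill in from the certificate path seen on a working machine.

```powershell
# Added diagnostic sketch; run in an elevated PowerShell prompt on the affected client.
# $RootNameFragment is a placeholder: set it to part of the subject of the root CA
# that the EV site chains to (read it from the certificate path on a working machine).
$RootNameFragment = 'EXAMPLE-ROOT-CA-NAME'

function Get-RootAutoUpdatePolicy {
    # Value written by the "Turn off Automatic Root Certificates Update" policy setting.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    $value = $null
    if (Test-Path $key) {
        $prop = Get-ItemProperty -Path $key -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
        if ($prop) { $value = $prop.DisableRootAutoUpdate }
    }
    if ($value -eq 1) { 'Disabled by policy' }
    elseif ($value -eq $null) { 'Not configured (on-demand update allowed)' }
    else { 'Enabled' }
}

function Find-RootCertificate([string]$NameFragment) {
    # Root = Trusted Root Certification Authorities, AuthRoot = Third-Party Root CAs.
    foreach ($store in 'Root', 'AuthRoot') {
        Get-ChildItem "Cert:\LocalMachine\$store" |
            Where-Object { $_.Subject -like "*$NameFragment*" } |
            Select-Object @{n='Store';e={$store}}, Subject, NotBefore, NotAfter, Thumbprint
    }
}

"Automatic root update: $(Get-RootAutoUpdatePolicy)"
$found = @(Find-RootCertificate $RootNameFragment)
if ($found.Count -eq 0) {
    "No root matching '$RootNameFragment' in the machine stores."
} else {
    $found | Format-Table -AutoSize
}
```

Running it once while the machine is under Group Policy and once after removing it shows whether the policy value or the contents of the root stores differ between the two states.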
ASKER
I gave a look through WSUS and we do have the Root Cert updates approved for the November 2009 Root Certificate. Best I can tell that is the most recent one per http://support.microsoft.com/kb/931125.
I verified my test machine was listed as having that update installed and it was.
I also performed a manual Windows Update while the machine was off Group Policy and did not find any Root Cert updates waiting for it.
I was hoping before that something along those lines would fix it as well.