Solved

Certificate Overview and Problem

Posted on 2011-03-09
413 Views
Last Modified: 2012-05-11
In regards to that annoying invalid certificate warning that IE provides when accessing my own server (see picture):

I have a general question regarding certificates.  I understand the whole public key/private key thing.  I understand a server issues an SSL certificate and that the server can self-create its certificate. I understand that there are authorities that verify the owners of the certificates because they know the private key that goes with the public key.  So please don't provide those answers as part of my question.

My question is 1)  Is there a general overview that presents more clearly what all the different types of certificates in Internet Explorer/Windows are?
I.e. what are Intermediate CA, Trusted Root Certification A, Trusted Publishers?  What is the difference between them?

I have a server that I know is good.  I put it together. I created the certificate.  I know the keys.  Why can't I just install that certificate in "Trusted Publishers", "Intermediate CA", or "Trusted Root CA"?

I don't want to pay VeriSign or Thawte for a menial task that takes very little processing time.

What piece of knowledge am I missing?  What don't I understand?

Sincerely,
Dan


CertificateQuestionPicture.jpg
Question by:dwkrueger
1 Comment
LVL 33

Accepted Solution

by:
Dave Howe earned 500 total points
ID: 35087180
Usually, a browser won't accept a self-signed server certificate into the store, no matter how hard you try.

Ignore Trusted Publisher for now, it's not applicable. The three you need to manage are the end server certificate, the intermediate (if any) and the root CA.

Root CAs are self-signed certificates that have the CA bit set. They are imported into the trusted root CA keystore.

Intermediates are CAs that are not self-signed, but are signed by another CA. Those can be imported into the intermediate keystore, supplied by the server, or fetched by the browser from a reference in the server certificate (the new method).

End user (server) certificates do not have the CA bit set, but instead have a usage bit set to indicate they are able to encrypt keys, digitally sign, and protect traffic.

Now, if you want to avoid having to pay for your own server's certificate AND don't really care if anyone else gets the warning, as long as your own staff don't, then what you do is to create your own root CA (MS enterprise server software has a CA, as does Novell, or you can use the free tool at http://sourceforge.net/projects/xca ).

Using this CA, you export the CA certificate (only) and then import a signing request from your server as though you were Thawte. You then export the signed certificate back out from your CA and import it into your server.

By adding your own CA into your trusted CA keystore (and into that of any other machines, using group policy, manually by double-clicking a CER file, or by exporting the registry key and importing that however you do registry imports), the server cert will be trusted, as it is signed by a CA in your trusted root CA keystore.
